Use the Ticket API with the Arctic Wolf API environment

To configure a pull-based API ITSM ticket integration, use the Organizations and Ticket API. You can use the Arctic Wolf specification documentation to interact with these APIs.

This procedure uses the specifications files in the Arctic Wolf Help Documentation. If you prefer using Postman or a similar tool, see Use the Ticket API with a third-party API tool.

Arctic Wolf tenants are distributed across multiple regions, called Arctic Wolf PODs. To configure ITSM ticket integration using the Ticket API, you need to know the POD and organization ID of the tenant. Get this information using the Organizations API, and then invoke the Ticket API.

Complete this procedure if you want to retrieve tickets for your own organization or if you are a Managed Service Provider (MSP) or parent company that wants to retrieve tickets for a customer or subsidiary organization.

Create a personal API Key

Personal API keys allow you to integrate with your IT service management (ITSM) software by providing authentication and authorization in accessing Arctic Wolf APIs.

Note: Use the Unified Portal for this task, not the MSP portal. If you are a conglomerate or MSP customer, we recommend creating the PAK in the parent or MSP internal Unified Portal. If you create the PAK within a child or MSP child customer portal, the PAK will still be associated to your User permissions, not based on the Org you create the PAK in.
  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Organization Profile > Personal API Keys.
  3. Click Create an API Key.
  4. In the Name field, enter a name to identify the API key. For example, the third-party application that will use the key.
  5. In the Expiry field, select the time period after which the API key will expire.
  6. Click Create Key.
  7. Copy the token to a safe, encrypted location.
    After closing the window, you will not be able to view the token again.

Invoke the Organizations API

Invoke this API is to determine which Arctic Wolf organization ID and regions, also known as PODs, are related to your organization, also known as the tenant.

  1. Navigate to Organizations API specifications and click Organization List API in the navigation menu.
  2. In the Auth section, in the token field, enter the personal API key from Create a personal API Key.
  3. Optional: In the Parameters section, in the root field, enter either the target organization ID or customer ID.
    If you leave this field blank, the API uses the ID from the personal API key.
  4. Click Send API Request.
  5. Copy the sample curl request.
    For example:
    CODE 
    curl <api_endpoint> -H "Authorization: Bearer <pak>" > data.json
  6. Add a pipe and a jq command to the curl command.
    For example:
    JSON 
    curl <api_endpoint> -H "Authorization: Bearer <pak>" > data.json | jq '.[] | {name, pod, id}'
    The jq command helps format JSON output, extract specific fields, and filter results.
  7. Run the curl command locally.
    You can use tools such as Terminal, Insomnia, or Bruno.
    Sample output:
    JSON 
    {
  "name": "Sample account 1",
  "pod": "us001",
  "id": "<uuid_1>"
}
{
  "name": "Sample account 2",
  "pod": "us002",
  "id": "<uuid_2>"
}
  8. Copy the name of the POD and the organization ID, and then save them in a safe, encrypted location.

Invoke the Ticket API

To invoke the Ticket API, select a POD to integrate with based on your findings in the Organizations API.

Note: Complete these steps for every POD that you need to integrate with.
  1. Navigate to Ticket API specifications and select the applicable API.
  2. In the Auth section, in the token field, enter the personal API key from Create a personal API Key.
  3. In the Parameters section:
    1. In the organizationUuid field, enter the organization ID identified in Invoke the Organizations API.
    2. Add values to additional parameters as needed.
      Specifying values in the parameter fields filters the results. Leaving fields blank returns results for all available options.

      The Ticket API uses the limit and offset parameters to paginate results. These parameters are comparable to the limit and offset clauses in SQL: limit specifies how many rows to return, while offset specifies how many rows to skip before starting. Together, they determine how many items appear on each page and which page of results is returned. For example, to view tickets 1-100, set the offset value to 0 and the limit to 100. To view tickets 101-200, set the offset value to 100 and the limit to 100. To view all tickets, run the API and refer to the value in the total parameter.

  4. In the Servers list, select the POD identified in Invoke the Organizations API.
    Note: You can only invoke the Ticket API for one POD at a time.
  5. Click Send API Request.
  6. Copy the sample curl request.
    For example:
    CODE 
    curl <api_endpoint> -H "Authorization: Bearer <pak>" > data.json
  7. Run the curl command locally.
    You can use tools such as Terminal, Insomnia, or Bruno.
    Sample output:
    JSON 
    {
  "results": [
    {
      "id": 12345,
      "title": "Cannot log in",
      "description": "User reports login failure",
      "organizationUuid": "550e8400-e29b-41d4-a716-446655440000",
      "status": "OPEN",
      "assignee": {
        "firstName": "John",
        "lastName": "Doe",
        "email": "agent@example.com"
      },
      "priority": "HIGH",
      "type": "INCIDENT",
      "createdAt": "2025-07-31T10:00:00Z",
      "updatedAt": "2025-08-01T12:00:00Z",
      "commentCount": 2,
      "attachmentCount": 1,
      "comments": [
        {
          "id": 90001,
          "body": "Investigating the issue.",
          "author": {
            "firstName": "John",
            "lastName": "Doe",
            "email": "agent@example.com"
          },
          "createdAt": "2025-08-01T11:00:00Z",
          "type": "PUBLIC"
        }
      ],
      "attachments": [
        {
          "id": 70001,
          "commentId": 90001,
          "deleted": false,
          "filename": "auth-log.txt",
          "contentType": "text/plain",
          "createdAt": "2025-08-01T11:01:00Z"
        }
      ]
    }
  ],
  "meta": {
    "offset": 0,
    "limit": 20,
    "total": 1
  }
}