Skip to content

Palo Alto API – URL-Safe Password Generation (Avoid Double Encoding)

Overview

When working with the Palo Alto or Panorama API, authentication credentials are often passed as URL query parameters.

If a password contains special characters, it may require URL percent-encoding.

A common failure scenario occurs when an already encoded value is encoded again, resulting in %25 sequences and authentication errors.

This article shows a **safe and recommended approach**: generating passwords that never require URL encoding.

Why Double Encoding Causes API Failures

Double encoding typically looks like this:

  • Original character: Z

  • Encoded once: %5A

  • Encoded again: %255A

When this happens, the Palo Alto API interprets the password incorrectly and returns authentication errors such as **Invalid Credential (403)**.

Recommended Solution: URL-Safe Passwords

Generate passwords using only characters that are safe in URLs and do not change when encoded.

URL-safe character set

  • Uppercase letters: A–Z

  • Lowercase letters: a–z

  • Numbers: 0–9

  • Symbols: - \_ . ~

Passwords generated using this set:

  • Do not require URL encoding

  • Can be safely copied into scripts and tools

  • Eliminate double-encoding risks

Python Script – Generate URL-Safe Password

Use the following Python script to generate a strong, URL-safe password.


import secrets

import string



# Characters that NEVER change when URL-encoded

URL_SAFE_CHARS = string.ascii_letters + string.digits + "-\_.~"



def generate_password(length=32):

    return "".join(secrets.choice(URL_SAFE_CHARS) for _ in range(length))



if __name__ == "__main__":

    pwd = generate_password()

    print("Generated password:")

    print(pwd)

Example Output

Generated password:

Qx3_.dM-2aZV~C6LHSu

How to Run the Script (Windows)

Save the file as generate_url_safe_password.py

Open Command Prompt

Navigate to the file location

Run one of the following:

python generate_url_safe_password.py

or

How to Use This Password in Palo Alto API

Use the generated password as-is

Do NOT URL encode the password

Do NOT encode it again in Postman, curl, or automation scripts

If %25 appears in the final value, the password was encoded more than once.

Summary

Using URL-safe passwords is the simplest and most reliable way to avoid authentication issues with Palo Alto and Panorama APIs.

This approach removes the need for manual encoding and prevents common automation errors caused by double encoding.