Include Additional Fields in API Responses
Overview
When creating, retrieving, or updating data, you can use the fields query parameter to include additional fields that are not included in the API response by default.
To use the fields query parameter, append ?fields={fieldName} to the end of the request URL. To include multiple fields in the API response, separate each key-value pair with an ampersand (&). For example, to include data for associated Groups and Tags in an API response, append ?fields=associatedGroups&fields=tags to the end of the request URL.
Retrieve a List of Available Fields for an Endpoint
Send a request in the following format to retrieve a list of fields you can include in responses returned from an object’s endpoint:
OPTIONS /v3/{objectType}/fields
For example, the following request will retrieve a list of fields you can include in responses returned from the /v3/indicators endpoint:
OPTIONS /v3/indicators/fields
JSON Response
{
"data": [
{
"description": "Includes artifacts with a relationship to the indicator",
"includedByDefault": false,
"name": "associatedArtifacts"
},
{
"description": "Includes cases with a relationship to the indicator",
"includedByDefault": false,
"name": "associatedCases"
},
{
"description": "Includes groups related to the indicator",
"includedByDefault": false,
"name": "associatedGroups"
},
{
"description": "Includes indicators related to the indicator",
"includedByDefault": false,
"name": "associatedIndicators"
},
{
"description": "Includes the name of the association if this indicator is part of an association with another indicator",
"includedByDefault": false,
"name": "associationName"
},
{
"description": "Includes attributes related to the indicator",
"includedByDefault": false,
"name": "attributes"
},
{
"description": "Includes indicators with custom associations to the indicator",
"includedByDefault": false,
"name": "customAssociations"
},
{
"description": "Includes DNS resolution data related to the Host indicators",
"includedByDefault": false,
"name": "dnsResolution"
},
{
"description": "Includes Enrichment data related to the indicator",
"includedByDefault": false,
"name": "enrichment"
},
{
"description": "Includes date fields defined in external applications",
"includedByDefault": false,
"name": "externalDates"
},
{
"description": "Includes the False Positives fields falsePositives and lastFalsePositive",
"includedByDefault": false,
"name": "falsePositives"
},
{
"description": "Includes indicators related to the indicator by file action",
"includedByDefault": false,
"name": "fileActions"
},
{
"description": "Includes file occurrences related to the indicator",
"includedByDefault": false,
"name": "fileOccurrences"
},
{
"description": "Includes the following fields, over-writing the custom field names: value1, value2, and value3",
"includedByDefault": false,
"name": "genericCustomIndicatorValues"
},
{
"description": "Includes GEO location information related to the Host and IP indicators",
"includedByDefault": false,
"name": "geoLocation"
},
{
"description": "Includes investigation links related to the indicator type",
"includedByDefault": false,
"name": "investigationLinks"
},
{
"description": "Includes the Observations fields observations and lastObserved",
"includedByDefault": false,
"name": "observations"
},
{
"description": "Includes security labels related to the indicator",
"includedByDefault": false,
"name": "securityLabels"
},
{
"description": "Includes date fields specific to the sighting reported",
"includedByDefault": false,
"name": "sightings"
},
{
"description": "Includes tags related to the indicator",
"includedByDefault": false,
"name": "tags"
},
{
"description": "Includes the Threat Assess fields threatAssessRating, threatAssessScore, and threatAssessConfidence",
"includedByDefault": false,
"name": "threatAssess"
},
{
"description": "Includes Observations and False Positive stats of tracked users",
"includedByDefault": false,
"name": "trackedUsers"
},
{
"description": "Includes WhoIs information related to the Host indicators",
"includedByDefault": false,
"name": "whoIs"
}
],
"count": 23,
"status": "Success"
}
Example Requests
This section provides example requests demonstrating sample use cases for the fields query parameter.
Include an Indicator’s CAL and ThreatAssess Information
The following request will retrieve data for the Indicator whose ID is 4, including CAL™ and ThreatAssess information for the Indicator:
GET /v3/indicators/4?fields=threatAssess
JSON Response
{
"data": {
"id": 4,
"ownerId": 1,
"ownerName": "Demo Organization",
"dateAdded": "2023-01-26T21:00:03Z",
"webLink": "https://app.threatconnect.com/#/details/indicators/4/overview",
"type": "Host",
"lastModified": "2023-01-27T14:25:55Z",
"rating": 5.00,
"confidence": 65,
"threatAssessRating": 4.0,
"threatAssessConfidence": 0.0,
"threatAssessScore": 405,
"threatAssessScoreObserved": 0,
"threatAssessScoreFalsePositive": 0,
"calScore": 410,
"summary": "ultrabadguy.com",
"privateFlag": false,
"active": true,
"activeLocked": false,
"hostName": "ultrabadguy.com",
"dnsActive": false,
"whoisActive": true,
"legacyLink": "https://app.threatconnect.com/auth/indicators/details/host.xhtml?host=ultrabadguy.com&owner=Demo+Organization"
},
"status": "Success"
}
Attention
It is recommended to ignore the threatAssessRating and threatAssessConfidence fields and their values, as these are legacy fields.
Include Observations For an Indicator
The following request will retrieve data for the ultrabadguy.com Host Indicator in the API user’s Organization, including the number of times the Indicator has been observed and the date and time when it was last observed:
GET /v3/indicators/ultrabadguy.com?fields=observations
JSON Response
{
"data": {
"id": 4,
"dateAdded": "2023-01-26T21:00:03Z ",
"ownerId": 1,
"ownerName": "Demo Organization",
"webLink": "https://app.threatconnect.com/#/details/indicators/4",
"type": "Host",
"lastModified": "2023-01-27T14:25:55Z ",
"rating": 4.00,
"confidence": 51,
"source": "Host used by hacker conglomerate tracked to Iran.",
"description": "Indicator associated with malware-connected VPN network.",
"summary": "ultrabadguy.com",
"observations": 5,
"lastObserved": "2023-01-27T03:16:30Z",
"privateFlag": false,
"active": true,
"activeLocked": false,
"hostName": "ultrabadguy.com",
"dnsActive": false,
"whoisActive": false,
"legacyLink": "https://app.threatconnect.com/auth/indicators/details/host.xhtml?host=ultrabadguy.com&owner=Demo+Organization"
},
"status": "Success"
}
Include False Positive Reports For an Indicator
The following request will retrieve data for the ultrabadguy.com Host Indicator in the API user’s Organization, including the number of times the Indicator was reported as a false positive and the date and time when it was last reported as a false positive:
GET /v3/indicators/ultrabadguy.com?fields=falsePositives
JSON Response
{
"data": {
"id": 4,
"dateAdded": "2023-01-26T21:00:03Z ",
"ownerId": 1,
"ownerName": "Demo Organization",
"webLink": "https://app.threatconnect.com/#/details/indicators/4",
"type": "Host",
"lastModified": "2023-01-27T14:25:55Z ",
"rating": 4.00,
"confidence": 51,
"source": "Host used by hacker conglomerate tracked to Iran.",
"description": "Indicator associated with malware-connected VPN network.",
"summary": "ultrabadguy.com",
"falsePositives": 2,
"lastFalsePositive": "2023-01-27T00:00:00Z",
"falsePositiveReportedByUser": false,
"privateFlag": false,
"active": true,
"activeLocked": false,
"hostName": "ultrabadguy.com",
"dnsActive": false,
"whoisActive": false,
"legacyLink": "https://app.threatconnect.com/auth/indicators/details/host.xhtml?host=ultrabadguy.com&owner=Demo+Organization"
},
"status": "Success"
}
Include Observations and False Positives Reported by API Users
The following request will retrieve data for the Indicator whose ID is 4, including observations and false positives reported by API users in the Organization:
GET /v3/indicators/4?fields=trackedUsers
JSON Response
{
"data": {
"id": 4,
"ownerId": 1,
"ownerName": "Demo Organization",
"dateAdded": "2023-01-26T21:00:03Z",
"webLink": "https://app.threatconnect.com/#/details/indicators/4/overview",
"type": "Host",
"lastModified": "2023-01-27T14:25:55Z",
"rating": 5.00,
"summary": "ultrabadguy.com",
"trackedUsers": {
"John Smith": {
"observations": 5,
"lastObserved": "2023-01-27T03:16:30Z",
"falsePositives": 1,
"lastFalsePositive": "2023-01-27T00:00:00Z"
}
},
"privateFlag": false,
"active": true,
"activeLocked": false,
"hostName": "ultrabadguy.com",
"dnsActive": false,
"whoisActive": false,
"legacyLink": "https://app.threatconnect.com/auth/indicators/details/host.xhtml?host=ultrabadguy.com&owner=Demo+Organization"
},
"status": "Success"
}
Include Sightings and External Timestamps
When working with Groups and Indicators, you can specify details about when the object was first and last seen. You can also provide external date and time information for the object, including when it was created, when it was last modified, and when it expires externally.
The following request will retrieve data for the Group whose ID is 20, including when it was first and last seen (sightings) and external date and time information for the Group (externalDates):
GET /v3/groups/20?fields=sightings&fields=externalDates
JSON Response
{
"data": {
"id": 20,
"dateAdded": "2023-08-25T12:44:47Z",
"ownerId": 3,
"ownerName": "Demo Source",
"webLink": "https://app.threatconnect.com/#/details/groups/20/overview",
"type": "Adversary",
"name": "Nefarious",
"createdBy": {
"id": 3,
"userName": "11112222333344445555",
"firstName": "John",
"lastName": "Smith",
"pseudonym": "jsmithAPI",
"owner": "Demo Organization"
},
"upVoteCount": "0",
"downVoteCount": "0",
"externalDateAdded": "2023-08-25T18:23:43Z",
"externalLastModified": "2023-08-26T18:23:43Z",
"externalDateExpires": "2023-08-30T18:23:43Z",
"firstSeen": "2023-08-25T18:23:43Z",
"lastSeen": "2023-08-26T18:23:43Z",
"lastModified": "2023-09-25T12:44:47Z",
"legacyLink": "https://app.threatconnect.com/auth/adversary/adversary.xhtml?adversary=20"
},
"status": "Success"
}
Include an AI Summary of a Group
As of ThreatConnect version 7.12, AI summaries may be generated for Document, Event, and Report Groups in ThreatConnect. Using the v3 API, you can retrieve a Group’s AI summary by assigning the fields query parameter a value of insights. If the Group has an AI summary, one of the following fields will be included in the response body, depending on how the AI-generated summary was created:
customAiContent: Contains an AI summary generated by a user. User-generated AI summaries are created when a user clicks Generate on the AI Insights card on a Group’s Details screen or when an API user assigns a value to a Group’scustomAiContentfield.insights: Contains an AI summary automatically generated by CAL Doc Analysis or Dataminr. These summaries are provided for Report Groups in the CAL Automated Threat Library Source and Event Groups in the Dataminr Cyber Pulse Limited or Dataminr Pulse Alerts Engine feeds.
Note
If a Group’s insights and customAiContent fields have values assigned to them, both fields will be included in the response body.
In the following example, the request will retrieve data for the Report Group whose ID is 48002, including an AI summary generated by CAL Doc Analysis:
GET /v3/groups/48002?fields=insights
JSON Response
{
"data": {
"id": 48002,
"dateAdded": "2026-06-02T11:00:04Z",
"ownerId": 56,
"ownerName": "CAL Automated Threat Library",
"webLink": "https://app.threatconnect.com/#/details/groups/48002",
"type": "Report",
"xid": "b40bdb6f519bbf62898980b928ed1fa26b16b642354e9ea55535adce2be56084",
"name": "Fake virus alerts are invading mobile games",
"createdBy": {
"userName": "ApiUser-cal_automated_threat_library",
"firstName": "ApiUser",
"lastName": "CAL Automated Threat Library",
"owner": "CAL Automated Threat Library"
},
"upVoteCount": "0",
"downVoteCount": "0",
"generatedReport": false,
"fileName": "None",
"status": "Awaiting Upload",
"documentType": "None",
"insights": {
"summary": "Cybercriminals are exploiting mobile gaming platforms by purchasing legitimate advertising space to display fake virus alerts and security warnings. These scams typically use urgent scare tactics, claiming devices are infected, storage is full, or accounts are compromised due to visiting adult websites. Common examples include fake iCloud storage warnings demanding payment details for upgrades, false Apple security alerts claiming multiple viruses detected, and messages impersonating ISPs or security departments. The ultimate goal is tricking users into installing malicious apps ranging from adware to infostealers, or fleeceware applications that charge hidden subscription fees costing hundreds monthly. To stay protected, users should ignore these alerts since legitimate system warnings come from the operating system, not game windows. Key safety measures include verifying URLs against official domains, checking app store reviews and permissions before downloading, accessing accounts through official websites rather than suspicious links, and using real-time anti-malware solutions. The distinction between genuine OS-level alerts and fake in-game warnings is crucial for identifying these increasingly sophisticated mobile gaming scams.",
"app": "TextSummarizer",
"aiProvider": "CAL Doc Analysis",
"markdown": "Here is a concise bullet point report and summary based on the cyber threat report:\n\nBULLET POINTS:\n\n* Cybercriminals are purchasing advertising space in mobile games to display fake virus alerts and security warnings to defraud users\n* Common scam tactics include fake iCloud/OneDrive storage warnings, false device infection alerts, and fake Apple security messages claiming immediate action is required\n* Scammers use scare tactics with urgent language like 'device will lock in two minutes' or 'account restricted' to pressure users into clicking malicious links\n* Victims may be tricked into installing adware, infostealers, or fleeceware apps that charge hidden subscription fees up to hundreds of dollars monthly\n* Real system alerts come from the operating system, not from within games or browser windows - this is a key indicator to identify scams\n* Users should verify URLs from official sources, check app store reviews and permissions, and access accounts through official websites rather than clicking suspicious links\n* Anti-malware solutions with real-time protection can help detect and block these malicious apps and phishing attempts\n\nSUMMARY:\n\nCybercriminals are exploiting mobile gaming platforms by purchasing legitimate advertising space to display fake virus alerts and security warnings. These scams typically use urgent scare tactics, claiming devices are infected, storage is full, or accounts are compromised due to visiting adult websites. Common examples include fake iCloud storage warnings demanding payment details for upgrades, false Apple security alerts claiming multiple viruses detected, and messages impersonating ISPs or security departments. The ultimate goal is tricking users into installing malicious apps ranging from adware to infostealers, or fleeceware applications that charge hidden subscription fees costing hundreds monthly. To stay protected, users should ignore these alerts since legitimate system warnings come from the operating system, not game windows. Key safety measures include verifying URLs against official domains, checking app store reviews and permissions before downloading, accessing accounts through official websites rather than suspicious links, and using real-time anti-malware solutions. The distinction between genuine OS-level alerts and fake in-game warnings is crucial for identifying these increasingly sophisticated mobile gaming scams.\n",
"bullets": [
"Cybercriminals are purchasing advertising space in mobile games to display fake virus alerts and security warnings to defraud users",
"Common scam tactics include fake iCloud/OneDrive storage warnings, false device infection alerts, and fake Apple security messages claiming immediate action is required",
"Scammers use scare tactics with urgent language like 'device will lock in two minutes' or 'account restricted' to pressure users into clicking malicious links",
"Victims may be tricked into installing adware, infostealers, or fleeceware apps that charge hidden subscription fees up to hundreds of dollars monthly",
"Real system alerts come from the operating system, not from within games or browser windows - this is a key indicator to identify scams",
"Users should verify URLs from official sources, check app store reviews and permissions, and access accounts through official websites rather than clicking suspicious links",
"Anti-malware solutions with real-time protection can help detect and block these malicious apps and phishing attempts"
]
},
"documentDateAdded": "2026-06-02T11:00:04Z",
"lastModified": "2026-06-02T11:00:04Z",
"legacyLink": "https://app.threatconnect.com/auth/report/report.xhtml?report=48002",
"publishDate": "2026-06-02T00:00:00Z"
},
"status": "Success"
}
Attention
Artificial intelligence (AI) summarizers use algorithms and AI to condense text into shorter summaries, saving time and effort. However, summaries generated from non-English content may have lower accuracy than those generated from English content.
Include Additional Association Levels for a Field
When using the fields query parameter, you can request additional association levels for a field (e.g., requesting an object’s Attributes and the Security Labels applied to the Attributes). To accomplish this, use dot notation when setting the value for the fields query parameter.
For example, the following request will retrieve data for the Indicator whose ID is 4 and include Groups associated to the Indicator and Attributes added to those Groups in the response. To accomplish this, ?fields=associatedGroups.attributes is appended to the end of the request URL.
GET /v3/indicators/4?fields=associatedGroups.attributes
JSON Response
{
"data": {
"id": 4,
"ownerId": 1,
"ownerName": "Demo Organization",
"dateAdded": "2023-01-26T21:00:03Z",
"webLink": "https://app.threatconnect.com/#/details/indicators/4/overview",
"type": "Host",
"lastModified": "2023-01-27T14:25:55Z",
"rating": 5.00,
"confidence": 65,
"summary": "ultrabadguy.com",
"privateFlag": false,
"active": true,
"activeLocked": false,
"associatedGroups": {
"data": [
{
"id": 12,
"ownerId": 2,
"ownerName": "Demo Source",
"dateAdded": "2023-01-26T21:00:03Z",
"webLink": "https://app.threatconnect.com/#/details/groups/12/overview",
"type": "Adversary",
"name": "Bad Guy",
"createdBy": {
"id": 3,
"userName": "11112222333344445555",
"firstName": "John",
"lastName": "Smith",
"pseudonym": "jsmithAPI",
"owner": "Demo Organization"
},
"upVoteCount": "0",
"downVoteCount": "0",
"attributes": {
"data": [
{
"id": 10,
"dateAdded": "2023-02-02T18:26:06Z",
"type": "Adversary Type",
"value": "This is a very bad Adversary type.",
"createdBy": {
"id": 3,
"userName": "11112222333344445555",
"firstName": "John",
"lastName": "Smith",
"pseudonym": "jsmithAPI",
"owner": "Demo Organization"
},
"lastModified": "2023-02-02T18:26:06Z",
"pinned": true,
"default": true
}
]
},
"lastModified": "2023-02-02T18:26:06Z",
"legacyLink": "https://app.threatconnect.com/auth/adversary/adversary.xhtml?adversary=12"
}
]
},
"hostName": "ultrabadguy.com",
"dnsActive": false,
"whoisActive": true,
"legacyLink": "https://app.threatconnect.com/auth/indicators/details/host.xhtml?host=ultrabadguy.com&owner=Demo+Organization"
},
"status": "Success"
}
By default, you can retrieve only one association level at a time. To retrieve more than one association level at a time, contact your System Administrator and have them complete one of the following actions:
Enable the Allow User to Exceed API Link Limit setting on your API user account. Instructions for enabling this setting are available in the “Creating an API User” section of Managing User Accounts.
Update the v3 API link limit in system settings to allow for more than one association level to be retrieved at a time.
The following example demonstrates how to retrieve two association levels in a single request. The request will retrieve data for the Indicator whose ID is 4 and include the following data in the API response:
Groups associated to the Indicator
Attributes added to those Groups (the first association level)
Security Labels applied to those Attributes (the second association level)
To accomplish this, ?fields=associatedGroups.attributes.securityLabels is appended to the end of the request URL.
GET /v3/indicators/4?fields=associatedGroups.attributes.securityLabels
JSON Response
{
"data": {
"id": 4,
"ownerId": 1,
"ownerName": "Demo Organization",
"dateAdded": "2023-01-26T21:00:03Z",
"webLink": "https://app.threatconnect.com/#/details/indicators/4/overview",
"type": "Host",
"lastModified": "2023-01-27T14:25:55Z",
"rating": 5.00,
"confidence": 65,
"summary": "ultrabadguy.com",
"privateFlag": false,
"active": true,
"activeLocked": false,
"associatedGroups": {
"data": [
{
"id": 12,
"ownerId": 2,
"ownerName": "Demo Source",
"dateAdded": "2023-01-26T21:00:03Z",
"webLink": "https://app.threatconnect.com/#/details/groups/12/overview",
"type": "Adversary",
"name": "Bad Guy",
"createdBy": {
"id": 3,
"userName": "11112222333344445555",
"firstName": "John",
"lastName": "Smith",
"pseudonym": "jsmithAPI",
"owner": "Demo Organization"
},
"upVoteCount": "0",
"downVoteCount": "0",
"attributes": {
"data": [
{
"id": 10,
"dateAdded": "2023-02-02T18:26:06Z",
"securityLabels": {
"data": [
{
"id": 3,
"name": "TLP:AMBER",
"description": "This security label is used for information that requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Information with this label can be shared with members of an organization and its clients.",
"color": "FFC000",
"owner": "System",
"dateAdded": "2016-08-31T00:00:00Z"
}
]
},
"type": "Adversary Type",
"value": "This is a very bad Adversary type.",
"createdBy": {
"id": 3,
"userName": "11112222333344445555",
"firstName": "John",
"lastName": "Smith",
"pseudonym": "jsmithAPI",
"owner": "Demo Organization"
},
"lastModified": "2023-02-02T18:26:06Z",
"pinned": true,
"default": true
}
]
},
"lastModified": "2023-02-02T18:26:06Z",
"legacyLink": "https://app.threatconnect.com/auth/adversary/adversary.xhtml?adversary=12"
}
]
},
"hostName": "ultrabadguy.com",
"dnsActive": false,
"whoisActive": true,
"legacyLink": "https://app.threatconnect.com/auth/indicators/details/host.xhtml?host=ultrabadguy.com&owner=Demo+Organization"
},
"status": "Success"
}
Include Details About the User Who Created an Object
Responses for some objects include a createdBy field, which includes subfields that provide details about the user who created the object. By default, the createdBy field includes the following subfields:
idusernamefirstNamelastNamepseudonymowner
To include more details about the user that created an object, append ?fields=userDetails to the end of the request URL. Note that additional subfields will be included within the createdBy field only for API users with Read permission for user accounts (i.e., API user accounts with an Organization role of Organization Administrator).
For example, the following request will retrieve data for the Group whose ID is 12 and return additional details about the user who created the Group.
GET /v3/groups/12?fields=userDetails
JSON Response (Without Read Permissions)
{
"data": {
"id": 12,
"ownerId": 2,
"ownerName": "Demo Source",
"dateAdded": "2023-01-26T21:00:03Z",
"webLink": "https://app.threatconnect.com/#/details/groups/12/overview",
"type": "Adversary",
"name": "Bad Guy",
"createdBy": {
"id": 3,
"userName": "11112222333344445555",
"firstName": "John",
"lastName": "Smith",
"pseudonym": "jsmithAPI",
"owner": "Demo Organization",
},
"upVoteCount": "0",
"downVoteCount": "0",
"lastModified": "2023-02-02T18:26:06Z",
"legacyLink": "https://app.threatconnect.com/auth/adversary/adversary.xhtml?adversary=12"
},
"status": "Success"
}
JSON Response (With Read Permissions)
{
"data": {
"id": 12,
"ownerId": 2,
"ownerName": "Demo Source",
"dateAdded": "2023-01-26T21:00:03Z",
"webLink": "https://app.threatconnect.com/#/details/groups/12/overview",
"type": "Adversary",
"name": "Bad Guy",
"createdBy": {
"id": 3,
"userName": "11112222333344445555",
"firstName": "John",
"lastName": "Smith",
"pseudonym": "jsmithAPI",
"owner": "Demo Organization",
"lastPasswordChange": "2022-10-13T14:31:59Z",
"termsAccepted": false,
"logoutIntervalMinutes": 30,
"systemRole": "Api User",
"ownerRoles": {
"Demo Community": "Director",
"Demo Organization": "Organization Administrator",
"Demo Source": "Director"
},
"disabled": false,
"locked": false,
"passwordResetRequired": false,
"twoFactorResetRequired": false
},
"upVoteCount": "0",
"downVoteCount": "0",
"lastModified": "2023-02-02T18:26:06Z",
"legacyLink": "https://app.threatconnect.com/auth/adversary/adversary.xhtml?adversary=12"
},
"status": "Success"
}
Combine the “tql” and “fields” Query Parameters
You can combine the tql and fields query parameters in a single API request, allowing you to filter results using ThreatConnect Query Language (TQL) and include additional fields in the API response.
For example, the following request will retrieve data for all Indicators with a Threat Rating greater than or equal to 4 and include data for Tags and Attributes added to each Indicator in the API response.
Request (Decoded URL)
GET /v3/indicators?tql=rating GEQ 4&fields=tags&fields=attributes
Request (Encoded URL)
GET /v3/indicators?tql=rating%20GEQ%204&fields=tags&fields=attributes
Note
Depending on the tool you are using to interact with the ThreatConnect API, it may be necessary to encode the request URL manually if it includes query parameters. For example, some tools may accept /v3/indicators?tql=ownerName GEQ 4&fields=tags&fields=attributes as a valid request URL and encode it automatically, while others may require you to encode the request URL manually. If you send a request with query parameters and a 401 Unauthorized error is returned, verify whether the request URL is encoded properly for the API tool you are using.