Section 01
01Overview & Status
The ESET Connect API Reference Console is a fully self-contained, browser-based developer portal for the ESET Connect REST API. It serves as an interactive reference, live endpoint explorer, quick-start code library, and operational status page — all in a single HTML file deployed inside the KrawTech toolchain.
v3.8
API Version
Feb 2026 — latest
13
API Domains
Full ESET Connect surface
OAuth2
Auth Method
Password grant only
DEMO
Live Mode
Proxy required for live data
◈ What This Tool Is
A single-file HTML dashboard that presents ESET Connect's full REST API surface in a navigable, searchable console. It is used for:
- ▸ Quick endpoint lookup and triage during incident response — finding the right API call without digging through Swagger docs
- ▸ Code sample reference (Python & PowerShell) for automation development against ESET PROTECT Cloud
- ▸ Interactive demo explorer with simulated mock responses — functional without live credentials
- ▸ OAuth playground, region reference, rate limit visualizer, changelog, and operational status page
⚡ Current Deploy State
PROXY PENDING
⚠
The API Explorer and live data features are in demo/mock mode. All responses are simulated. Full live functionality activates when the backend proxy is deployed.
| Feature | Status |
|---|---|
| Navigation & search | Live |
| Code examples (Python/PS) | Live |
| Mock API Explorer | Live |
| Changelog / Status page | Live |
| Live API calls | Proxy required |
| Real token auth flow | Proxy required |
| Live detection feed | Proxy required |
Section 02
02Integration Status
Current state of the ESET Connect dashboard within the broader KrawTech platform. Shows which system connections are active, pending, or deferred.
⇄ Platform Connection Map
| System | Direction | Protocol | Status | Notes |
|---|---|---|---|---|
| ESET Connect REST API | Dashboard → ESET | HTTPS / OAuth2 | Demo only | Mock responses active. Live calls pending proxy. |
| ESET PROTECT Cloud | Read/Write | REST v1/v2 | Proxy required | Detections, devices, policies, quarantine via API. |
| OAuth 2.0 Token Service | Dashboard → ESET auth | Password grant | Proxy required | All regions: {region}.connect.eset.com/oauth/token |
| Syslog / SIEM Export | ESET → SIEM | TCP Syslog | Config reference only | Dashboard shows config instructions; no direct integration. |
| Swagger / OAS3 Spec | External link | HTTPS | Live (external) | help.eset.com/eset_connect/en-US/swagger_calls.html |
🔮
Activates when proxy is live: Real-time detection feed counter on the Home panel, actual API response payloads in the Explorer, live token acquisition via the OAuth playground, and live stat card data (device count, detection count, events today).
Section 03
03Architecture
The dashboard is a single self-contained HTML file with no build step, no external dependencies beyond Google Fonts, and no server-side logic. All state is in-memory. The proxy layer is the sole external dependency for live data.
Browser
Single HTML file
→
Dashboard
stack-eset.html
→
Proxy Layer
Token + CORS relay
→
ESET Connect
REST API
→
ESET PROTECT
Cloud platform
◈ File Structure
Structure
# Single-file deployment
stack-eset.html
├── <head>
│ ├── Google Fonts (Orbitron, Share Tech Mono, Rajdhani)
│ └── <style> — all CSS, design tokens
│
├── <body>
│ ├── #ktc-demo-bar ← demo/home nav bar
│ ├── .topbar ← fixed header + search
│ ├── .sidebar ← nav (13 sections)
│ └── .main ← page sections (15 views)
│
└── <script>
├── go(id) ← page navigation
├── buildRequest() ← API explorer logic
├── MOCK{} ← mock response data
├── initLiveStats() ← animated stat counters
└── tickFeed() ← live detection ticker
⚙ Runtime Behavior
| Component | Behavior |
|---|---|
| initLiveStats() | Animates 4 stat counters on load (threats, agents, calls, events). Polls every 4s with random deltas. |
| tickFeed() | Cycles through 10 hardcoded detection feed items every 3s with slide-in animation. |
| getMock(url) | Matches Explorer request URL to MOCK{} object, returns fake JSON with simulated latency (350–850ms). |
| searchFilter(q) | Keyword-to-page router. Maps search terms to nav sections, calls go() on first match. |
| animateRateBars() | Animates rate limit progress bars from 0% on Rate Limits page load. |
| updateStatusClock() | Updates UTC timestamp on Status page every second. |
◈ Navigation System
The dashboard uses a custom single-page navigation model. All 15 content sections exist in the DOM simultaneously; display:none / .on toggling via go(id) handles transitions. No routing library, no history API, no hash routing.
JavaScript
function go(id) {
document.querySelectorAll('.page').forEach(p => p.classList.remove('on'));
document.querySelectorAll('.sb-item').forEach(i => i.classList.remove('active'));
document.getElementById('p-' + id).classList.add('on');
document.getElementById('n-' + id).classList.add('active');
document.getElementById('main').scrollTop = 0;
}
Section 04
04Home Panel
The landing page of the console. Provides live-animated stat cards, a scrolling detection feed ticker, a quick endpoint reference, and a regional base URL block.
◈ Live Stat Cards (4)
Proxy for live data
| Card | ID | Source | Behavior |
|---|---|---|---|
| Active Detections | ls-threats | Initialized to 23, increments randomly every 4s | Animates from 0 on load |
| Devices Online | ls-agents | Initialized to 1,847 (mock) | Static after load animation |
| API Calls/min | ls-calls | 620–800 range, increments every 4s | Reflects Explorer usage too |
| Events Today | ls-events | 18,400–22,400 range, increments every 4s | Simulates syslog ingest rate |
🔮
Activates when proxy is live: stat cards pull from
GET /v1/detections?resolved=false, GET /v1/devices, and a live event counter endpoint.
📡 Live Detection Feed Ticker
Mock
A scrolling ticker bar below the stat cards cycles through 10 hardcoded detection event strings every 3 seconds. Severity is color-coded (red=critical, yellow=suspicious, green=resolved, cyan=device/API events). Displays UTC timestamp on the right.
🔮
Activates when proxy is live: ticker polls
GET /v1/detections?pageSize=10&resolved=false and streams real detection events with live timestamps.
◈ Static Info Cards (Second Row)
Always live
| Card | Value | Links To |
|---|---|---|
| API Version | v3.8 | Incident Management page |
| Swagger | OAS 3 | Swagger/OpenAPI page |
| Auth Method | OAuth2 | OAuth 2.0 Authentication page |
| Rate Limit | 10/s | Rate Limits page |
Section 05
05Authentication Panels
Three interlinked panels covering OAuth 2.0 theory, an interactive playground, and scope/permission mapping. These are the most frequently referenced pages during integration development.
🚫
Critical: The
client_credentials grant type was deprecated in ESET Connect 2.5 (May 2024) and fully removed. All integrations must use the password grant type only. Any existing scripts using client_credentials will fail with 400.
🔑 OAuth 2.0 Auth Panel
Shows the full OAuth 2.0 password grant flow with a 5-step visual diagram (credentials → POST token → JWT → Bearer header → response), token request/response code blocks, and a field reference table.
| Token Field | Type | Notes |
|---|---|---|
| access_token | string | JWT — include as Authorization: Bearer {token} |
| token_type | string | Always "Bearer" |
| expires_in | integer | 3600 seconds (1 hour) |
| refresh_token | string | Use grant_type=refresh_token to renew |
⚙ OAuth Playground Panel
Proxy for live auth
Side-by-side code blocks for the initial password grant and the refresh token flow. Shows exact HTTP request format, headers, and expected JSON response shape. Static reference only — no live token exchange until proxy is deployed.
Token Endpoint
POST https://{region}.connect.eset.com/oauth/token
Content-Type: application/x-www-form-urlencoded
grant_type=password
&username=api-user@domain.com
&password=<API_PASSWORD>
🔒 Scopes & Permissions Panel
| Domain | Required Permission | Subscription | Notes |
|---|---|---|---|
| Incident Management (v1) | Security Read | ESET Inspect | Basic detections only |
| Incident Management (v2) | Security Read+Write | ECOS | Extended detections + EDR rules |
| Device Management | Device Read/Write | All | Full endpoint control |
| Policy Management | Policy Read/Write | All | Policy CRUD operations |
| Quarantine Management | Quarantine Read/Write | ECOS | Added Connect 2.8 |
| Automation / Tasks | Task Read/Write | All | Manual trigger only via REST |
| User Management | User Admin | ECOS | Added Connect 3.3 |
| Identity | Identity Admin | All | Added Connect 3.5 |
Section 06
06Incident Management Panel
The most complex domain panel. Uses a 4-tab layout (Detections, Detection Groups, Incidents, EDR Rules) with endpoint lists, a JSON response example, a query parameter table, and a live Explorer shortcut.
⚠ Tabs & Sub-panels
| Tab | Endpoints Covered | Notes |
|---|---|---|
| Detections | GET /v1/detections, GET /v2/detections, batchGet, resolve, batchResolve | Default tab. Includes JSON response example and query params table. v2 is ECOS-only. |
| Detection Groups | GET/POST /v2/detection-groups, search, resolve group | v2 endpoint only. Group-level resolution. |
| Incidents | PATCH close/reopen, GET/POST/DEL comments | Added Connect 2.14. Comment management. |
| EDR Rules | CRUD /v1/edr-rules, rule exclusions CRUD | ESET Inspect / ECOS required. |
◈ Detection Query Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| pageSize | integer | Optional | 1–1000. Default 50. Controls how many detections are returned per call. |
| pageToken | string | Optional | Cursor from previous response's nextPageToken field for pagination. |
| resolved | boolean | Optional | Filter by resolution status. Omit to return all. |
| severity | string | Optional | HIGH, MEDIUM, LOW — filters by ESET severity classification. |
| deviceUuid | string | Optional | UUID of a specific device to scope detection results. |
Section 07
07Device Management Panel
Endpoint reference for all device operations: listing, isolation, scanning, group management, and batch operations. Includes a device object field reference and an isolate example.
💻 Device Endpoints
Try → Explorer
GET/v1/devicesList all managed devicesv3.7
GET/v1/devices/{deviceUuid}Get device details
POST/v1/devices:batchGetBatch fetch by UUID list
POST/v1/devices/{uuid}:moveMove to device groupv2.8
POST/v1/devices/{uuid}:renameRename devicev2.8
POST/v1/devices/{uuid}:isolateNetwork isolate device
POST/v1/devices/{uuid}:endIsolationEnd network isolation
POST/v1/devices/{uuid}:scanInitiate on-demand scan
GET/v1/device-groupsList device groups (static + dynamic)
GET/v1/device-groups/{uuid}/devicesDevices in a group
◈ Device Object Fields (v3.1+)
| Field | Type | Since | Notes |
|---|---|---|---|
| uuid | string | v1.0 | Unique device identifier — use in all device-scoped calls |
| name | string | v1.0 | Hostname as registered in ESET PROTECT |
| operatingSystem | object | v1.0 | Nested: name (string), version (string) |
| primaryLocalIpAddress | string | v3.1 | LAN IP address — added Connect 3.1 |
| publicIpAddress | string | v3.1 | WAN/public IP — added Connect 3.1 |
| isMuted | boolean | v3.1 | Whether device alerts are muted |
| isIsolated | boolean | v1.0 | Network isolation status |
| groupUuid | string | v1.0 | Current device group UUID |
Section 08
08Policy Management Panel
Full CRUD for security policies plus assignment and unassignment operations. Policies control ESET product settings across managed endpoints.
📋 Policy Endpoints
Try → Explorer
GET/v1/policiesList all policies
GET/v1/policies/{policyUuid}Get policy details and settings
POST/v1/policiesCreate new policy
PUT/v1/policies/{policyUuid}Update policy
DEL/v1/policies/{policyUuid}Delete policy
POST/v1/policies/{uuid}:assignAssign policy to devices/groups
POST/v1/policies/{uuid}:unassignRemove policy assignment
Section 09
09Quarantine Management Panel
Quarantine listing, restore, delete, and batch download. Requires ECOS subscription. Added in ESET Connect 2.8. Batch download added in Connect 2.9.
⚠
Quarantine Management requires an ECOS subscription. Available since ESET Connect 2.8 (August 2024). Batch download (2.9) returns password-protected archives.
🔒 Quarantine Endpoints
GET/v1/quarantined-objectsList quarantined objects
GET/v1/quarantined-objects/{uuid}Get object details
POST/v1/quarantined-objects/{uuid}:restoreRestore object from quarantine
DEL/v1/quarantined-objects/{uuid}Delete quarantined object
POST/v1/quarantined-objects:downloadDownload single object (password-protected)v2.9
POST/v1/quarantined-objects:batchDownloadDownload multiple objectsv2.9
Section 10
10Automation Panel
Create and execute device tasks via REST. Critical constraint: only manual trigger type is supported through REST API. Scheduled/periodic tasks require the ESET PROTECT Web Console.
🚫
REST API supports manual trigger only.
GetDeviceTasks does not display non-manual trigger types created via the console. Use ESET PROTECT Web Console for scheduled, periodic, or event-based triggers.
⚡ Automation Endpoints
GET/v1/tasksList device tasks
GET/v1/tasks/{taskUuid}Get task details
POST/v1/tasksCreate new task (manual trigger)
POST/v1/tasks/{uuid}:runExecute task immediately
DEL/v1/tasks/{taskUuid}Delete task
Section 11
11Additional API Domains
The dashboard covers 13 total API domains. The remaining domains beyond the core five are summarized here with their key endpoints and subscription requirements.
📦 Asset Management
Connect 2.8+
GET/v1/static-groupsList static device groups
POST/v1/static-groupsCreate static group
PUT/v1/static-groups/{uuid}Update static group
DEL/v1/static-groups/{uuid}Delete static group
GET/v1/hardware-inventoryHardware inventory
GET/v1/software-inventorySoftware inventory
💿 Installer Management
Connect 3.7+
GET/v1/installersList installer packages
POST/v1/installers:generateGenerate custom installer
GET/v1/installers/{uuid}:downloadDownload package
POST/v1/gpo-sccm-files:generateGenerate GPO/SCCM configv3.7
👤 Identity
Connect 3.5+
GET/v1/role-assignmentsList role assignments
POST/v1/role-assignmentsAssign role to user
DEL/v1/role-assignments/{uuid}Remove role assignment
POST/v2/role-assignments:revokeRoleBatch revoke rolev3.7
👥 User Management
ECOS — Connect 3.3+
GET/v1/usersList all users
POST/v1/usersCreate new user
PUT/v1/users/{userUuid}Update user details
DEL/v1/users/{userUuid}Delete user
POST/v1/users/{uuid}:resetPasswordReset password
📱 Mobile Device Mgmt
Connect 2.14+
GET/v1/mobile-devicesList enrolled mobile devices
POST/v1/mobile-devices/{uuid}:lockRemote lock
POST/v1/mobile-devices/{uuid}:wipeRemote wipe
POST/v1/mobile-devices/{uuid}:unenrollUnenroll from management
🌐 Network Access Protection
Connect 2.8+
GET/v1/ip-setsList IP sets
POST/v1/ip-setsCreate IP set
PUT/v1/ip-sets/{uuid}Update IP set (add/remove IPs)
DEL/v1/ip-sets/{uuid}Delete IP set
Section 12
12API Explorer Panel
Interactive request builder with mock response engine. Allows method + path selection, shows simulated JSON responses with syntax highlighting, and tracks a running call count.
⚡ Explorer Controls
| Control | Type | Behavior |
|---|---|---|
| Method selector | select#expM | GET, POST, PUT, DELETE, PATCH — cosmetic only in demo mode |
| Endpoint input | input#expU | Free-text URL path. Default: /v1/detections |
| SEND button | .exp-send | Calls buildRequest() → 350–850ms delay → mock response |
| Quick-pick buttons | .pbtn | 6 preset paths: detections, devices, quarantine, policies, tasks, /oauth/token |
| Response status | #expSt | Shows "200 OK" (green) after success, "Sending…" (amber) during request |
| Response meta | #expMeta | Shows: "Demo · {ms}ms · {KB}" after response |
◈ Mock Response Data
Demo mode
The MOCK{} object contains hardcoded response payloads for the following paths:
| Path Match | Sim. Latency | Response Shape |
|---|---|---|
| /v1/detections | 142ms | 2 detections array + nextPageToken |
| /v2/detections | 198ms | 1 detection (ECOS extended fields) |
| /v1/devices | 88ms | 3 devices (Windows, Windows Server, macOS) |
| /v1/quarantined-objects | 114ms | 2 quarantine objects |
| /v1/policies | 67ms | 3 policies with deviceCount |
| /v1/tasks | 55ms | 2 tasks (COMPLETED + RUNNING) |
| /oauth/token | 38ms | Full token response with demo JWT |
| (any other) | 95ms | Empty pagination wrapper + demo message |
🔮
Activates when proxy is live: SEND routes through the proxy to actual ESET Connect endpoints. Real JWT tokens, real payloads, real latency.
Section 13
13All API Endpoints
Complete reference of every ESET Connect endpoint covered by the dashboard, organized by domain. Base URL format: https://{region}.connect.eset.com
ℹ
Regional prefixes:
eu · us · jp · ca · de — Note: /v2/detections is NOT available in the JP region. Auth endpoint: https://{region}.connect.eset.com/oauth/token
◈ Auth + Core
POST/oauth/tokenAcquire access + refresh token (password grant)
POST/oauth/tokenRefresh access token (refresh_token grant)
⚠ Incident Management
GET/v1/detectionsList detections
GET/v2/detectionsExtended detections (ECOS)v2.9
GET/v1/detections/{detectionUuid}Get detection detail
POST/v1/detections:batchGetBatch fetch by UUID list
POST/v1/detections/{uuid}:resolveResolve single detection
POST/v1/detections:batchResolveResolve multiple detections
GET/v2/detection-groupsList detection groups
POST/v2/detection-groups/{uuid}:resolveResolve all in group
PATCH/v1/incidents/{uuid}:closeClose incident
PATCH/v1/incidents/{uuid}:reopenReopen incident
GET/v1/incidents/{uuid}/commentsList incident comments
POST/v1/incidents/{uuid}/commentsAdd comment
GET/v1/edr-rulesList EDR rules
POST/v1/edr-rulesCreate EDR rule
PUT/v1/edr-rules/{uuid}Update EDR rule
DEL/v1/edr-rules/{uuid}Delete EDR rule
GET/v1/edr-rule-exclusionsList rule exclusions
POST/v1/edr-rule-exclusionsCreate exclusion
💻 Device + Asset
GET/v1/devicesList devices
POST/v1/devices:batchGetBatch get
POST/v1/devices/{uuid}:isolateIsolate device
POST/v1/devices/{uuid}:endIsolationEnd isolation
POST/v1/devices/{uuid}:scanTrigger scan
POST/v1/devices/{uuid}:moveMove to group
POST/v1/devices/{uuid}:renameRename device
GET/v1/device-groupsList device groups
GET/v1/static-groupsList static groups
POST/v1/static-groupsCreate static group
GET/v1/hardware-inventoryHardware inventory
GET/v1/software-inventorySoftware inventory
🔒 Policy + Quarantine + Tasks
GET/v1/policiesList policies
POST/v1/policiesCreate policy
PUT/v1/policies/{uuid}Update policy
DEL/v1/policies/{uuid}Delete policy
POST/v1/policies/{uuid}:assignAssign to devices/groups
POST/v1/policies/{uuid}:unassignRemove assignment
GET/v1/quarantined-objectsList quarantine
POST/v1/quarantined-objects/{uuid}:restoreRestore object
POST/v1/quarantined-objects:batchDownloadBatch download
GET/v1/tasksList tasks
POST/v1/tasksCreate task
POST/v1/tasks/{uuid}:runExecute immediately
Section 14
14Configuration Fields
All configurable parameters used across the dashboard — static config in the mock engine, future proxy config, and the Syslog export settings displayed in the reference panel.
⚙ Dashboard Config (Current — Mock Mode)
| Field | Location | Default | Description |
|---|---|---|---|
| MOCK{} | script block | 7 paths | Hardcoded mock response map. Each key is a URL substring matched against the Explorer input. |
| lsThreats | JS var | 23 | Initial value for Active Detections stat card counter. |
| lsAgents | JS var | 1847 | Initial value for Devices Online stat card. |
| lsCalls | JS var | 620–800 | Randomized init for API Calls counter. Increments on every Explorer request. |
| lsEvents | JS var | 18400–22400 | Randomized init for Events Today counter. |
| tickFeed interval | setInterval | 3000ms | Detection feed ticker rotation interval. |
| liveStats interval | setInterval | 4000ms | Stat counter increment polling rate. |
| FEED_ITEMS[] | array | 10 items | Hardcoded detection feed strings for the live ticker. |
☁ Proxy Config (Required for Live Mode)
Proxy required
| Field | Type | Required | Description |
|---|---|---|---|
| ESET_REGION | string | Required | Data center region: eu, us, jp, ca, de. Determines base URL prefix. |
| ESET_USERNAME | string | Required | API user email for OAuth password grant. Create dedicated API user in ESET PROTECT console. |
| ESET_PASSWORD | string | Required | API user password. Store in proxy env vars — never in the HTML file. |
| PROXY_ENDPOINT | URL | Required | The relay endpoint the Explorer SEND button will target. Handles CORS and token injection. |
| TOKEN_REFRESH_BUFFER | integer | Optional | Seconds before expiry to refresh token. Recommended: 300 (5 min). Token TTL is 3600s. |
📡 Syslog Export Config (Reference Only)
| Setting | Value | Notes |
|---|---|---|
| Format | JSON | Use JSON for SIEM ingest. "ESET Notifications" format = plain text. |
| Envelope | Syslog | Standard RFC syslog envelope wrapper. |
| MinLogLevel | Information | Set to Information to collect all event types. Default may drop lower-severity events. |
| Destination | IP address | Elastic Agent IP, Sentinel forwarder, or other SIEM collector. |
| Port | 514 | Standard syslog port. Adjust if using TLS syslog (typically 6514). |
| Protocol | TCP | TCP recommended for reliability. UDP available but not recommended for security event data. |
| Checkboxes | All enabled | Select all log type checkboxes to ensure Detection, Firewall, HIPS, Audit, and ESET Inspect events are all forwarded. |
Section 15
15Rate Limits
ESET Connect enforces per-token rate limits. The dashboard includes a dedicated Rate Limits panel with animated progress bars and an exponential backoff code example.
⏱ Rate Limit Tiers
| Domain / Operation | Limit | Scope |
|---|---|---|
| All endpoints (default) | 10 req/s | Per access token |
| Detection listing | 5 req/s | Sustained read rate |
| Device operations | 3 req/s | Write operations (isolate, scan) |
| Automation tasks | 10 req/s | Write bursts allowed |
| OAuth token endpoint | Not specified | Avoid excessive token refreshes |
◈ 429 Handling
When rate-limited (HTTP 429), the API returns no Retry-After header. Use exponential backoff starting at 1s:
Python
def eset_get(url, headers, max_retries=5):
for attempt in range(max_retries):
r = requests.get(url, headers=headers)
if r.status_code == 429:
wait = 2 ** attempt # 1s, 2s, 4s, 8s, 16s
time.sleep(wait)
else:
return r
raise Exception("Max retries exceeded")
Section 16
16Proxy Activation Checklist
Step-by-step checklist to transition the dashboard from demo/mock mode to full live operation against the ESET Connect REST API. Complete in order — each step depends on the previous.
🔮
Everything in this section activates the following features simultaneously: real API responses in the Explorer, live stat card data, real detection feed events, actual token acquisition in the OAuth playground, and the "All Systems Operational" status chip becoming a live health check.
1
Create dedicated ESET API user account
In ESET PROTECT Web Console → More → Users → create a service account with minimum required permissions. Do not use a personal admin account. Document the username and store the password in a secrets manager (not the dashboard file).
2
Confirm region and base URL
Identify your ESET PROTECT Cloud data center region (eu / us / jp / ca / de). Verify the correct base URL by checking your ESET PROTECT Web Console URL — it will contain the region prefix. Note:
/v2/detections is NOT available in the JP region.3
Validate OAuth token acquisition
Run a manual test:
curl -X POST https://{region}.connect.eset.com/oauth/token -d "grant_type=password&username=...&password=..." — confirm you receive access_token in the response. A 400 error indicates the deprecated client_credentials grant is being used.4
Deploy CORS proxy / relay service
Browser security blocks direct cross-origin requests from the HTML file to ESET Connect. Deploy a lightweight relay (Node/Express, Cloudflare Worker, or equivalent) that: accepts requests from the dashboard, injects the Authorization header, forwards to ESET Connect, and returns the response. Store ESET credentials in the proxy's env vars only.
5
Implement token refresh logic in proxy
Access tokens expire after 3600 seconds. The proxy must cache the token and use the refresh_token grant to renew it proactively (recommended: 300s before expiry). Failure to handle this will cause 401 errors after 1 hour of operation.
6
Update buildRequest() to target proxy endpoint
In
stack-eset.html, modify the buildRequest() function to POST to PROXY_ENDPOINT + expU.value instead of the local getMock() function. Add proper error handling for 401, 403, 429, and 5xx responses.7
Wire live stat card endpoints
Replace the
initLiveStats() mock initialization with real API calls: Active Detections → GET /v1/detections?resolved=false&pageSize=1 (use totalItems from pagination), Devices Online → GET /v1/devices?pageSize=1.8
Wire live detection feed
Replace
FEED_ITEMS[] / tickFeed() with a polling interval that calls GET /v1/detections?pageSize=5&resolved=false and populates the ticker with real detection titles, severity colors, and device names.9
Remove demo bar and update status chip
Remove the
#ktc-demo-bar element and its styles. Update the "PROXY PENDING" topbar chip to "LIVE" with green styling. Remove the ⚠ DEMO VERSION banner.10
End-to-end smoke test
Verify: (1) Explorer SEND returns real JSON with correct schema, (2) stat cards show live counts, (3) detection feed shows real events, (4) OAuth playground produces a valid token, (5) no CORS errors in browser console, (6) token refresh completes without 401 after 60 minutes.
Section 17
17Known Limitations
Documented constraints of the ESET Connect API and the current dashboard implementation. These are not bugs — they are architectural or subscription boundaries to plan around.
client_credentials grant type removed
Deprecated in Connect 2.5 (May 2024), fully removed. Any existing automation using
grant_type=client_credentials will fail with HTTP 400. Migration to password grant is required for all integrations./v2/detections not available in Japan (JP) region
The extended detections endpoint is region-gated. JP tenants must use
/v1/detections only. This also means JP tenants cannot access ECOS-extended detection fields (triggeringEvent, commandLine) via REST.Automation: REST supports manual trigger only
Tasks created via REST API are restricted to immediate (manual) execution only. Periodic, scheduled, and event-triggered task types are not creatable or visible via REST.
GetDeviceTasks will not return non-manual tasks created in the Web Console.Several domains require ECOS subscription
Quarantine Management, v2 Detections/EDR rules, and User Management all require an ECOS-tier subscription. Calls against these endpoints without ECOS will return 403 Forbidden. The dashboard does not gate these panels by subscription — they always display.
No WebSocket / real-time push support
ESET Connect has no WebSocket or server-sent events endpoint. All "live" data requires polling. Syslog is the only true push mechanism, and it operates over TCP — not HTTP — so it cannot be consumed directly by a browser dashboard.
Access tokens expire in 1 hour with no silent refresh
JWTs issued by the password grant expire after exactly 3600 seconds. There is no automatic silent refresh in the browser — the proxy must actively manage refresh_token cycling. A dropped session mid-shift results in 401 errors until a new token is acquired.
Dashboard not optimized for mobile/small screens
The dual-panel sidebar + main content layout is designed for desktop use (1024px+ wide). The sidebar collapses the content area on screens narrower than ~768px. No responsive breakpoints have been implemented.
Search routes to first page match only
The topbar keyword search navigates to the first matching page section and stops. It does not highlight matching text within pages or show multiple results. Partial keyword matches on 2+ character strings may produce unexpected navigation.
Section 18
18Troubleshooting
Common issues encountered during development, integration, and production operation of the ESET Connect dashboard and API.
HTTP 400 on /oauth/token — "unsupported_grant_type"
▶
You are using
grant_type=client_credentials which was removed in Connect 2.5. Change to grant_type=password and include username and password fields. Verify you are using Content-Type: application/x-www-form-urlencoded (NOT JSON body).
HTTP 401 — "Unauthorized" on API calls
▶
1) Token may have expired — access tokens expire after 3600s. Re-authenticate or implement refresh token cycling in the proxy. 2) Authorization header may be malformed — must be exactly
Authorization: Bearer {token} with a space (not Basic, not Token). 3) Check that the API user account has not been disabled in ESET PROTECT.
HTTP 403 — "Forbidden" on quarantine or v2 detection endpoints
▶
These endpoints require an ECOS subscription. If your ESET PROTECT Cloud license is not ECOS tier, these endpoints will always return 403. Verify your subscription level in the ESET PROTECT Web Console under licensing. Also confirm the API user has the correct role permissions (Security Read+Write for v2 detections, Quarantine Read/Write for quarantine).
HTTP 404 on /v2/detections (Japan region)
▶
The
/v2/detections endpoint is not available in the JP region. Use /v1/detections instead. Verify you are using the jp.connect.eset.com base URL for Japan-region tenants.
HTTP 429 — Rate limit exceeded
▶
ESET Connect does not return a
Retry-After header on 429. Implement exponential backoff: wait 2^attempt seconds before retrying (1s, 2s, 4s, 8s, 16s). The global rate limit is 10 req/s per token. For high-throughput scenarios, consider batching calls using :batchGet endpoints where available.
CORS error when calling ESET Connect from the browser
▶
ESET Connect does not allow direct browser-to-API calls (CORS blocked). This is by design. You must deploy a proxy/relay service that the browser sends requests to, which then forwards them to ESET Connect server-side. The proxy adds the
Authorization header and handles CORS headers for browser compatibility. See Section 16, Step 4.
Explorer SEND button shows "200 OK" but response looks wrong
▶
In demo mode, ALL requests return
200 OK with mock data regardless of path or method. This is expected — the mock engine does not validate the request. Check #expMeta which will show "Demo · {ms}ms" indicating mock mode. To get real responses, the proxy must be deployed and buildRequest() must be updated to target the proxy endpoint.
Stat counters show wrong numbers or don't animate
▶
Stat counters rely on
animateCount() which uses requestAnimationFrame. This may not fire if the tab is in the background on load. Check that initLiveStats() is called from the DOMContentLoaded event or window.onload. The setInterval ticker requires the page to stay in the foreground — browsers throttle intervals on backgrounded tabs.
Syslog events not reaching SIEM after configuration
▶
1) Verify all log type checkboxes are selected in ESET PROTECT Advanced Settings → Syslog Server (not just "Detections" — enable all). 2) Confirm
MinLogLevel is set to Information (not Warning or Error). 3) Check that TCP port 514 is open between ESET PROTECT Cloud egress IPs and your SIEM collector — outgoing IPs vary by region and were updated in Connect 2.13. 4) Heartbeat messages are sent every 60 minutes (Connect 3.4+) — if you haven't received a heartbeat, the connection is not persistent.
Sidebar navigation not scrollspy-syncing to content position
▶
The dashboard uses click-based navigation only — there is no IntersectionObserver or scrollspy. Active sidebar state is set by clicking a nav item (
go(id)), not by scrolling. Within a page, all content is in a single scrolling view. This is a documented limitation — scrollspy with auto-sync requires extending the JS to use IntersectionObserver on the .main scroll container.