January 16th, 2018 14:00

Xtremio REST Call with not Basic Auth

Hello,

I am using a REST API script for DB refreshes (consistency group refresh), but my script exposes the user credentials in plain text, like user:xxxx pass:xxx, so is there any way I can bypass this? I believe XtremIO won't support OAuth or Digest Auth.

Also, key-based (public/private) authentication works for the CLI, but I am not sure if there is any way I can use it for REST calls.

Appreciate any advice.

1 Rookie • 20.4K Posts

January 16th, 2018 15:00

But your endpoint is using HTTPS, so it shouldn't be clear text?

64 Posts

January 16th, 2018 20:00

Currently there is no way around this; however, it's likely less of an issue than you might think.

The credentials are never sent across the network in plain text. The XtremIO REST API is only available via HTTPS/SSL, so everything is ALWAYS encrypted over the wire.

As you've said, key-based authentication is supported for the CLI, but fundamentally that doesn't change the security posture at all. You've just replaced one token that allows you access to the system (the password) with another (the key). Sure, the key is a little harder to memorize, but in the context of a script that's not really relevant.

The simple fact is that in order to access the API you need *something* that can be used for authentication, and the script needs to have that something. It doesn't really matter if that is a password, a key, or a token; the security level is fundamentally the same.

If you don't want the password to actually be visible in the script, then you can encode/encrypt it in some way or other. Again, this doesn't really change the security level, as the script needs to be able to decode/decrypt the password, but it does add a little more effort to using it...
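The answer above settles two things: the XtremIO REST API takes HTTP Basic auth over HTTPS, and the script must hold some secret to use it. What a practitioner can still do is keep that secret out of the script file itself (environment or an owner-only file), build the Basic header correctly, and keep TLS certificate verification switched on so the header only ever reaches the real XMS. The following is an added example written for this page, not code from the thread or from Dell; the environment variable names, credential file path, XMS host and API path are placeholders chosen for illustration, not XtremIO-defined names.

```python
"""Keep the XtremIO REST credentials out of the script body.

Added example, not code from the original thread or from Dell. It assumes
only what the thread states: the API is HTTPS with Basic auth. The
environment variable names, credential file path, XMS host and API path
below are placeholders chosen for illustration, not XtremIO-defined names.
"""
import base64
import json
import os
import ssl
import stat
import urllib.request

ENV_USER = "XMS_USER"   # placeholder variable names (assumption)
ENV_PASS = "XMS_PASS"
CRED_FILE = os.path.expanduser("~/.xms_cred")              # placeholder path (assumption)
XMS_URL = "https://xms.example.invalid/api/json/v2/types"  # placeholder URL (assumption)


def mode_is_private(mode):
    """True when no group/other permission bits are set (e.g. 0600, 0400)."""
    return not (stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO))


def parse_credential_line(line):
    """Split a single 'user:password' line; the password may itself contain ':'."""
    user, sep, password = line.rstrip("\r\n").partition(":")
    if not sep or not user or not password:
        raise ValueError("expected one 'user:password' line")
    return user, password


def read_credential_file(path):
    """Read the credential file, refusing one that other local users can read.

    A script deployed with a stray chmod 644 then fails loudly instead of
    silently handing the array password to every user on the host.
    """
    if not mode_is_private(os.stat(path).st_mode):
        raise PermissionError(f"{path} is group/world accessible; chmod 600 it")
    with open(path, encoding="utf-8") as fh:
        return parse_credential_line(fh.readline())


def load_credentials(env=None, path=CRED_FILE):
    """Environment first (injected by the scheduler), then the protected file."""
    env = os.environ if env is None else env
    user, password = env.get(ENV_USER), env.get(ENV_PASS)
    if user and password:
        return user, password
    return read_credential_file(path)


def basic_auth_header(user, password):
    """RFC 7617 value: base64 of 'user:password'.

    This is encoding, not encryption; confidentiality on the wire comes from
    TLS alone, which is exactly the point made in the thread.
    """
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def build_request(url, user, password, body=None):
    """GET when there is no body, POST with a JSON body otherwise."""
    data = None if body is None else json.dumps(body).encode("utf-8")
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
    req.add_header("Authorization", basic_auth_header(user, password))
    req.add_header("Accept", "application/json")
    if data:
        req.add_header("Content-Type", "application/json")
    return req


def tls_context(cafile=None):
    """Verify the XMS certificate.

    If the XMS presents a self-signed certificate, pass it as cafile rather
    than disabling verification: with verification off, a man-in-the-middle
    receives the same Basic header the array would.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    user, password = load_credentials()           # nothing secret lives in this file
    req = build_request(XMS_URL, user, password)  # placeholder URL (assumption)
    with urllib.request.urlopen(req, context=tls_context(), timeout=30) as resp:
        print(json.dumps(json.load(resp), indent=2))
```

Deploy it with either `export XMS_USER=... XMS_PASS=...` in the scheduler's environment or a `~/.xms_cred` file created with `chmod 600`; the script itself can then be checked into version control. Whoever can read the file or the environment can still drive the array, which is the limit the answer above describes, so the account used should carry only the role the job needs.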

1 Rookie • 20.4K Posts

January 16th, 2018 20:00

And set up a read-only account for API calls.

115 Posts

January 17th, 2018 10:00

Thank you Scott for your inputs.

Dynamox - I tested a read-only account for snapshot refresh; it won't like that privilege.

Unauthorized command 'refresh_data' for user 'syncuser'. At least 'configuration' role is required

1 Rookie • 20.4K Posts

January 17th, 2018 20:00

Ah sorry, I missed that you are making changes to the array. I have a read-only account because I am only collecting performance/capacity data from the API.
