It seems like your browser didn't download the required fonts. Please revise your security settings and try again.


As of March 1, 2022, the legacy Barracuda Essentials Security, Compliance, and Complete editions are no longer available for purchase. Only existing customers can renew or add users to these plans.

Following October 30, 2022, the documentation and trainings will no longer be updated and will contain outdated information.

For more information on the latest Email Protection plans, see Barracuda Email Protection.

To update your bookmarks, see the following for the latest documentation and trainings:

Note that MSP customers should continue to follow Barracuda Essentials for MSPs.

API Overview

  • Last updated on

The Barracuda Email Security Service API is a beta release and not yet generally available. The APIs in the beta endpoint are currently in preview and subject to change.

The Barracuda Email Security Service REST API provides the ability to interact with the Barracuda Email Security Service (ESS). This article gives a brief description of REST API and the API methods you can use to access your Barracuda Email Security Service. 

Representational State Transfer (REST) is a stateless architecture that runs over HTTP. REST API is a simple web service API you can use to interact with Barracuda Email Security Service. For more information on REST API, visit

The Barracuda Email Security Service API is currently only available for accounts in the US region.

Getting Started

You will need an active Barracuda Cloud Control account and your application registered in the Barracuda Token Service in order to receive the required Client ID and Client Secret. The Client Secret is used to sign and validate access tokens for authentication and to gain access to API endpoints.

For more details, review our Getting Started information. 

Authorization Requirements

All endpoints will require an access token. Access tokens are generated from the token endpoint.

Use the API

The base URL is:

The following endpoints are available:



Sometimes ESS API requests will return a large number of results. Rather than retrieve them all at once, which may affect your application’s performance, you can use paging to retrieve the results in batches. For more information, see Paging.


The scope constrains the endpoints to which a client has access, and whether a client has read or write access to an endpoint. 

As a general rule, choose the most restrictive scope possible and avoid requesting scopes that your application does not need. 

Available scopes:

ess:account:readAllow read-only access to account information.

HTTP response codes

HTTP codeStatusDescription
200OKThe request was successful.
400Bad RequestThe request was invalid and/or not formed properly.
401UnauthorizedThere is a missing or incorrect API token in header.
403ForbiddenThe client did not have permission to access the requested resource.
404Not FoundThe URI requested is invalid or the resource requested does not exists.
406Not AcceptableThe request specified an invalid format.
410GoneThis resource is gone. Used to indicate that an API endpoint has been turned off.
429Too Many RequestsReturned when a request cannot be served due to the application’s rate limit having been exhausted for the resource.
500Internal Server ErrorSomething went wrong.
502Bad GatewayThe service is down or being upgraded. Try again later.
503Service UnavailableThe service is up, but overloaded with requests. Try again later.
504Gateway TimeoutServers are up, but the request couldn’t be serviced due to some failure within our stack. Try again later.