CCNA APIs Questions

42 questions · APIs topic · All types, answers revealed

1
MCQ · easy

A Python script uses the Cisco Webex API to list all rooms. The response includes pagination via the 'Link' header with 'rel="next"'. What is the correct way to retrieve the next page of rooms?

A. Parse the 'Link' header for the URL with 'rel="next"' and send a GET request to that URL.
B. Increment a page counter and append '?page=2' to the original URL.
C. Use the total count returned in the response to calculate the offset.
D. Send a POST request to the same endpoint with the 'cursor' parameter.
Answer: A

This is the correct method for cursor-based pagination.

Why this answer

Option A is correct because the Webex API uses HTTP Link headers for pagination, as specified in RFC 5988. The 'Link' header contains a URL with 'rel="next"' that points directly to the next page of results. To retrieve the next page, you must parse this header, extract the URL, and send a GET request to that URL.

This is the standard approach for cursor-based or token-based pagination, which is common in RESTful APIs that avoid offset-based pagination for consistency.

Exam trap

Cisco often tests the misconception that pagination always uses simple page numbers or offsets, but the trap here is that the Webex API uses the Link header with 'rel="next"' for cursor-based pagination, and candidates may incorrectly assume a traditional page counter or offset approach.

How to eliminate wrong answers

Option B is wrong because the Webex API does not use simple page counters; incrementing a page number and appending '?page=2' assumes a fixed page-based pagination scheme that is not supported by the API. Option C is wrong because the Webex API does not return a total count in the response for pagination; even if it did, calculating an offset would be unreliable due to potential data changes between requests. Option D is wrong because the Webex API uses GET requests for pagination, not POST requests, and the 'cursor' parameter is not part of the standard pagination mechanism; the correct mechanism uses the 'Link' header with 'rel="next"'.
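The Link-header approach from question 1, as an added Python example that is not part of the original question bank. It goes one step beyond the question by refusing a 'next' URL on a different origin, so an access token is never replayed to another host. The host `api.example.test`, the `fetch` callable and the sample pages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# One link-value: <URL> followed by zero or more ";name=value" parameters.
LINK_VALUE = re.compile(r'<([^>]*)>((?:\s*;\s*[^;,]+)*)')


def parse_link_header(value):
    """Return {relation: url} for every link in an HTTP Link header value."""
    links = {}
    for url, params in LINK_VALUE.findall(value or ""):
        for param in params.split(";"):
            name, _, val = param.strip().partition("=")
            if name.strip().lower() == "rel":
                # rel may carry several space-separated relation types
                for rel in val.strip().strip('"').split():
                    links[rel.lower()] = url
    return links


def same_origin(a, b):
    """True when both URLs share scheme, host and port."""
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)


def list_all(first_url, fetch, max_pages=100):
    """Collect items from every page by following rel="next" with GET.

    fetch(url) is a hypothetical transport returning (headers, items);
    with a real HTTP client the header lookup must be case-insensitive.
    """
    items, url, seen = [], first_url, set()
    for _ in range(max_pages):
        if url in seen:
            raise ValueError("pagination loop detected at " + url)
        seen.add(url)
        headers, page = fetch(url)
        items.extend(page)
        next_url = parse_link_header(headers.get("Link")).get("next")
        if not next_url:
            return items  # no rel="next": this was the last page
        if not same_origin(first_url, next_url):
            # Following it would send the Authorization header elsewhere.
            raise ValueError("next link leaves the API origin: " + next_url)
        url = next_url
    raise RuntimeError("stopped after %d pages" % max_pages)


# Constructed sample responses (placeholder host, invented room titles).
BASE = "https://api.example.test/v1/rooms"
SAMPLE_PAGES = {
    BASE + "?max=2": (
        {"Link": "<" + BASE + '?max=2&cursor=bXk>; rel="next"'},
        [{"title": "NOC"}, {"title": "Change Board"}],
    ),
    BASE + "?max=2&cursor=bXk": (
        {"Link": "<" + BASE + '?max=2>; rel="first"'},
        [{"title": "Incident 4711"}],
    ),
}


def fake_fetch(url):
    """Stand-in for an authenticated GET; serves the constructed pages."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    for room in list_all(BASE + "?max=2", fake_fetch):
        print(room["title"])
```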

2
MCQ · hard

A network engineer attempts to modify the IP address of GigabitEthernet1/0/1 using the Cisco IOS-XE RESTCONF API. They send a PUT request with a modified JSON body but receive a 400 Bad Request error. What is the most likely cause?

A. The Accept header should be application/json.
B. The Content-Type header is missing or set incorrectly.
C. The API is not enabled on the device.
D. The request body does not include the full resource hierarchy.
Answer: D

RESTCONF PUT requires the entire data tree for the resource. Omitting parent containers leads to 400.

Why this answer

D is correct because RESTCONF requires the request body to contain the full resource hierarchy (e.g., the entire YANG data tree for the interface) when using PUT, as PUT is a full replacement operation. A 400 Bad Request error typically indicates a malformed request, and omitting mandatory parent or sibling nodes in the JSON body violates the YANG schema, causing the server to reject the request.

Exam trap

Cisco often tests the distinction between PUT (full replacement) and PATCH (partial update) in RESTCONF, and the trap here is that candidates mistakenly think a 400 error is due to missing headers or API availability, rather than recognizing that PUT requires the complete resource hierarchy in the request body.

How to eliminate wrong answers

Option A is wrong because the Accept header specifies the desired response format, not the request body format; a missing or incorrect Accept header would cause a 406 Not Acceptable error, not a 400. Option B is wrong because a missing or incorrect Content-Type header (e.g., not application/yang-data+json) would result in a 415 Unsupported Media Type error, not a 400. Option C is wrong because if the API were not enabled, the device would return a 404 Not Found or a connection refusal, not a 400 Bad Request.

3
MCQ · medium

A network engineer is using the Cisco Meraki API to retrieve a list of SSIDs for a specific network. The API returns an HTTP 200 status but an empty array for the SSIDs. Which of the following is the most likely cause?

A. The network exists but has no SSIDs configured.
B. The network ID is incorrect.
C. The API key is invalid.
D. The request body is malformed.
Answer: A

Empty array indicates no SSIDs, which is valid.

Why this answer

An HTTP 200 status indicates the request was successfully processed by the Meraki API, meaning the API key, network ID, and request format were all valid. An empty array for SSIDs specifically means the network exists and the API queried it correctly, but no SSIDs have been configured on that network. This is the expected behavior when a network has no wireless profiles defined.

Exam trap

Cisco often tests the misconception that an HTTP 200 always means data exists, but the trap here is that a successful API response can legitimately return an empty array when the resource has no configured items.

How to eliminate wrong answers

Option B is wrong because an incorrect network ID would result in an HTTP 404 (Not Found) or HTTP 400 (Bad Request) error, not a 200 with an empty array. Option C is wrong because an invalid API key would return an HTTP 401 (Unauthorized) status, not a successful 200 response. Option D is wrong because a malformed request body would typically cause an HTTP 400 (Bad Request) error, as the Meraki API validates the request structure before processing.

4
MCQ · easy

When designing a REST API client for a Cisco DNA Center deployment, which authentication method should be used to obtain a token for subsequent API calls?

A. OAuth 2.0 client credentials grant.
B. API key in the request header.
C. HTTP Basic authentication to obtain a token.
D. Client certificate in the request.
Answer: C

Correct method: POST with basic auth to get token.

Why this answer

Cisco DNA Center uses HTTP Basic authentication to obtain a token. The client sends a POST request to the /dna/system/api/v1/auth/token endpoint with a Base64-encoded string of the username and password in the Authorization header. The server returns a token that must be included in subsequent API calls via the X-Auth-Token header.

Exam trap

Cisco often tests the specific authentication flow for DNA Center, and the trap here is that candidates confuse the token-based approach with OAuth 2.0 or API keys, which are used by other Cisco platforms like Meraki or Webex.

How to eliminate wrong answers

Option A is wrong because OAuth 2.0 client credentials grant is not supported by Cisco DNA Center; it uses a simpler token-based authentication flow. Option B is wrong because an API key in the request header is not the method used to obtain a token; DNA Center requires username/password authentication to generate a token. Option D is wrong because client certificate authentication is not the standard method for obtaining a token in DNA Center; it relies on HTTP Basic authentication for token generation.

5
MCQ · easy

You are a junior network developer tasked with automating device inventory retrieval using the Cisco Meraki Dashboard API. You have already generated an API key with the appropriate scopes and have tested it successfully with simple GET requests. However, when you attempt to retrieve the list of all devices in your organization via the 'GET /organizations/{organizationId}/devices' endpoint, you receive a 403 Forbidden error. You verify that the API key is correctly included in the request header as 'X-Cisco-Meraki-API-Key'. You also confirm that the organization ID is correct. You are able to reach the Meraki Dashboard API server from your environment, as other endpoints (e.g., 'GET /organizations') work fine. What is the most likely cause of the 403 error, and what should you do to resolve it?

A. The network firewall is blocking the request; check firewall logs and allow outbound traffic to the Meraki API.
B. The API key lacks the required permissions; regenerate the API key with full read access for devices.
C. The request should use POST instead of GET; change the HTTP method to POST to retrieve device data.
D. The API endpoint URL is incorrect; verify the exact path and version in the API documentation.
Answer: B

Correct. The 403 indicates insufficient permissions for the specific endpoint, despite the key being valid for other endpoints.

Why this answer

A 403 Forbidden error specifically indicates that the server understood the request but refuses to authorize it. Since other endpoints like 'GET /organizations' work, network connectivity and API key validity are confirmed. The most likely cause is that the API key lacks the required scope or permission to access the 'GET /organizations/{organizationId}/devices' endpoint.

Regenerating the API key with full read access (including device inventory) resolves this, as Meraki API keys are scoped at creation time and cannot be modified after generation.

Exam trap

Cisco often tests the distinction between authentication (401) and authorization (403) errors, where a 403 means the key is valid but lacks permissions, tricking candidates into blaming network issues or incorrect endpoints.

How to eliminate wrong answers

Option A is wrong because a network firewall blocking the request would typically result in a timeout or connection error (e.g., 0 bytes received), not a 403 Forbidden HTTP response from the server. Option C is wrong because the Meraki Dashboard API uses GET for retrieving data (as per RESTful conventions), and POST is used for creating resources; changing the method would return a 405 Method Not Allowed or 404, not a 403. Option D is wrong because the endpoint URL is verified correct (the organization ID is confirmed, and other endpoints work), and a wrong URL would produce a 404 Not Found, not a 403 Forbidden.

6
MCQ · easy

A developer is integrating a monitoring application with the Cisco Meraki API to retrieve network health data. The application needs to ensure it doesn't exceed the API rate limit of 5 requests per second. What is the best practice for handling this limitation?

A. Increase the rate limit by contacting Cisco support.
B. Use a single API key for all requests to reduce overhead.
C. Implement exponential backoff and retry after receiving a 429 status code.
D. Send all requests in a loop without delay to complete quickly.
Answer: C

Exponential backoff is the standard technique to handle rate limits, gradually increasing wait time between retries.

Why this answer

Option C is correct because the Cisco Meraki API returns HTTP 429 (Too Many Requests) when the rate limit of 5 requests per second is exceeded. Implementing exponential backoff—where the application waits progressively longer intervals between retries—is the standard best practice for handling rate limits gracefully, as it reduces server load and increases the chance of successful retries without overwhelming the API.

Exam trap

Cisco often tests the misconception that rate limits can be bypassed by technical tricks like using a single API key or sending requests faster, when the correct approach is to respect the 429 response with exponential backoff.

How to eliminate wrong answers

Option A is wrong because the rate limit is a fixed server-side policy enforced by Cisco Meraki; contacting support will not increase it, and the developer must work within the documented limits. Option B is wrong because using a single API key does not affect the rate limit—rate limiting is applied per API key or per organization, and a single key cannot reduce overhead or bypass the 5 requests per second cap. Option D is wrong because sending all requests in a loop without delay will immediately trigger 429 responses, causing all requests to fail and potentially leading to temporary IP blocking or account throttling.
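The retry behaviour from question 6, as an added Python example that is not part of the original question bank. It retries only on 429, doubles the wait on each attempt and gives up after a bounded number of retries. Honouring a 'Retry-After' header and adding jitter are assumptions beyond what the question states, and `send`, `make_fake_api` and the status sequences are constructed for the example.

```python
import random
import time


def call_with_backoff(send, max_retries=5, base=1.0, cap=30.0,
                      sleep=time.sleep, rng=random.random):
    """Call send() and retry on HTTP 429 with exponential backoff.

    send() is a hypothetical callable returning (status, headers, body).
    Returns (status, body, waits), where waits lists the delays used.
    Raises RuntimeError when every attempt was rate limited.
    """
    waits = []
    for attempt in range(max_retries + 1):
        status, headers, body = send()
        if status != 429:
            # Any other status, success or error, is the caller's to handle.
            return status, body, waits
        if attempt == max_retries:
            break
        retry_after = str(headers.get("Retry-After", ""))
        if retry_after.isdigit():
            # Assumption: the server states how long to wait; respect it.
            delay = float(retry_after)
        else:
            # 1s, 2s, 4s, ... capped, with jitter in the upper half so
            # many clients throttled together do not retry in lockstep.
            delay = min(cap, base * 2 ** attempt)
            delay = delay / 2 + rng() * delay / 2
        waits.append(delay)
        sleep(delay)
    raise RuntimeError("still rate limited after %d retries" % max_retries)


def make_fake_api(statuses, retry_after=None):
    """Constructed stand-in for an HTTP call: replays the given statuses,
    repeating the last one once the list is used up."""
    queue = list(statuses)

    def send():
        status = queue.pop(0) if len(queue) > 1 else queue[0]
        headers = {}
        if status == 429 and retry_after is not None:
            headers["Retry-After"] = retry_after
        return status, headers, {"status": status}

    return send


if __name__ == "__main__":
    api = make_fake_api([429, 429, 200])
    status, body, waits = call_with_backoff(api, sleep=lambda s: None)
    print(status, [round(w, 2) for w in waits])
```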

7
MCQ · easy

A DevOps engineer is using the Cisco Meraki API to retrieve a list of networks. Which HTTP method should be used?

A. PUT
B. POST
C. DELETE
D. GET
Answer: D

GET is designed to retrieve resources.

Why this answer

The GET method is the correct HTTP verb for retrieving a list of networks from the Cisco Meraki API because it is a read-only operation that fetches existing resources without modifying server state. The Meraki API follows RESTful conventions where GET requests are used to query collections or individual resources, and the endpoint for listing networks is typically a GET to /organizations/{organizationId}/networks.

Exam trap

Cisco often tests whether candidates confuse POST with GET for read operations, especially when the API documentation uses POST for non-standard actions like generating reports or running queries, leading candidates to incorrectly assume POST is acceptable for retrieving lists.

How to eliminate wrong answers

Option A (PUT) is wrong because PUT is used to update or replace an existing resource, not to retrieve data; using PUT for a read operation would violate REST semantics and could cause unintended side effects. Option B (POST) is wrong because POST is used to create a new resource or submit data for processing, not to fetch a list; the Meraki API uses POST for actions like creating networks or generating API keys. Option C (DELETE) is wrong because DELETE is used to remove a resource, which is the opposite of retrieving a list; sending a DELETE to a collection endpoint would attempt to delete the entire collection.

8
MCQ · easy

A script is using the Cisco Meraki API to fetch a list of organizations. The script needs to authenticate with an API key. Where should the API key be included in the request?

A. In the HTTP Authorization header using Bearer scheme.
B. In the request body as a JSON field.
C. In the request URL as a query parameter.
D. In the request header as 'X-Cisco-Meraki-API-Key'.
Answer: D

Meraki API uses the custom header 'X-Cisco-Meraki-API-Key' for API key authentication.

Why this answer

The Cisco Meraki API requires the API key to be sent in a custom HTTP header named 'X-Cisco-Meraki-API-Key'. This is a vendor-specific authentication mechanism, not a standard Bearer token. Including the key in this header ensures the request is authenticated without exposing the key in the URL or body.

Exam trap

Cisco often tests the fact that many APIs use standard Bearer tokens, but the Meraki API specifically uses a custom header, so candidates mistakenly choose the Authorization header option without reading the vendor-specific documentation.

How to eliminate wrong answers

Option A is wrong because the Meraki API does not use the standard HTTP Authorization header with the Bearer scheme; it uses a custom header. Option B is wrong because API keys should never be sent in the request body as a JSON field, as this would require parsing the body for authentication and violates RESTful stateless design. Option C is wrong because including the API key as a query parameter in the URL exposes it in logs, browser history, and network traffic, which is a security risk and not supported by the Meraki API.

9
MCQ · medium

A developer calls the Cisco DNA Center API to get device details and receives the JSON response shown. The device 'Switch-A' is listed but the status is 'unreachable'. Which Cisco DNA Center API endpoint was most likely used?

A. /dna/intent/api/v1/network-device/{id}
B. /dna/intent/api/v1/site/{siteId}/device
C. /dna/intent/api/v1/device-health
D. /dna/intent/api/v1/network-device
Answer: A

This endpoint retrieves a single device by ID, matching the response structure.

Why this answer

Option A is correct because the endpoint /dna/intent/api/v1/network-device/{id} retrieves detailed information for a specific network device, including its management IP address, reachability status, and other attributes. The JSON response showing 'Switch-A' with status 'unreachable' indicates a single-device query, which matches the path parameter {id} used to target a particular device. This endpoint returns a device-level status field (e.g., 'reachabilityStatus') that directly reflects the 'unreachable' value seen in the response.

Exam trap

Cisco often tests the distinction between list endpoints (e.g., /network-device) and detail endpoints (e.g., /network-device/{id}), where candidates mistakenly choose the list endpoint because they see a device name in the response, but the presence of a specific status like 'unreachable' for a single device indicates the ID-specific endpoint was used.

How to eliminate wrong answers

Option B is wrong because /dna/intent/api/v1/site/{siteId}/device returns a list of devices associated with a specific site, not a single device's detailed status; it would not include the 'unreachable' status for an individual device in the same granular way. Option C is wrong because /dna/intent/api/v1/device-health returns aggregated health scores (e.g., overall health, network, wireless) for devices, not the raw reachability status like 'unreachable' for a single device. Option D is wrong because /dna/intent/api/v1/network-device (without an ID) returns a list of all network devices, each with summary information, but the question's response shows details for a single device (Switch-A) with its status, which requires the ID-specific endpoint.

10
MCQ · medium

Refer to the exhibit. A developer sent a POST request to https://apic-ip/api/mo/uni/tn-testtenant.json with a JSON body missing the name attribute. What should the correct JSON body include?

A. {"fvTenant": {"name": "testtenant"}}
B. {"attributes": {"name": "testtenant"}}
C. {"fvTenant": {"attributes": {"name": "TestTenant"}}}
D. {"fvTenant": {"attributes": {"name": "testtenant"}}}
Answer: D

Correctly nests the 'name' property under 'attributes' inside 'fvTenant'.

Why this answer

Option D is correct because the Cisco APIC REST API requires the JSON body for creating a tenant to follow the object model structure: the top-level key is the managed object class (fvTenant), which contains an 'attributes' object with the 'name' property. The name must match the tenant name in the URL (testtenant), and the API expects lowercase for the name value unless the object model specifies otherwise.

Exam trap

Cisco often tests the requirement to nest attributes inside the managed object class, and the trap here is that candidates either omit the 'attributes' wrapper entirely (Option A) or place 'attributes' at the top level (Option B), both of which are common mistakes when transitioning from simpler REST APIs to the APIC's structured object model.

How to eliminate wrong answers

Option A is wrong because it omits the required 'attributes' wrapper; the APIC API expects the 'name' attribute to be nested inside an 'attributes' object within the managed object. Option B is wrong because it uses 'attributes' as the top-level key instead of the managed object class 'fvTenant', which violates the APIC REST API's object model hierarchy. Option C is wrong because it capitalizes 'TestTenant' in the name value, but the URL path uses lowercase 'testtenant', and the APIC API is case-sensitive for tenant names, so this would either create a different tenant or fail.

11
MCQ · easy

A network engineer is writing a Python script to interact with Cisco DNA Center. After successfully authenticating and receiving a token, what header must be included in subsequent API requests?

A. In a custom header
B. In the URL query string
C. In the request body
D. In the Authorization header as Bearer
Answer: D

The standard way is to include 'Authorization: Bearer <token>' in the header.

Why this answer

Option D is correct because Cisco DNA Center uses token-based authentication following the OAuth 2.0 framework. After obtaining a token via the /dna/system/api/v1/auth/token endpoint, the token must be included in the Authorization header using the Bearer scheme (e.g., 'Authorization: Bearer <token>') for all subsequent API requests to prove the client's identity and authorization.

Exam trap

Cisco often tests the distinction between authentication (getting the token) and authorization (using the token), and the trap here is that candidates might think the token is sent in the request body or a custom header because they confuse it with API keys or session cookies, but the correct standard is the Authorization header with Bearer.

How to eliminate wrong answers

Option A is wrong because while you can technically place the token in a custom header, Cisco DNA Center's API specification explicitly requires the token in the Authorization header; using a custom header would result in a 401 Unauthorized error. Option B is wrong because passing the token in the URL query string is insecure (it can be logged, cached, or exposed in browser history) and is not supported by Cisco DNA Center's REST API design. Option C is wrong because the token is not sent in the request body; the body is reserved for payload data (e.g., JSON parameters for creating a site or device), and placing the token there would violate the standard HTTP authentication mechanism.

12
MCQ · hard

A Python script uses the Cisco Meraki API to create a new network and then immediately attempts to configure an SSID on that network. The SSID creation fails with a 400 error indicating 'network is not ready'. What is the most likely cause?

A. The network is not fully provisioned yet; a delay is needed.
B. The API rate limit has been exceeded.
C. The API key does not have write access to networks.
D. The SSID name contains invalid characters.
Answer: A

Asynchronous provisioning requires waiting.

Why this answer

The Meraki API returns a 400 error with 'network is not ready' because creating a network is an asynchronous operation. The network's underlying infrastructure (e.g., virtual LANs, DHCP scopes, firewall rules) must be fully provisioned before it can accept SSID configurations. Attempting to configure an SSID immediately after creation fails because the network is still in a 'pending' or 'provisioning' state, requiring a polling delay or retry logic.

Exam trap

Cisco often tests the misconception that API calls are synchronous and that a successful creation response means the resource is immediately usable, ignoring the asynchronous provisioning that occurs in cloud-managed platforms like Meraki.

How to eliminate wrong answers

Option B is wrong because exceeding the API rate limit would return a 429 (Too Many Requests) error, not a 400 with 'network is not ready'. Option C is wrong because an API key lacking write access would result in a 403 (Forbidden) error, not a 400. Option D is wrong because invalid characters in an SSID name would cause a 400 error with a validation-specific message (e.g., 'Invalid SSID name'), not a generic 'network is not ready'.

13
MCQ · hard

A developer is troubleshooting an API call to Cisco SD-WAN vManage. The request fails with HTTP 400 status and the response body: '{"error": "Bad Request", "details": "Invalid JSON: unexpected token at position 42"}'. Which tool or technique should the developer use to quickly identify the syntax error?

A. Use a JSON validator to check the request body.
B. Increase the timeout value for the HTTP request.
C. Check the API key validity in the header.
D. Review the API documentation for required fields.
Answer: A

A JSON validator can identify syntax errors such as unexpected tokens.

Why this answer

The HTTP 400 status code indicates a client-side error, and the response body explicitly states 'Invalid JSON: unexpected token at position 42'. This means the request body contains malformed JSON. A JSON validator (e.g., jsonlint.com, jq, or a library like `json.loads()` in Python) will parse the JSON and pinpoint the exact syntax error (e.g., a missing comma, extra brace, or unescaped quote) at the specified position, allowing the developer to fix the request body quickly.

Exam trap

Cisco often tests the ability to map specific HTTP status codes and error messages to the correct troubleshooting tool, and the trap here is that candidates may confuse a JSON syntax error (400) with an authentication error (401/403) or a missing-field error (422), leading them to choose options like checking the API key or reviewing documentation instead of using a JSON validator.

How to eliminate wrong answers

Option B is wrong because increasing the timeout value addresses network latency or server delays, not a syntax error in the request body that causes an immediate 400 response. Option C is wrong because checking the API key validity would be relevant for a 401 Unauthorized or 403 Forbidden error, not a 400 Bad Request with a JSON parsing error. Option D is wrong because reviewing API documentation for required fields would help if the error were about missing or invalid fields (e.g., 422 Unprocessable Entity), but the error message explicitly points to a JSON syntax error, not a schema validation issue.

14
MCQ · hard

A large enterprise uses Cisco Meraki for their wireless and switching infrastructure. The network team has developed a Python script that uses the Meraki API to automatically update SSID configurations across all networks. The script has been running successfully for months, performing daily updates to SSID settings such as names, passwords, and VLAN assignments. Recently, the script started failing with the following error message: '{"errors":["This operation is not allowed for this network"]}'. The team has verified the following: the API key is still valid and has access to the full organization, the network IDs used in the script are correct and the networks are active, and no changes have been made to the script code. The script uses the PUT endpoint '/networks/{networkId}/wireless/ssids/{number}' to update SSIDs. What is the most likely cause of the failure?

A. The Meraki API rate limit has been exceeded, and the request is being rejected.
B. The network(s) have been moved to a different organization in the Meraki dashboard.
C. The API key has been downgraded to read-only access due to a security compliance audit.
D. The SSID number used in the request does not exist on the target network.
Answer: B

When a network is moved to another organization, the original API key loses access, causing this error.

Why this answer

Option B is correct. The error 'This operation is not allowed for this network' typically occurs when the API key does not have permission on the network, often because the network has been moved to a different organization. Option A would result in a 429 Too Many Requests error.

Option C would produce a 403 Forbidden error with a different message. Option D would yield a 404 Not Found error.

15
Matching · medium

Match each YAML structure to its description.

Concepts

Scalar mapping

List item

Comment line

Nested mapping

Block scalar (literal)

Why these pairings

YAML syntax basics.

16
MCQ · medium

Refer to the exhibit. A network engineer runs a script that queries the Cisco DNA Center site health API. The response shows Branch1 with a healthScore of 10. What is the most likely action to improve Branch1's health?

A. Investigate the network devices and connectivity at Branch1.
B. Increase the number of clients at Branch1.
C. Check the API authentication token.
D. Use a different API version.
Answer: A

Low health score indicates problems at the site.

Why this answer

A healthScore of 10 on a scale of 0–100 indicates severe degradation, typically caused by network device failures, link flaps, or connectivity loss. Investigating the network devices and connectivity at Branch1 is the correct first step to identify and resolve the root cause, such as a down switch or a routing issue.

Exam trap

Cisco often tests the misconception that API response issues (like authentication or version) are the cause of low health scores, when in fact the API is correctly reporting a real network fault that must be investigated on the infrastructure side.

How to eliminate wrong answers

Option B is wrong because increasing the number of clients would likely worsen the health score by adding more load to an already failing network, and client count is not a direct lever for improving device or site health. Option C is wrong because the script successfully queried the API and received a valid response (healthScore of 10), so the authentication token is valid and not the issue. Option D is wrong because the API version is irrelevant to the health score value; using a different version would not change the underlying network condition that caused the low score.

17
MCQ · hard

A team is designing a CI/CD pipeline that uses the Cisco ACI REST API to deploy tenant policies. Which best practice should be followed for secure credential management?

A. Store credentials in plain text in the pipeline configuration
B. Use a secrets management service and reference it in the pipeline
C. Hardcode credentials in the source code
D. Use a shared user account with no MFA
Answer: B

Secrets management services like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault provide secure storage.

Why this answer

Storing credentials in a secrets management service and referencing them in the pipeline is a security best practice. Hardcoding or storing in plain text is insecure.

18
MCQ · hard

A network engineer is using the Cisco DNA Center API to get site health. The API endpoint returns a large dataset with pagination. The response includes the header 'X-Page-Total-Count'. To retrieve all pages efficiently, what should the engineer implement?

A. A single request with a high limit parameter to fetch all data at once.
B. A loop that increments the page parameter until the response is empty, using the total count header.
C. A recursive function that follows 'next' links in the response body.
D. Polling the endpoint at regular intervals to gather data over time.
Answer: B

This efficiently retrieves all pages by iterating through page numbers.

Why this answer

Option B is correct because the Cisco DNA Center API uses pagination with a page parameter and returns a 'X-Page-Total-Count' header indicating the total number of pages. By implementing a loop that increments the page parameter until all pages are retrieved, the engineer can efficiently fetch all data without overwhelming the API or missing records, using the total count to know when to stop.

Exam trap

Cisco often tests the distinction between REST API pagination patterns (offset/limit vs. page-based with total count) and the trap here is that candidates assume all APIs use 'next' links (like in HAL or JSON:API), but Cisco DNA Center uses explicit page parameters and headers.

How to eliminate wrong answers

Option A is wrong because setting a high limit parameter may exceed the API's maximum allowed limit, causing the request to fail or return truncated data; Cisco DNA Center APIs enforce a maximum page size (e.g., 500 or 1000 records) to prevent server overload. Option C is wrong because the Cisco DNA Center pagination response does not include 'next' links in the response body; it relies on explicit page and total count headers, making recursive following of links inapplicable. Option D is wrong because polling at regular intervals is designed for monitoring changes over time, not for retrieving a complete static dataset; it introduces unnecessary latency and potential data duplication.

19
MCQ · easy

An administrator is using the Cisco Intersight API to manage server profiles. The API returns the following error: '{"error": "Forbidden", "message": "Insufficient privileges"}'. What is the most likely cause?

A. The server profile ID is incorrect.
B. The request body is malformed.
C. The OAuth2 token has insufficient scopes.
D. The API key has expired.
Answer: C

A 403 Forbidden with 'Insufficient privileges' explicitly indicates lack of required scopes.

Why this answer

The error 'Forbidden' with message 'Insufficient privileges' directly indicates that the authenticated user or API client does not have the required permissions to perform the requested operation. In Cisco Intersight, access control is managed via OAuth2 scopes assigned to API keys; if the token lacks the specific scope (e.g., 'server-profile-write') needed for the API call, the server returns this 403 Forbidden error. Option C correctly identifies that the OAuth2 token has insufficient scopes.

Exam trap

The trap here is that candidates confuse 403 Forbidden with 401 Unauthorized, assuming any privilege error means the API key is expired or invalid, when in fact the token is valid but lacks the required OAuth2 scopes.

How to eliminate wrong answers

Option A is wrong because an incorrect server profile ID would typically result in a 404 Not Found error, not a 403 Forbidden. Option B is wrong because a malformed request body would produce a 400 Bad Request error with details about parsing failures, not a privilege-related error. Option D is wrong because an expired API key would cause a 401 Unauthorized error, not a 403 Forbidden; the token is valid but lacks the necessary authorization scopes.

20
MCQ · medium

You are a network automation engineer using the Cisco DNA Center REST API to retrieve health scores for all sites in your network. You call the 'GET /dna/intent/api/v1/site-health' endpoint with parameters to filter by time range. The response returns only the first 20 sites out of a total of 150 sites. You notice that the response includes a 'totalRecords' field showing 150, but only 20 objects are in the 'response' array. You recall that the API documentation mentions pagination support. To avoid manually looping through all pages, you want to implement a robust solution that efficiently retrieves all site health data. Which approach should you take?

A. Change the endpoint to 'GET /dna/intent/api/v1/network-device' which returns all devices without pagination.
B. Export the site health data using the 'POST /dna/intent/api/v1/site-health/export' endpoint.
C. Increase the 'pageSize' parameter to 150 to retrieve all records in a single request.
D. Use the 'nextPageUri' field provided in the response to iterate through all pages until no more pages are available.
Answer: D

Correct. Following the pagination links (nextPageUri) is the standard and reliable method to retrieve all records.

Why this answer

Option D is correct because the Cisco DNA Center REST API implements pagination using a 'nextPageUri' field in the response, which provides the direct URL to the next page of results. By following this field iteratively until it is null or absent, you can efficiently retrieve all 150 site health records without manually constructing pagination parameters or looping through page numbers, ensuring a robust and maintainable solution.

Exam trap

Cisco often tests the misconception that you can simply increase the 'pageSize' parameter to retrieve all records at once, but the trap is that API endpoints enforce a maximum page size, and the correct pattern is to use the provided 'nextPageUri' field to iterate through pages.

How to eliminate wrong answers

Option A is wrong because the 'GET /dna/intent/api/v1/network-device' endpoint returns network device data, not site health data, and it also uses pagination; it does not return all devices without pagination. Option B is wrong because the 'POST /dna/intent/api/v1/site-health/export' endpoint is designed for exporting data to a file (e.g., CSV), not for programmatic retrieval of all records in a single API response, and it may not support the same filtering or real-time access. Option C is wrong because the 'pageSize' parameter typically has a maximum limit (often 500 or less, but in many Cisco APIs the default max is 20 or 50), and setting it to 150 may exceed the allowed maximum, causing the request to fail or be truncated; even if accepted, it is not a guaranteed or recommended practice for large datasets.

21
Multi-Select · medium

A developer receives HTTP 409 Conflict when updating a network configuration via Cisco NX-OS API. Which two scenarios could cause this error?

Select 2 answers
A. The resource was recently modified by another client.
B. The update conflicts with a lock held by another transaction.
C. The request body contains malformed JSON.
D. The request includes unsupported parameters.
E. The API key used is invalid.
Answers: A, B

A concurrent modification leads to a version conflict, resulting in 409.

Why this answer

HTTP 409 Conflict indicates a request conflicts with the current state of the resource. In the context of Cisco NX-OS API, this error occurs when the resource was recently modified by another client (option A) or when the update conflicts with a lock held by another transaction (option B). Both scenarios involve a state mismatch that the server cannot resolve without client intervention, often requiring the client to re-fetch the resource and retry.

Exam trap

Cisco often tests the distinction between client-side errors (400, 401) and server-side state conflicts (409), so the trap here is confusing a malformed request or authentication failure with a resource state conflict.

22
MCQ · hard

A Python script using the Cisco Meraki API v1 is failing with a 429 status code. What is the recommended course of action?

A. Change the API endpoint to a different region
B. Check the API token
C. Increase the rate limit on the dashboard
D. Implement retry logic with exponential backoff and respect Retry-After header
Answer: D

This is the standard approach for handling rate limiting.

Why this answer

A 429 status code indicates rate limiting, meaning the client has exceeded the allowed number of requests per time window. The correct response is to implement retry logic with exponential backoff and respect the Retry-After header, which tells the client how long to wait before retrying. This is a standard best practice for REST APIs, including Cisco Meraki's API v1, to handle rate limits gracefully without overwhelming the server.

Exam trap

Cisco often tests the distinction between HTTP status codes, so the trap here is that candidates confuse a 429 (rate limit) with authentication errors (401/403) or assume they can modify server-side limits, leading them to pick options like B or C.

How to eliminate wrong answers

Option A is wrong because changing the API endpoint to a different region does not affect rate limits; rate limits are per API key or per organization, not per regional endpoint. Option B is wrong because a 429 status code is not related to authentication; an invalid API token would result in a 401 Unauthorized or 403 Forbidden error, not a 429. Option C is wrong because the rate limit is enforced by the Meraki cloud and cannot be increased by the client; the dashboard does not provide a mechanism for clients to modify their rate limit.

23
Drag & Drop · medium

Drag and drop the steps to set up a Python virtual environment for a DevNet project into the correct order.

Why this order

Virtual environments isolate dependencies; creation, activation, package installation, and deactivation are standard steps.

24
MCQ · medium

An automation tool uses RESTCONF to configure a Cisco device. The device returns a 404 error for a PUT request. What does this indicate?

A. The server is overloaded
B. The request body is malformed
C. Authentication failed
D. The resource does not exist
Answer: D

404 is specifically for not found.

Why this answer

A 404 (Not Found) response to a RESTCONF PUT request indicates that the target resource (e.g., a specific YANG data node or URI) does not exist on the device. RESTCONF uses HTTP methods to manipulate resources identified by URIs; a PUT request is intended to create or replace a resource at that URI, but if the resource path is invalid or the data model node is not present, the server returns 404. This is consistent with RFC 8040, which defines the RESTCONF protocol.

Exam trap

Cisco often tests the distinction between HTTP status codes in RESTCONF/NETCONF contexts, and the trap here is that candidates confuse 404 (resource not found) with 400 (bad request) or 401 (authentication failure), especially when the PUT request seems syntactically correct but targets a non-existent resource.

How to eliminate wrong answers

Option A is wrong because a 404 error is not related to server overload; server overload typically results in 503 (Service Unavailable) or 429 (Too Many Requests). Option B is wrong because a malformed request body (e.g., invalid JSON or XML) would produce a 400 (Bad Request) error, not 404. Option C is wrong because authentication failure results in 401 (Unauthorized) or 403 (Forbidden), not 404.

25
MCQ · hard

An engineer is using the Cisco Intersight API to manage UCS servers. The API response returns a paginated list. What is the proper way to retrieve all items?

A. Loop through pages using the 'next' link in the response
B. Increase the page size limit to maximum
C. Send multiple requests with different offsets manually
D. Use a single request with a filter to get all
Answer: A

Following pagination links is the recommended pattern.

Why this answer

The Cisco Intersight API uses cursor-based pagination, where each page response includes a 'next' link pointing to the next page of results. To retrieve all items, you must follow that link in a loop until the 'next' field is null or absent, ensuring you get every page without assuming a fixed offset or page size.

Exam trap

Cisco often tests the distinction between offset-based pagination (common in REST APIs) and cursor-based pagination (used by Intersight), trapping candidates who assume they can manually increment a page number or offset.

How to eliminate wrong answers

Option B is wrong because increasing the page size limit to maximum may exceed API-imposed constraints (e.g., 1000 items per page) and does not guarantee all items are retrieved if the total exceeds that limit. Option C is wrong because Intersight uses cursor-based pagination, not offset-based; manually incrementing offsets will cause duplicate or missed items since the API does not support offset parameters. Option D is wrong because a single request with a filter cannot bypass pagination; the API enforces pagination on all list endpoints, and filters only narrow the result set, not the number of pages.

26
MCQ · easy

An automation script needs to update the hostname of a Cisco IOS-XE device via RESTCONF. Which HTTP method is appropriate?

A. PUT
B. PATCH
C. GET
D. POST
Answer: A

PUT is used to replace the target resource with the request payload.

Why this answer

To update the hostname of a Cisco IOS-XE device via RESTCONF, the PUT HTTP method is appropriate because it performs a full replacement of the target resource. RESTCONF uses the YANG data model, and the hostname is a leaf node under the Cisco-IOS-XE-native YANG module. A PUT request with the complete updated hostname data replaces the existing configuration, aligning with RESTCONF's semantics for resource replacement.

Exam trap

Cisco often tests the distinction between PUT and PATCH, and the trap here is that candidates familiar with RESTful APIs might assume PATCH is available for partial updates, but RESTCONF explicitly omits PATCH, requiring PUT for all replacements.

How to eliminate wrong answers

Option B (PATCH) is wrong because RESTCONF does not support the PATCH method; it uses PUT for full replacement and POST for operations or data resource creation. Option C (GET) is wrong because it is used to retrieve the current hostname, not to update it. Option D (POST) is wrong because in RESTCONF, POST is used to create a new data resource or invoke an RPC operation, not to replace an existing leaf like the hostname.

27
Multi-Select · medium

Which TWO of the following are best practices when using REST APIs in Cisco networking environments?

Select 2 answers
A. Send credentials as plain text in every request.
B. Poll the API every second to get real-time updates.
C. Always handle HTTP error codes like 4xx and 5xx.
D. Embed API keys directly in the URL query parameters.
E. Implement caching to reduce redundant API calls.
Answers: C, E

Error handling is critical for robustness.

Why this answer

Option C is correct because handling HTTP error codes like 4xx (client errors) and 5xx (server errors) is essential for robust REST API integration. In Cisco environments, APIs such as those for DNA Center or Meraki return these codes to indicate issues like authentication failure (401), rate limiting (429), or server overload (503). Proper error handling allows the application to retry, log, or alert appropriately, preventing silent failures and ensuring reliable network automation.

Exam trap

Cisco often tests the misconception that polling frequently (e.g., every second) is acceptable for real-time data, but the trap is that this violates API rate-limiting best practices and ignores the recommended use of webhooks or longer intervals.

28
Drag & Drop · medium

Drag and drop the steps to troubleshoot a network connectivity issue using the OSI model from bottom to top.

Why this order

Troubleshooting follows the OSI model from physical up to application to systematically isolate the problem.

29
MCQ · medium

A Cisco SD-WAN vManage API call to retrieve device inventory returns a 401 error. Which step is most likely missing?

A. The authentication token is expired or invalid
B. The request body is missing required fields
C. The device is unreachable
D. The API endpoint is incorrect
Answer: A

401 indicates authentication failure.

Why this answer

A 401 Unauthorized error in Cisco SD-WAN vManage API indicates that the request lacks valid authentication credentials. The vManage API uses token-based authentication (typically a JSON Web Token, JWT) obtained via a POST to /j_security_check or /authenticate. If the token is expired, malformed, or not included in the Authorization header, the API returns 401.

This is the most likely cause because the other options would produce different HTTP status codes (e.g., 400 for missing fields, 502 for unreachable device, 404 for incorrect endpoint).

Exam trap

Cisco often tests the distinction between HTTP status codes (401 vs 400, 404, 502) to see if candidates understand that authentication failures produce a specific code, not generic errors.

How to eliminate wrong answers

Option B is wrong because a missing required field in the request body would result in a 400 Bad Request error, not a 401. Option C is wrong because an unreachable device is a backend issue that would cause a 502 Bad Gateway or timeout, not a 401 authentication error. Option D is wrong because an incorrect API endpoint would return a 404 Not Found error, not a 401.

30
MCQ · hard

Refer to the exhibit. A DevOps engineer is using NETCONF to retrieve the OSPF configuration. The <get> response is missing the network statements. What is the most likely cause?

A. The filter used in the NETCONF request did not include the correct path for network commands.
B. The YANG model for OSPF does not include the network statement.
C. The device does not support NETCONF for OSPF.
D. The NETCONF username does not have sufficient privileges.
Answer: A

If the filter subtree does not include the network list, the response will not contain those statements.

Why this answer

The most likely cause is that the NETCONF <get> request used an incorrect or incomplete XML filter that did not specify the correct XPath for the OSPF network statements. NETCONF relies on YANG-defined data paths; if the filter omits the subtree for network commands, the device will not return those configuration elements, even though they exist in the running configuration.

Exam trap

Cisco often tests the nuance that NETCONF filters are not automatically recursive; candidates mistakenly assume that requesting a parent container returns all child elements, but the filter must explicitly include the desired subtree path.

How to eliminate wrong answers

Option B is wrong because YANG models for OSPF (e.g., RFC 7277 or vendor-specific models) do include network statements as part of the OSPF area configuration; the model itself is not the issue. Option C is wrong because the device successfully returned other OSPF configuration (e.g., router-id, area), proving NETCONF support for OSPF is functional. Option D is wrong because insufficient privileges would typically result in an access-denied error or an empty <rpc-reply>, not a partial response missing only the network statements.

31
MCQ · medium

A developer is using the Cisco Webex Teams API to create a room and add members. The API returns a 400 error. What is the most likely cause?

A. Invalid access token
B. Missing required fields
C. Network connectivity issue
D. Room name already exists
Answer: B

400 errors are commonly due to missing or invalid fields.

Why this answer

A 400 Bad Request error from the Cisco Webex Teams API indicates that the server cannot process the request due to a client-side error, most commonly missing required fields in the request body. When creating a room, the API requires a 'title' field; omitting it or sending an empty value triggers a 400 response. This is distinct from authentication or network issues, which produce different HTTP status codes.

Exam trap

Cisco often tests the distinction between HTTP 4xx status codes, leading candidates to confuse authentication errors (401) with client-side request errors (400) when the actual issue is missing or malformed data.

How to eliminate wrong answers

Option A is wrong because an invalid access token would result in a 401 Unauthorized error, not a 400 Bad Request. Option C is wrong because a network connectivity issue would typically cause a timeout or connection refused error, not an HTTP 400 response from the server. Option D is wrong because the Webex Teams API allows duplicate room names; a 400 error would not occur for a name that already exists.

32
Multi-Select · medium

When using the Cisco DNA Center API, which three steps are typically involved in making a successful API call? (Choose three.)

Select 3 answers
A. Send requests to the correct API endpoint.
B. Obtain an authentication token using Basic Auth credentials.
C. Use the token in the request body.
D. Use SNMP to retrieve device data.
E. Include the token in the Authorization header as Bearer.
Answers: A, B, E

Correct endpoints are necessary to access desired resources.

Why this answer

To use the DNA Center API, you first obtain an authentication token via Basic Auth, then include that token as a Bearer token in the Authorization header of subsequent requests, and send requests to the correct endpoint. Tokens are not sent in the request body, and SNMP is not used for API calls.

33
Multi-Select · medium

An application authenticates to Cisco Webex API using OAuth2 client credentials grant. Which three pieces of information must the application include in the token request?

Select 3 answers
A. Authorization Code
B. Client ID
C. Redirect URI
D. Client Secret
E. Grant Type
Answers: B, D, E

The client ID identifies the application to the authorization server.

Why this answer

In the OAuth2 client credentials grant flow, the application authenticates directly as itself (not on behalf of a user) to obtain an access token. The token request must include the client ID (B) to identify the application, the client secret (D) to prove its identity, and the grant type (E) set to 'client_credentials' to indicate the flow being used. These three fields are mandatory per RFC 6749 Section 4.4.2.

Exam trap

Cisco often tests the distinction between OAuth2 grant types, and the trap here is that candidates confuse the client credentials grant with the authorization code grant, incorrectly assuming an authorization code or redirect URI is always required for any OAuth2 token request.

34
MCQ · easy

A developer is using Cisco DNA Center API to add a new device to the inventory. Which HTTP method should be used for this operation?

A. PATCH
B. GET
C. DELETE
D. POST
Answer: D

POST is the standard HTTP method to create a new resource in REST APIs.

Why this answer

The POST HTTP method is used to create a new resource on the server. When adding a new device to the Cisco DNA Center inventory, you are creating a new device entry, which aligns with the POST method as defined by RESTful API conventions. Cisco DNA Center's device onboarding API endpoint (e.g., /dna/intent/api/v1/network-device) specifically requires a POST request to add a device.

Exam trap

Cisco often tests the distinction between POST and PUT, where candidates mistakenly choose PUT for creation, but PUT is typically used for full replacement of an existing resource, while POST is the correct method for creating a new resource in Cisco DNA Center's API design.

How to eliminate wrong answers

Option A is wrong because PATCH is used for partial updates to an existing resource, not for creating a new device. Option B is wrong because GET is used to retrieve existing data, not to create new resources. Option C is wrong because DELETE is used to remove an existing resource, not to add one.

35
MCQ · hard

A DevOps team manages a multi-site Cisco Meraki network with 50 MX appliances and 200 MR access points. They use a Python script that calls the Meraki API to collect device utilization data every hour and stores it in a CSV file. Recently, the script started failing intermittently with HTTP 429 status codes. The team suspects rate limiting but notices that the failures occur even when only one script instance runs. The script uses a single API key and makes requests to the /devices/{serial}/uplink endpoint for each MX and the /devices/{serial}/wireless/status endpoint for each MR. The script is scheduled via cron and runs sequentially. The team wants to resolve the rate limiting while minimizing changes to the script. Which course of action should the team take?

A. Introduce a delay between API calls to stay within the rate limit.
B. Distribute the API requests across multiple API keys.
C. Switch to a webhook-based approach to receive data instead of polling.
D. Use the bulk API request feature to collect data in fewer calls.
Answer: A

Adding a small delay reduces request rate and avoids 429 errors.

Why this answer

The intermittent HTTP 429 errors indicate the script is exceeding the Meraki API rate limit, which applies per API key. Since the script runs sequentially with a single key, introducing a delay between API calls (e.g., using time.sleep()) is the simplest fix that stays within the rate limit without requiring architectural changes. This directly addresses the root cause while minimizing modifications to the existing script.

Exam trap

Cisco often tests the misconception that rate limiting can be solved by distributing requests across multiple keys, but the trap here is that the rate limit applies per key and the script's sequential nature means a single key is sufficient if delays are added.

How to eliminate wrong answers

Option B is wrong because distributing requests across multiple API keys does not change the per-key rate limit; the script still makes the same number of calls in the same time window, so 429 errors would persist. Option C is wrong because switching to webhooks requires significant infrastructure changes (e.g., setting up a listener, handling payloads) and does not address the immediate rate-limiting issue with the existing polling script. Option D is wrong because the Meraki API does not support a 'bulk' endpoint for the specific /devices/{serial}/uplink and /devices/{serial}/wireless/status endpoints; these are per-device calls, so batching is not possible.

36
MCQ · medium

A DevOps engineer is designing a REST API for a custom network automation tool. Which principle is essential for a RESTful design?

A. Maintain session state on the server between requests.
B. Use HTTP methods to perform CRUD operations on resources.
C. Use a single URI for all operations with different method names.
D. Return XML responses by default for compatibility.
Answer: B

This is a core REST principle, mapping operations to HTTP methods like GET, POST, PUT, DELETE.

Why this answer

RESTful APIs are designed around resources, and HTTP methods (GET, POST, PUT, DELETE, PATCH) directly map to CRUD operations (Create, Read, Update, Delete). This stateless, resource-oriented approach is a core principle of REST as defined by Roy Fielding's dissertation, enabling uniform interfaces and predictable interactions.

Exam trap

Cisco often tests the misconception that REST APIs can maintain server-side session state (like traditional web apps) or that a single URI with different method names is acceptable, confusing REST with RPC-style designs.

How to eliminate wrong answers

Option A is wrong because REST requires statelessness; each request from a client must contain all necessary information, and session state should be stored on the client, not the server. Option C is wrong because RESTful design uses distinct URIs for each resource, not a single URI with different method names; using a single URI for all operations violates the principle of resource identification and leads to RPC-style APIs. Option D is wrong because REST APIs should support content negotiation (e.g., via the Accept header) and typically return JSON by default for modern web services; forcing XML responses by default reduces flexibility and violates the principle of using standard media types.

37
MCQ · medium

Refer to the exhibit. A Python script parses this JSON response to check if NetFlow is enabled on the network. Which code snippet correctly checks the NetFlow status?

A. `if response['netflow'].get('enabled', False):`
B. `if response['netflow']['enabled'] == 'true':`
C. `if response.netflow.enabled:`
D. `if response['netflow']['enabled']:`
Answer: A

Safely checks for the 'enabled' key with a default of False.

Why this answer

Option A is correct because it uses the `.get()` method with a default value of `False` to safely access the `enabled` key within the `netflow` dictionary. This handles cases where the key might be missing or the value is `False`, avoiding a `KeyError` and correctly evaluating the boolean condition. In JSON, the `enabled` field is typically a boolean, so checking truthiness directly is the proper approach.

Exam trap

Cisco often tests the difference between JSON boolean values and their string representations, trapping candidates who treat `true`/`false` as strings instead of Python booleans, and also tests safe dictionary access methods versus direct key access that can raise exceptions.

How to eliminate wrong answers

Option B is wrong because it compares the value to the string `'true'`, but JSON booleans are lowercase `true` (which Python parses as `True`, not a string). This comparison will always be `False` even when NetFlow is enabled. Option C is wrong because it uses dot notation (`response.netflow.enabled`), which is not valid for a Python dictionary; dictionaries require bracket or `.get()` access. Option D is wrong because it directly accesses `response['netflow']['enabled']` without a fallback; if the `enabled` key is missing or the `netflow` key is absent, this will raise a `KeyError` and crash the script.

38
Multi-Select · medium

When designing a REST API for managing network devices, which two principles should be followed to ensure statelessness?

Select 2 answers
A. All state information is stored on the client.
B. The server maintains session data and identifies clients via cookies.
C. API endpoints include version numbers to support backward compatibility.
D. Each request from client to server must contain all information needed to understand and complete the request.
E. Responses are idempotent for all POST requests.
Answers: A, D

This is a key principle of statelessness: the client holds session state.

Why this answer

Option A is correct because statelessness in REST requires that all session state be stored on the client, not the server. Each request must be self-contained, meaning the server does not retain any client context between requests. This aligns with the REST architectural constraint defined by Roy Fielding, where the server treats each request independently.

Exam trap

Cisco often tests the distinction between statelessness and other REST principles like idempotency or versioning; the trap here is that candidates confuse 'statelessness' with 'idempotency' or 'backward compatibility', leading them to select options that are valid REST practices but do not address the statelessness constraint.

39
MCQ · hard

A security team is developing an application that collects network alerts from Cisco Firepower Management Center (FMC) API. The API requires OAuth2 authorization code grant flow. After obtaining an authorization code, what must the application do to get an access token?

A. Resend the authorization request with the code included in the redirect URI.
B. Decode the authorization code using base64 to extract the access token.
C. Use the authorization code directly in subsequent API requests as a bearer token.
D. Exchange the authorization code for an access token by calling the token endpoint with the code and client credentials.
Answer: D

This is the correct step in the authorization code grant flow.

Why this answer

In the OAuth2 authorization code grant flow, the authorization code is an intermediate credential that must be exchanged for an access token. The application must call the token endpoint, presenting the authorization code along with its client credentials (client ID and client secret) to receive the access token. This exchange is required by RFC 6749 and is a fundamental security measure to ensure the client is authorized to obtain the token.

Exam trap

Cisco often tests the misconception that the authorization code itself can be used as a bearer token or decoded to reveal the access token, when in fact it must be exchanged at the token endpoint with client credentials.

How to eliminate wrong answers

Option A is wrong because resending the authorization request with the code in the redirect URI is not part of the OAuth2 flow; the authorization code is obtained from the authorization endpoint's redirect, not reused in a new request. Option B is wrong because the authorization code is not a base64-encoded access token; it is a short-lived, one-time-use code that must be exchanged via the token endpoint, not decoded. Option C is wrong because the authorization code cannot be used directly as a bearer token; bearer tokens are access tokens, and using the code in API requests would be rejected by the resource server as it is not a valid token.

40
Multi-Select · medium

A developer is troubleshooting a Cisco RESTCONF API call that returns a 409 Conflict error. Which two scenarios could cause this? (Choose two.)

Select 2 answers
A. Authentication token is missing.
B. The resource's current state conflicts with the requested change (e.g., trying to delete a resource that is in use).
C. The resource already exists and the request attempts to create a duplicate.
D. The resource does not exist.
E. The request contains invalid data types.
Answers: B, C

State conflicts, like deleting a resource that is referenced, cause 409.

Why this answer

Option B is correct because a 409 Conflict error in RESTCONF indicates that the request cannot be completed due to a conflict with the current state of the resource. For example, attempting to delete a resource that is referenced by other resources (e.g., a VLAN interface that is still active) violates the resource's state constraints, triggering this HTTP status code.

Exam trap

Cisco often tests the distinction between 409 Conflict and 400 Bad Request, where candidates mistakenly think invalid data types cause a conflict rather than a client-side syntax error.

41
Matching · medium

Match each HTTP method to its typical use case in REST APIs.

Retrieve a resource

Create a new resource

Update an existing resource

Remove a resource

Partially modify a resource

Why these pairings

These are standard RESTful HTTP methods.

42
Multi-Select · easy

Which two authentication methods are commonly used with Cisco APIs? (Choose two.)

Select 2 answers
A. SNMPv3
B. Basic Authentication over HTTPS
C. SSH Key
E. API Token (Bearer Token)
Answers: B, E

Many Cisco APIs support Basic Auth for initial token acquisition.

Why this answer

Basic Authentication over HTTPS is commonly used with Cisco APIs because it sends a base64-encoded username:password pair in the Authorization header, which is a simple and widely supported method for authenticating REST API requests. Cisco's REST APIs, such as those on DNA Center and Meraki, often accept Basic Auth as a fallback or for legacy integration, though it is less secure than token-based methods.

Exam trap

Cisco often tests the distinction between authentication methods used for API access versus those used for device management or network protocols, so the trap here is confusing SNMPv3 or SSH keys (which are for device CLI/management) with HTTP-based API authentication methods.
