- October 4, 2023: Client Requested Access to Bitsight Token.
- November 12, 2021: Added navigational instructions for the Continuous Monitoring application.
- April 20, 2021: Updated navigational instructions for the SPM application.
- Your API token should be treated as a password.
- Anyone who holds a token can read information about all companies in your portfolio. If you think your token may have been compromised, you can always generate a new one from the same page, which invalidates the previous one.
- Authentication occurs via HTTP basic authentication. Use your API token as the basic authentication username, with no password.
- All API requests must be made over HTTPS. Calls made over HTTP will fail.
- You must authenticate for all requests.
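The following is an added example, not code from Bitsight or this page, showing how a client would apply the rules above: the API token goes in the HTTP Basic username with an empty password, any non-HTTPS URL is refused before a request is built, and the token is redacted before it reaches a log line. The token value and the `api.example.com` host are placeholders; only the `/alerts` path is taken from this page.

```python
import base64
import urllib.request
from urllib.parse import urlparse

# Constructed placeholder; a real Bitsight API token is generated in the
# account settings page and must be handled like a password.
EXAMPLE_TOKEN = "EXAMPLE_TOKEN_PLACEHOLDER"
# Placeholder host (assumption for this example); the page only names the /alerts path.
EXAMPLE_URL = "https://api.example.com/alerts"


def basic_auth_header(token: str) -> str:
    """HTTP Basic value with the token as the username and no password."""
    credentials = f"{token}:".encode("ascii")
    return "Basic " + base64.b64encode(credentials).decode("ascii")


def build_request(url: str, token: str) -> urllib.request.Request:
    """Prepare an authenticated request, refusing anything that is not HTTPS.

    Calls over plain HTTP fail at the API anyway, but checking the scheme
    client-side stops the token from ever being sent in cleartext.
    """
    scheme = urlparse(url).scheme
    if scheme != "https":
        raise ValueError(f"API calls must use HTTPS, got scheme {scheme!r}")
    req = urllib.request.Request(url)
    req.add_header("Authorization", basic_auth_header(token))
    req.add_header("Accept", "application/json")
    return req


def redact(token: str) -> str:
    """Keep only the last four characters so full tokens never land in logs."""
    return "*" * max(len(token) - 4, 0) + token[-4:]


if __name__ == "__main__":
    req = build_request(EXAMPLE_URL, EXAMPLE_TOKEN)
    print("prepared request to", req.full_url, "using token", redact(EXAMPLE_TOKEN))
    # Sending the request (urllib.request.urlopen(req)) is left out so the
    # example runs offline without a real token.
```

Because the token is the whole credential, treat the `Authorization` header exactly as you would a password: keep it out of debug output, request logs and crash reports, and rotate it from the account page if it is ever exposed.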
User API Tokens
Each user can set up a per-user API token. One token can be generated for each user.
Company API Tokens
Company API tokens are not user-specific. They can be used without breaking existing integrations if certain user accounts are deleted. For example, one Admin (Customer Admin) might generate a token for their Archer integration. If that Admin leaves the company, the token can either continue to be used or it can be revoked by another Admin.
If a company API token is used for the /alerts API endpoint, the default alert settings are used instead of your own user-specific alert settings, which may return different query results.
Enable Access Program Token
The registration token generated in the Client Requested Access to Bitsight Token section is for Cyber Insurers to set up registration for policyholders to sign up for the Enable Access Program.
An account may have 1 company API token. If a new token is generated by another Admin, the previous token is no longer valid.