Notes:
- Your API token should be treated as a password.
- Anyone who has your token can access information about all companies in your portfolio. If you think your token may have been compromised, you can always generate a new one from the same page, which will invalidate the previous one.
- Authentication occurs via HTTP basic authentication. Use your API token as the basic authentication username, with no password.
- All API requests must be made over HTTPS. Calls made over HTTP will fail.
- You must authenticate for all requests.
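
The authentication rules in the notes above, as an added example that is not part of the original documentation: it builds the Basic authentication header with the token as the username and an empty password, and refuses to attach the token to a non-HTTPS URL. The base URL `https://api.example.com`, the environment variable name `API_TOKEN` and the helper names are assumptions made for illustration.

```python
import base64
import os
import urllib.request
from urllib.parse import urlsplit

# Hypothetical base URL and environment variable name (assumptions, not from the page).
API_BASE = "https://api.example.com"
TOKEN_ENV = "API_TOKEN"


def basic_auth_header(token: str) -> str:
    """Token as the Basic-auth username with an empty password: 'token:'."""
    if not token or ":" in token or any(c.isspace() for c in token):
        raise ValueError("token is empty or contains ':' or whitespace")
    creds = f"{token}:".encode("ascii")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def build_request(path: str, token: str, base: str = API_BASE) -> urllib.request.Request:
    """Build an authenticated request; refuse anything that is not HTTPS."""
    url = base.rstrip("/") + "/" + path.lstrip("/")
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send the token over a non-HTTPS URL")
    req = urllib.request.Request(url)
    req.add_header("Authorization", basic_auth_header(token))
    return req


def redact(token: str) -> str:
    """Form safe for logs: never write the full token."""
    return token[:4] + "..." if len(token) > 8 else "***"


if __name__ == "__main__":
    # Read the token from the environment instead of hard-coding it;
    # the fallback is a constructed sample value, not a real token.
    token = os.environ.get(TOKEN_ENV, "constructed-sample-token")
    req = build_request("/alerts", token)
    print(req.full_url, "token:", redact(token))
```

Because the token is treated as a password, the script reads it from the environment and logs only the redacted form.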
Token Types
User API Tokens
User API token permissions are user-based. Each user can set up a per-user API token. One token can be generated for each user.
Company API Tokens
Company API tokens are not user-specific and have admin privileges. An account may have a single company API token. If a new token is generated by another Admin, the previous token is no longer valid.
Use company API tokens to prevent existing integrations from breaking if certain user accounts are deleted. For example, one Admin (Customer Admin) might generate a token for their Archer integration. If that Admin leaves the company, the token can either continue to be used or it can be revoked by another Admin.
If you use a company API token with the /alerts API endpoint, the default alert settings are used instead of your own user-specific alert settings, so query results may vary.
Client/Vendor Access Program Token
The registration token generated in the Client Requested Access to Bitsight Token section is for Cyber Insurers to set up registration for policyholders to sign up for the Client/Vendor Access Program.
- June 13, 2024: Token privilege information.
- May 6, 2024: Enable Access Program renamed to Client/Vendor Access Program.
- October 4, 2023: Client Requested Access to Bitsight Token.