- November 12, 2021: Added navigational instructions for the Continuous Monitoring application.
- April 20, 2021: Updated navigational instructions for the SPM application.
Notes:
- Your API token should be treated as a password.
- Anyone with a token will have access to information about all companies in your portfolio. If you think your token may have been compromised, you can always generate a new one from the same page, which will invalidate the previous one.
- Authentication occurs via HTTP basic authentication. Use your API token as the basic authentication username, with no password.
- All API requests must be made over HTTPS. Calls made over HTTP will fail.
- You must authenticate for all requests.
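The authentication rules in the notes above, as an added Python example (not code from the original page or from the vendor): it builds the Basic authentication header with the token as username and an empty password, and refuses to build a request for any non-HTTPS URL. The host `api.example.invalid`, the `API_TOKEN` environment variable and all function names are assumptions made for illustration; only the `/alerts` path comes from this page.

```python
import base64
import os
from urllib.parse import urlsplit
from urllib.request import Request

# Assumption: placeholder host. Substitute the API base URL from the vendor documentation.
API_BASE = "https://api.example.invalid"
TOKEN_ENV_VAR = "API_TOKEN"  # hypothetical variable name


def load_token(env=os.environ):
    """Read the token from the environment so it is not stored in source control."""
    token = env.get(TOKEN_ENV_VAR, "").strip()
    if not token:
        raise RuntimeError(f"{TOKEN_ENV_VAR} is not set")
    return token


def basic_auth_header(token):
    """Token is the Basic auth username; the password is empty (trailing colon)."""
    if ":" in token:
        raise ValueError("a Basic auth username cannot contain ':'")
    raw = f"{token}:".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_request(path, token, base=API_BASE):
    """Build (not send) an authenticated request; reject any non-HTTPS URL."""
    url = base.rstrip("/") + "/" + path.lstrip("/")
    if urlsplit(url).scheme != "https":
        # Checked on the client so the token is never put on the wire unencrypted.
        raise ValueError("refusing to attach the token to a non-HTTPS URL")
    headers = {"Authorization": basic_auth_header(token), "Accept": "application/json"}
    return Request(url, headers=headers)


def redact(token):
    """Form that is safe to log: the token is a password, so never log it whole."""
    return token[:4] + "..." if len(token) > 8 else "****"


if __name__ == "__main__":
    sample = "constructed-token-123"  # constructed sample value, not a real token
    req = build_request("/alerts", sample)
    print(req.full_url, "token:", redact(sample))
```

Pass the returned `Request` to `urllib.request.urlopen` to send it; Base64 is an encoding, not encryption, so the header is protected only by TLS.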
Token Types
User API Tokens
Each user can set up a “per-user API token.” One token can be generated for each user.
Company API Tokens
Company API tokens are not user-specific. They can be used without breaking existing integrations if certain user accounts are deleted. For example, one Admin (Customer Admin) might generate a token for their Archer integration. If that Admin leaves the company, the token can either continue to be used or it can be revoked by another Admin.
If using a company API token for the /alerts API endpoint, the default alert settings are used instead of your own user-specific alert settings, which may return varying query results.