API Token Management

Use the Bitsight API to integrate Bitsight Security Ratings data with your organization's risk management platform(s), GRC solutions, or other custom software solutions. Authentication is token-based; your login credentials to the Bitsight Security Ratings Platform will not work.

Notes:

• Your API token should be treated as a password.
• Anyone with a token will have information about all companies in your portfolio. If you think your token may have been compromised, you can always generate a new one from the same page, which will invalidate the previous one.
• Authentication occurs via HTTP basic authentication. Use your API token as the basic authentication username, with no password.
• All API requests must be made over HTTPS. Calls made over HTTP will fail.
• You must authenticate for all requests.

Token Types

User API Tokens

User API token permissions are user-based. Each user can set up a per-user API token. One token can be generated for each user.

Company API Tokens

Company API tokens are not user-specific and have admin privileges. An account may have a single company API token. If a new token is generated by another Admin, the previous token is no longer valid.

Use company API tokens to prevent existing integrations from breaking if certain user accounts are deleted. For example, one Admin (Customer Admin) might generate a token for their Archer integration. If that Admin leaves the company, the token can either continue to be used or it can be revoked by another Admin.

Client/Vendor Access Program Token

The registration token generated in the Client Requested Access to Bitsight Token section is for Cyber Insurers to set up registration for policyholders to sign up for the Client/Vendor Access Program.