API tokens provide a way to authenticate legitimate calls to 42Crunch API Security Platform itself. Integration with third-party systems, like CI/CD pipelines, requires API tokens to allow the integration plugins to call the required features.
All platform users can create and revoke API tokens in their user profile settings. Each API token must have a unique name so that it can be referenced without ambiguity.
Always store all your tokens securely, for example, in Kubernetes Secrets, like other secrets you use! Treat tokens as you would other sensitive information, like your passwords.
For security reasons, you cannot view the values of your existing tokens after you have created them. However, you can easily create a new one to view and copy the value.
API tokens have access rights that define the scopes the token has. These scopes can allow calling all, some, or one of the features the platform offers, or they can be limited to simple actions:
|Features||API Security Audit||The API token allows calling the API Security Audit service to audit the security of APIs.|
|API Conformance Scan||The API token allows calling the API Conformance Scan service to scan that the live API endpoints conform to their API contracts. If you are a business user, the same token can be used to run Conformance Scan both in 42Crunch Platform and on premises. If your account belongs to the free community organization, you cannot scan APIs in 42Crunch Platform, but you can still use the on-premises version of the scan.|
|API Protection||The API token allows calling the API Protection service to protect APIs with API Firewall.|
|Actions||List resources||The API token allows listing resources (such as API collections, APIs, and users) that are present in your organization in 42Crunch Platform. You can also list resource details, such as API collections owned by a particular user.|
|Delete resources||The API token allows deleting resources (such as API collections, APIs, and users) from your organization in the platform, provided that you have sufficient rights to do so.|
You can define the scopes separately for each token you create.