Tokens
Although authentication to 42Crunch API Security Platform with user credentials works well for human users, it is not as good when you need to programmatically access the platform. For this purpose, 42Crunch Platform offers different tokens for different access needs.
Always store all your tokens securely, for example, in Kubernetes Secrets, like other secrets you use! Treat tokens as you would other sensitive information, like your passwords.
For security reasons, you cannot view the values of your existing tokens after you have created them. However, you can easily create a new one to view and copy the value.
API tokens
API tokens provide fine-grained control for accessing different platform features. All API tokens have a scope that allows you to define exactly which features the token can be used for, and what type of actions can be performed with it.
Integration with third-party systems, like CI/CD pipelines, requires API tokens to allow the integration plugins to call the required features. For more details, see CI/CD integration.
All platform users can create and revoke API tokens in their user profile settings. Each API token must have a unique name so that it can be referenced without ambiguity.
By default, API tokens expire on 3 months from the creation date, but you can also choose a different expiration date if you want.
API token scopes
API tokens have access rights that define the scopes the token has. These scopes can allow calling all, some, or one of the features the platform offers, or they can be limited to simple actions:
Token scope | Description | |
---|---|---|
Features | API Security Audit | The API token allows calling the API Security Audit service to audit the security of APIs. |
API Conformance Scan | The API token allows calling the API Conformance Scan service to scan that the live API endpoints conform to their API contracts. The same token can be used to run Conformance Scan both in 42Crunch Platform and on premises. | |
API Protection | The API token allows calling the API Protection service to protect APIs with API Firewall. | |
Actions | List resources | The API token allows listing resources (such as API collections, APIs, and users) that are present in your organization in 42Crunch Platform. You can also list resource details, such as API collections owned by a particular user. |
Delete resources | The API token allows deleting resources (such as API collections, APIs, and users) from your organization in the platform, provided that you have sufficient rights to do so. |
You can define the scopes separately for each token you create.
IDE tokens
IDE tokens are used to enable deeper integration in our IDE extension OpenAPI (Swagger) Editor, such as viewing API collections or data dictionaries in your organization in 42Crunch Platform directly in your IDE. IDE tokens are used in addition to (or instead of) the token that is sent to you when you first use the IDE extension: the initial token allows you to run Security Audit in the IDE, while the IDE token unlocks additional features. For more details on the integration and supported IDEs, see IDE integration.
You can create IDE tokens in 42Crunch Platform, either on the landing page or under your profile. Unlike API tokens where you can define the scopes for tokens, IDE tokens by default covers what the IDE integration needs to work, which lets you create one quickly with the default settings on the platform home page.
For security reasons, IDE tokens automatically expire after three months, but you can change this when creating tokens under your profile. Although you use only one IDE token at a time in your IDE, you can create a new token before deleting the current token.
Other tokens
There are also other tokens that are created as part of defining configuration for some platform features and are used to identify the correct configuration to be used. These tokens do not grant other accesses, and cannot be managed separately from the associated configuration.
Protection token
Protection tokens tie protection configurations you create for your APIs to the running API Firewall instances.
Protection tokens are passed to API Firewall in the protection token variable. When an API Firewall instance starts, it connects to 42Crunch Platform and fetches the protection configuration matching the protection token specified for it. This ensures that the API Firewall instance runs the correct configuration for your API.
For more details, see API Protection.
Scan token
Instead of running Conformance Scan from the platform UI, you can deploy and run it locally as a Docker image.
To run on-premises scan, you create a scan configuration and then pull and run the Conformance Scan Docker image from Docker Hub, using the configuration you created.
Creating a scan configuration also produces a scan token. The token indicates to Conformance Scan which API it should scan and with which settings. If running Conformance Scan on premises in a Docker container, the scan token is passed in the environment variable SCAN_TOKEN
. When Conformance Scan starts, it connects to 42Crunch Platform and fetches the scan configuration that matches the specified scan token. This ensures that the on-premise scan runs the correct configuration for your API. If running Conformance Scan in 42Crunch Platform, you do not have to provide the scan token separately.
Scan configurations and tokens are specific to a scan version: you cannot run Scan v2 using a Scan v1 scan token, and vice versa. When running a scan, make sure you specify the right scan token for the scan version you are using, otherwise Conformance Scan cannot use the associated scan configuration and fails to run.
For more details, see Running Conformance Scan on premises.