API tokens let you automate protecting your APIs by calling the REST API of 42Crunch Platform. The platform API requires all incoming API calls to include an API token; otherwise, the call is rejected.
All platform users can create and revoke API tokens in their user profile settings. Each API token must have a unique name so that it can be referenced without ambiguity.
Security risk: Always store all your tokens securely, like other secrets you use! Treat tokens as you would other sensitive information, like your passwords.
For security reasons, you cannot view the values of your existing tokens after you have created them. However, you can easily create a new one to view and copy the value.
Once you have created suitable API tokens, you can use them in your own automation scripts that call the platform API.
API tokens have access rights that define the scopes the token has. The scopes can allow calling all, some, or one of the features the platform offers, or they can be limited to simple actions:
| Type | Scope | Description |
|---|---|---|
| Features | API Contract Security Audit | The API token allows calling the API Contract Security Audit service to audit the security of APIs. |
| Features | API Contract Conformance Scan | The API token allows calling the API Contract Conformance Scan service to scan that the live API endpoints conform to their API contracts. |
| Features | Protection | The API token allows calling the API Protection service to protect APIs with API Firewall. |
| Actions | List resources | The API token allows listing resources (such as API collections, APIs, and users) that are present in your organization in the platform. You can also list resource details, such as API collections owned by a particular user. |
| Actions | Delete resources | The API token allows deleting resources (such as API collections, APIs, and users) from your organization in the platform, provided that you have sufficient rights to do so. |
You can define the scopes separately for each token you create.