About the Bugcrowd API
This document provides instructions on how to get started and use the Bugcrowd API. Review the latest Bugcrowd API version.
For information about the legacy API, see API legacy document. If you have questions or issues, please submit a support ticket through the Bugcrowd Support Portal.
Authentication
Access tokens are provisioned on a per-user basis and provide authorization to resources based on the user’s role.
Multiple access tokens can be provisioned per user, and it is possible to revoke access for a token by deleting that token.
Bugcrowd limits API requests to 60 requests per minute per IP Address.
Provisioning Credentials
To provision access credentials:
-
Log into Bugcrowd and browse to the API Credentials page by clicking on your profile picture in the top right and selecting API Credentials from the drop-down menu. The API credentials page is displayed.
-
Specify a descriptive name for the credentials. Usually, it is the name of the application you will be using to access the API.
-
Click Create credentials.
A section with your token credentials will be displayed. Make sure you make a note of these credentials before leaving the page. The credentials will not be viewable after the page is refreshed or if you move away from this page.
The Current credentials section displays the created credential.
The authorization tokens used in this reference are example tokens only. You must generate your own tokens for use with the API.
-
For additional security, API tokens can be associated with an Allowlist, which is a set of IP addresses or a range. Under Current credentials, click on Edit IP Allowlist under the Actions column to add an allowlist for an API token.
A pop-up with an option to Add Allowlist entry will appear.
-
Click Add Allowlist entry, and add the IP Address or Range you wish to allow and click Save.
You can add multiple IP addresses by clicking the Add Allowlist entry button.
Note: If an API endpoint is called from an IP address that has not been added to the Allowlist, the request will be rejected.
Pinning API Version
To pin the API version, select the required version from the drop-down menu as shown.
The date-based version is the pinned version for the token, and will be used when there is no Bugcrowd-Version header supplied. Additionally, only IPv4 addresses are supported.
Before updating the version here, we recommend ensuring that services leveraging the token are prepared and tested for the new version.
A pop-up message is displayed asking for confirmation. Click Change version.
The Successfully upgraded API version message is displayed.
Deleting API Credentials
To delete an API credential, click the Delete icon in the Actions column.
This action is not reversible.
A pop-up message is displayed asking for confirmation. Click Delete credentials.
The API credentials are deleted.
Token Authentication
To access the API, use the provided Authorization request header:
curl --include \
--header "Accept: application/vnd.bugcrowd+json" \
--header "Authorization: Token gvnzkgmklo:gPYS2SMN3zJ_k-QAEvyMAcr_PqsGlA-vJ2voA7ysZ635GlT_VZdr2Sg3_YCctkM3SwnBtDCn" \
'https://api.bugcrowd.com/programs'
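The same request from a script, as an added example that is not Bugcrowd's own client code: it keeps the token out of source by reading it from the environment, can send the Bugcrowd-Version header, and stays under the 60 requests per minute limit described under Authentication. The environment variable name `BUGCROWD_API_TOKEN`, the `Throttle` class, the helper names and the identifier:secret check (inferred from the example token above) are assumptions.

```python
import os
import time
import urllib.request
from collections import deque

API_ROOT = "https://api.bugcrowd.com"  # host from the curl example above
RATE_LIMIT = 60                        # documented limit: 60 requests per minute per IP
WINDOW = 60.0                          # seconds

class Throttle:
    """Client-side sliding window that keeps calls under RATE_LIMIT per WINDOW."""

    def __init__(self, limit=RATE_LIMIT, window=WINDOW,
                 clock=time.monotonic, sleep=time.sleep):
        self.limit, self.window = limit, window
        self.clock, self.sleep = clock, sleep
        self.sent = deque()            # send times still inside the window

    def wait(self):
        """Block until one more request fits; return the seconds slept."""
        now = self.clock()
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()        # forget requests older than the window
        delay = 0.0
        if len(self.sent) >= self.limit:
            delay = self.window - (now - self.sent[0])
            self.sleep(delay)          # wait for the oldest request to age out
            now = self.clock()
            self.sent.popleft()
        self.sent.append(now)
        return delay

def build_request(path, token=None, version=None):
    """Return an unsent GET request with the headers the API expects."""
    # Assumed variable name; set it from a secret store, not from source code.
    token = token or os.environ.get("BUGCROWD_API_TOKEN", "")
    # Reject empty or malformed tokens and any whitespace (CR/LF header injection).
    if ":" not in token or any(c.isspace() for c in token):
        raise ValueError("expected a token of the form identifier:secret")
    headers = {"Accept": "application/vnd.bugcrowd+json",
               "Authorization": "Token " + token}
    if version:                        # without it, the token's pinned version applies
        headers["Bugcrowd-Version"] = version
    return urllib.request.Request(API_ROOT + path, headers=headers, method="GET")

def get(path, throttle, **kw):
    """Send one throttled GET and return the raw response body."""
    throttle.wait()
    with urllib.request.urlopen(build_request(path, **kw), timeout=30) as resp:
        return resp.read()
```

Share one `Throttle` instance across every caller that leaves from the same IP address, since the limit is counted per IP rather than per token.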
Viewing API Keys
You can view the API keys being used, whether they are expired or inactive, and revoke the tokens as required. You can also view the IP address and timestamp of last use. This is currently available for Organization Owner roles on Bugcrowd and applies to the current and future use of the Bugcrowd API.
To view API keys, go to the Organization tab and click Team.
The Organization’s team members page displays the Inactive, Active, and Expired API Keys.
To revoke an API key, click the revoke icon.
The following pop-up message is displayed. Click Revoke to revoke the API key.
Markdown Properties
Some Bugcrowd resources use Markdown fields to allow for rich text functionality. Markdown fields can be retrieved or set in Markdown format only. Check the specific API doc page for each resource to see more information about Markdown-enabled fields.