Getting Started with the API

Authentication

Access tokens are provisioned on a per-user basis and provide authorization to resources based on the user’s role.

Multiple access tokens can be provisioned per user, and a token's access can be revoked whenever needed by deleting that token.

Bugcrowd enforces an API rate limit of 60 requests per minute per IP address.

Provisioning Credentials

To provision access credentials, log in to Bugcrowd and browse to the API Credentials page by clicking on your profile picture and selecting API Credentials from the drop-down menu.

Enter a descriptive name for the credentials, usually the name of the application you will be creating to access the API, then click Create API Credentials.

A section with your token auth credentials will be displayed. Record these credentials before leaving the page: they are displayed only upon creation and won’t be viewable after the page is refreshed.

The authorization tokens used in this reference are example tokens only. You will need to generate your own tokens for use with the API.

Token Authentication

To access the API using token authentication, use the provided Authorization request header:

curl --include \
     --header "Accept: application/vnd.bugcrowd+json" \
     --header "Authorization: Token gvnzkgmklo:gPYS2SMN3zJ_k-QAEvyMAcr_PqsGlA-vJ2voA7ysZ635GlT_VZdr2Sg3_YCctkM3SwnBtDCn" \
  'https://api.bugcrowd.com/bounties'
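
The same request as an added Python example (not Bugcrowd's own code): it reads the token from an environment variable rather than embedding it in source or on a command line, and paces calls to the 60 requests / minute limit stated above. The variable name BUGCROWD_API_TOKEN and the helper names are assumptions made for this example.

```python
import collections
import os
import time
import urllib.request

API_URL = "https://api.bugcrowd.com/bounties"   # endpoint shown on this page
TOKEN_ENV = "BUGCROWD_API_TOKEN"                # assumed name, not a Bugcrowd convention
LIMIT, WINDOW = 60, 60.0                        # 60 requests / minute / IP, per this page


class SlidingWindowLimiter:
    """Blocks so that no more than `limit` calls start within any `window` seconds."""

    def __init__(self, limit=LIMIT, window=WINDOW, clock=time.monotonic, sleep=time.sleep):
        self.limit, self.window = limit, window
        self.clock, self.sleep = clock, sleep
        self.sent = collections.deque()          # start times of recent requests

    def acquire(self):
        """Wait if needed, record the request, and return the seconds waited."""
        now = self.clock()
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()                  # forget requests older than the window
        waited = 0.0
        if len(self.sent) >= self.limit:
            waited = self.window - (now - self.sent[0])
            self.sleep(waited)                   # wait until the oldest request ages out
            now = self.clock()
            self.sent.popleft()
        self.sent.append(now)
        return waited


def build_request(url=API_URL, environ=os.environ):
    """Build the authenticated request; the token comes from the environment only."""
    token = environ.get(TOKEN_ENV, "")
    if not token or any(c.isspace() for c in token):
        raise ValueError(f"{TOKEN_ENV} is unset or contains whitespace")
    return urllib.request.Request(url, headers={
        "Accept": "application/vnd.bugcrowd+json",
        "Authorization": f"Token {token}",
    })


def fetch(limiter, url=API_URL):
    """Send one rate-limited GET and return the response body as bytes."""
    limiter.acquire()
    with urllib.request.urlopen(build_request(url), timeout=30) as resp:
        return resp.read()
```

Share one SlidingWindowLimiter across every caller behind the same egress IP address, since the limit is counted per IP address rather than per token.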

Viewing API Keys

You can view which API keys are in use, expired, or inactive, and revoke tokens as required. You can also view the IP address and timestamp of each key's last use. This is currently available for Organization Owner roles on Bugcrowd and applies to the current and future use of the Bugcrowd API. To view API keys, go to your profile and click Team members.

The Organization’s team members page displays the Inactive, Active, and Expired API Keys.

To revoke an API key, click the revoke icon.

A confirmation pop-up message is displayed. Click Revoke to revoke the API key.
