Getting Started with the API

About the Bugcrowd API

We are excited to be developing a whole new API for interacting with the Bugcrowd platform programmatically. This set of documents relates entirely to the new API. If you’re looking for docs for our existing (v3) API, you can check them out here.

Our new v4 API is now available. Follow the instructions below to start using it or reach out for more information.

Authentication

Access tokens are provisioned on a per-user basis and provide authorization to resources based on the user’s role.

Multiple access tokens can be provisioned per user, and it is possible to revoke access for a token whenever needed by deleting that token.

Bugcrowd limits API requests to 60 requests per minute per IP address.

Provisioning Credentials

To provision access credentials, log in to Bugcrowd and browse to the API Credentials page by clicking on your profile picture and selecting API Credentials from the drop-down menu.

Specify a descriptive name for the credentials. Usually, it is the name of the application you will be using to access the API. Click Create credentials.

A section with your token credentials will be displayed. Make sure you make a note of these credentials before leaving the page. The credentials will not be viewable after the page is refreshed or if you move away from this page.

The authorization tokens used in this reference are example tokens only. You must generate your own tokens for use with the API.

The created token is also listed in the Current credentials section.

Changing API Version

To change the API version, select the required version from the drop-down menu as shown.

When upgrading your token from the v3 API to a date-based version in the v4 API, you must use v4 headers. For more details, see the developer documentation.

The date-based version is the pinned version for the token to be used when there is no Bugcrowd-Version header supplied. Before updating it here, ensure services leveraging the token are prepared and tested for the new version.

A pop-up message is displayed asking for confirmation. Click Change version.

The Successfully upgraded API version message is displayed.

Deleting API Credentials

To delete an API credential, click the Delete icon in the Actions column.

This action is not reversible.

A pop-up message is displayed asking for confirmation. Click Delete credentials.

The API credentials are deleted.

Token Authentication

To access the API, use the provided Authorization request header:

curl --include \
     --header "Accept: application/vnd.bugcrowd.v4+json" \
     --header "Authorization: Token gvnzkgmklo:gPYS2SMN3zJ_k-QAEvyMAcr_PqsGlA-vJ2voA7ysZ635GlT_VZdr2Sg3_YCctkM3SwnBtDCn" \
  'https://api.bugcrowd.com/programs'
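
A wrapper for the request above, as an added example that is not part of Bugcrowd's documentation: it feeds the headers to curl on stdin so the token stays out of the process list and shell history, and it paces calls below the limit of 60 requests per minute per IP address. The environment variables BUGCROWD_API_TOKEN and BUGCROWD_VERSION and the bc_* function names are assumptions made for this example.

```shell
# Added example, not Bugcrowd's code. BUGCROWD_API_TOKEN, BUGCROWD_VERSION and
# the bc_* function names are assumptions made for this sketch.
BC_MIN_INTERVAL=2   # seconds between calls: 30/min, half the 60/min/IP limit,
                    # leaving room for other jobs behind the same IP address
BC_LAST=0           # epoch seconds of the previous request
BC_NL='
'
BC_CR=$(printf '\r')

# Succeeds only if $1 cannot break out of a quoted curl config value.
bc_safe() {
  case "$1" in *\"*|*\\*|*"$BC_NL"*|*"$BC_CR"*) return 1 ;; esac
}

# Print a curl config carrying the headers. It is fed to curl on stdin, so the
# token never appears in argv (visible via ps) or in shell history.
bc_curl_config() {
  [ -n "${BUGCROWD_API_TOKEN:-}" ] || { echo "BUGCROWD_API_TOKEN is not set" >&2; return 1; }
  bc_safe "$BUGCROWD_API_TOKEN" || { echo "token has unsafe characters" >&2; return 1; }
  printf 'header = "Accept: application/vnd.bugcrowd.v4+json"\n'
  printf 'header = "Authorization: Token %s"\n' "$BUGCROWD_API_TOKEN"
  # Optional: send Bugcrowd-Version instead of relying on the token's pinned version.
  if [ -n "${BUGCROWD_VERSION:-}" ]; then
    bc_safe "$BUGCROWD_VERSION" || { echo "version has unsafe characters" >&2; return 1; }
    printf 'header = "Bugcrowd-Version: %s"\n' "$BUGCROWD_VERSION"
  fi
}

# Seconds to sleep given the previous ($1) and current ($2) epoch times.
bc_wait_seconds() {
  bc_elapsed=$(( $2 - $1 ))
  [ "$bc_elapsed" -ge 0 ] || bc_elapsed=0        # clock stepped backwards
  if [ "$bc_elapsed" -ge "$BC_MIN_INTERVAL" ]; then echo 0
  else echo $(( BC_MIN_INTERVAL - bc_elapsed )); fi
}

# GET a path such as /programs, paced and authenticated.
bc_get() {
  bc_cfg=$(bc_curl_config) || return 1
  sleep "$(bc_wait_seconds "$BC_LAST" "$(date +%s)")"
  BC_LAST=$(date +%s)
  printf '%s\n' "$bc_cfg" |
    curl --silent --show-error --fail --config - "https://api.bugcrowd.com$1"
}
```

Call it with a redirect, for example bc_get /programs > programs.json; inside $(...) the function runs in a subshell and the pacing state in BC_LAST is lost.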

Viewing API Keys

You can view the API keys being used, whether they are expired or inactive, and revoke the tokens as required. You can also view the IP address and timestamp of last use. This is currently available for Organization Owner roles on Bugcrowd and applies to the current and future use of the Bugcrowd API. To view API keys, go to your profile and click Team members.

The Organization’s team members page displays the Inactive, Active, and Expired API Keys.

To revoke an API key, click the revoke icon.

The following pop-up message is displayed. Click Revoke to revoke the API key.

Markdown Properties

Some Bugcrowd resources use Markdown fields to allow for rich text functionality. Markdown fields can be retrieved or set in Markdown format only. Check the specific API doc page for each resource to see more information about Markdown-enabled fields.