Skip to content


SecObserve is build with an API first approach, every functionality needed to use SecObserve is covered by the REST API.



JWT authentication is used by SecObserve's frontend.

Endpoint /api/authentication/authenticate/
Validity duration for regular users 7 days / 168 hours 1)
Validity duration for superusers 1 day / 24 hours 1)
HTTP header Authorization: JWTtoken

1) Values can be changed by the administrators.

API token

API tokens are used for other integration scenarios, e.g. to call the REST API from a CI/CD pipeline to import observations.

Validity Until revokation
HTTP header Authorization: APITokentoken

API tokens can be created for a product or a user.

Product API token

Create product API token 1

A role (see Roles and permissions) must be selected during creation of a product API token, to determine the permissions of the API token for the product.

Create product API token 2

The API token can be seen only once after it has been created. It must be copied to ensure that it is not lost.

Create product API token 3

Only one API token can be created per product. If it needs to be replaced, it must be revoked first.

Revoke product API token

User API token

An API token for a user can only be created and revoked with API calls. The token can be seen only once, when it is created. Afterwards there is no way to see that API token again. If it is lost it needs to be revoked and a new one has to be created, as only one API token is allowed per user.

The API token has the same permissions for the same products as the user.

Endpoint to create API token /api/authentication/create_api_token/
Endpoint to revoke API token /api/authentication/revoke_api_token/

Interactive API documentation

The full documentation of the REST API is available at <BACKEND_URL>/api/oa3/swagger-ui.