SecObserve is built with an API-first approach: every function needed to use SecObserve is covered by the REST API.
JWT authentication is used by SecObserve's frontend.
|Validity duration for regular users|7 days / 168 hours 1)|
|Validity duration for superusers|1 day / 24 hours 1)|
1) Values can be changed by the administrators.
API tokens are used for other integration scenarios, e.g. to call the REST API from a CI/CD pipeline to import observations.
API tokens can be created for a product or a user.
Product API token
A role (see Roles and permissions) must be selected when a product API token is created. The role determines the permissions of the API token for the product.
The API token can be seen only once after it has been created. It must be copied to ensure that it is not lost.
Only one API token can be created per product. If it needs to be replaced, it must be revoked first.
User API token
An API token for a user can only be created and revoked with API calls. The token can be seen only once, when it is created. Afterwards there is no way to see that API token again. If it is lost, it needs to be revoked and a new one has to be created, as only one API token is allowed per user.
The API token has the same permissions for the same products as the user.
|Endpoint to create API token||
|Endpoint to revoke API token||
Interactive API documentation
The full documentation of the REST API is available at