API Authentication Enterprise
All API requests require a personal access token (PAT). Tokens inherit the permissions of the user who created them. For example, a token created by an Analyst cannot modify Trapsters or settings.
Create a token
Create personal access tokens (PAT) from Settings > Personal Access Tokens. Tokens inherit the permissions of the user who created them.
| Topic | Behavior |
|---|---|
| Expiration | Choose 15 days, 30 days, 90 days, 1 year, 2 years, or Never at creation time |
| After expiry | Expired tokens are rejected; create a new token to replace them |
| Revocation | Only the token owner can revoke their own tokens. Administrators cannot revoke another user's tokens from the dashboard |
| Offboarding | Deleting a user from Settings > Users removes all of their tokens automatically. |
| Changing expiry | Expiration cannot be extended after creation; revoke and create a new token instead |
- Log in to your Trapster dashboard
- Open Settings > Personal Access Tokens
- Enter a name (for example, soar-integration or reporting-script)
- Choose an expiration: use a short expiry for scripts and integrations that do not need indefinite access
- Click Add
The full token is shown once. Copy it immediately and store it in a secrets manager or environment variable, because you cannot view it again after closing the dialog.
Verify it works:
```
curl https://<your-trapster-dashboard>/api/v1/ping \
  -H "Authorization: token <your-token>"
```
Replace <your-trapster-dashboard> with your dashboard URL and <your-token> with the token you created.
A successful response returns { "status": "ok" }. An invalid or expired token returns { "error": "Unauthorized" }.
Revoke a token
- Open Settings > Personal Access Tokens
- Click the delete button next to the token
Revoked tokens stop working immediately. Any integration using that token will receive 401 Unauthorized responses.
When someone leaves your organization, delete their account from Settings > Users. That removes all of their personal access tokens automatically.
Token security
Store tokens in environment variables or a secrets manager, never in source code or version control. Do not share tokens: each token carries your full user-level permissions, so sharing one gives another person or system your access level within your namespaces.
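The ping check and the storage advice above can be combined into a startup preflight for an integration. The following is an added example, not code from Trapster; the environment variable names TRAPSTER_URL and TRAPSTER_TOKEN and the function name check_token are assumptions made for illustration.

```python
import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def check_token(base_url, token, opener=urllib.request.urlopen, timeout=10):
    """Return 'ok', 'unauthorized' or 'error' for a PAT, using /api/v1/ping."""
    # Refuse cleartext transport so the token is never sent over plain HTTP.
    if urlsplit(base_url).scheme != "https":
        raise ValueError("dashboard URL must use https://")
    # Reject empty tokens and whitespace or newlines pasted along with the token.
    if not token or any(c.isspace() for c in token):
        raise ValueError("token is empty or contains whitespace")
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v1/ping",
        headers={"Authorization": "token " + token},
    )
    try:
        with opener(req, timeout=timeout) as resp:
            body = json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        # Revoked tokens receive 401 Unauthorized; other codes are other faults.
        return "unauthorized" if exc.code == 401 else "error"
    except (OSError, ValueError):
        return "error"  # network failure, timeout, or a non-JSON body
    if not isinstance(body, dict):
        return "error"
    if body.get("status") == "ok":
        return "ok"
    return "unauthorized" if body.get("error") == "Unauthorized" else "error"


def main():
    # TRAPSTER_URL and TRAPSTER_TOKEN are hypothetical variable names.
    result = check_token(os.environ["TRAPSTER_URL"], os.environ["TRAPSTER_TOKEN"])
    # Report the outcome only; never print or log the token itself.
    print("token check:", result)
    return 0 if result == "ok" else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

An "unauthorized" result at startup means the token has expired or been revoked and must be replaced, since expiry cannot be extended.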
Full API reference
The complete endpoint reference is available at /api/docs in your dashboard. See API Reference Overview.
