Creating service and CI tokens

This article walks you through using a service account token (or service token) to call the /tokens endpoint available via the ShiftLeft API to create CI tokens.

We offer a Postman Collection that includes these endpoints; the relevant section of the Collection is called Tokens, and the specific example is called Create token using service account. We suggest creating an environment to store frequently used variables (including your ShiftLeft access token and org ID values).

Before proceeding, you should have…

Your integration token (with the role of Service Account) and org ID value:

Create new integration token

Authentication

The ShiftLeft API uses bearer authentication, which means that you must pass in a bearer token before you make calls to any of the endpoints. Provide your ShiftLeft token (an integration token with the Service Account role assigned) in the HTTP Authorization request header.

Create the CI token using the service account

Send a POST request to the /tokens endpoint to create the CI token. Note that the integration (access) token used for this call is the one assigned the Service Account role.

curl --request POST \
'https://app.shiftleft.io/api/v4/orgs/{orgID}/tokens' \
--header 'Authorization: Bearer {accessToken}' \
--header 'Content-Type: application/json' \
--data-raw '{
"label": "tokenName",
"description": "A CI token created by a service account",
"role_id": "66ad5168-41be-4b6c-9ac5-a30b02229c35",
"token_type": "access"
}'

Note: you must use the role_id and token_type values as shown; service account tokens can only be used to create CI tokens.

Sample response:

{
"ok": true,
"response": {
"id": "967...546",
"label": "tokenName",
"description": "A CI token created by a service account",
"value": "eyJh...zMQ"
}
}

To view your newly created token, use the list tokens endpoint:

curl --request GET \
'https://app.shiftleft.io/api/v4/orgs/{orgID}/tokens?show_expired=false' \
--header 'Authorization: Bearer {accessToken}'
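
The create call and its response handling as a script, for use in automation. This is an added example, not ShiftLeft's own code: the function names and the sample reply are hypothetical, and it assumes that any reply whose "ok" field is not true means the token was not created.

```python
import json
import urllib.request

API_BASE = "https://app.shiftleft.io/api/v4"
CI_ROLE_ID = "66ad5168-41be-4b6c-9ac5-a30b02229c35"  # role_id given on this page


def build_create_request(org_id, access_token, label, description):
    """Build (without sending) the POST /orgs/{orgID}/tokens request."""
    body = {"label": label, "description": description,
            "role_id": CI_ROLE_ID, "token_type": "access"}
    return urllib.request.Request(
        f"{API_BASE}/orgs/{org_id}/tokens",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )


def parse_create_response(raw):
    """Return (token_id, token_value); raise instead of passing on a bad token."""
    doc = json.loads(raw)
    # Assumption: any body whose "ok" is not true is a failed call.
    if not isinstance(doc, dict) or doc.get("ok") is not True:
        raise RuntimeError("token creation was not acknowledged with ok=true")
    resp = doc.get("response")
    if not isinstance(resp, dict) or not resp.get("id") or not resp.get("value"):
        raise RuntimeError("response is missing the token id or value")
    return resp["id"], resp["value"]


def create_ci_token(org_id, access_token, label, description):
    """Send the request; the caller stores the value in the CI secret store."""
    req = build_create_request(org_id, access_token, label, description)
    with urllib.request.urlopen(req, timeout=30) as reply:
        return parse_create_response(reply.read())


# Constructed sample reply, shaped like the sample response on this page.
SAMPLE_REPLY = json.dumps({"ok": True, "response": {
    "id": "constructed-token-id", "label": "tokenName",
    "description": "A CI token created by a service account",
    "value": "constructed-token-value"}})

if __name__ == "__main__":
    token_id, _value = parse_create_response(SAMPLE_REPLY)
    print("created CI token", token_id)  # log the id, never the value
```

Read the service account token from the environment or a secret store rather than a command-line argument, so it does not end up in shell history or process listings.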