Skip to main content

Access tokens

Use of Qwiet preZero's functionality requires you to possess the correct access token. The access tokens issues by Qwiet loosely fall into two categories:

  1. Tokens tied to a user: by default, Qwiet assigns each user an access token, whose value you can find in the dashboard under Account Settings. The specific permissions granted to the holder of such tokens depend on the role they've been assigned.

  2. Integration tokens: integration tokens are those that users can create to facilitate the integration of Qwiet preZero with another product (e.g., inclusion in a CI/CD pipeline, creating Jira issues populated with vulnerability information identified by Qwiet preZero, etc.). Qwiet allows users with sufficient privileges (typically org owners and super admins) to create such tokens.

Creating tokens

Tokens tied to a user are automatically created by Qwiet preZero whenever an org owner/super admin creates a user. The scopes that Qwiet assigns to that token depend on the role they've been assigned and are automatically updated if that role changes.

Org owners/super admins can create integration tokens and a general access token via the dashboard or the /tokens endpoints of the Qwiet API.

Token types

The following is a description of the specific token types available, which of the two categories they fall under, and when you should use the specific token type:

Token typesUsage
Personal access tokenAutomatically assigned to the user upon creation. Grants access to most Qwiet preZero functionality, though certain actions may be restricted depending on their assigned role (e.g., members may not be able to access as many of the API's endpoints as a power user)
CIUse for integrating Qwiet into your CI/CD systems (e.g., Jenkins, CircleCI). CI tokens are not tied to the user; the tokens are tied to the org used to issue them, so admin users can revoke if necessary
GitHubUse for integrating Qwiet into your GitHub pull request workflow that leverages GitHub Actions
JiraUse for integrating Qwiet preZero with Jira; required by Qwiet's plugin
Service tokenOrg owners can create service tokens used only to generate CI tokens for use in CI/CD pipelines. See the Creating service and CI tokens article for a walkthrough of this process
Access tokenFunctionally the same as the personal access token, though it lacks the scopes needed to call the Qwiet API. It is generated by org owners using the Qwiet API (and can therefore be revoked independently of user management)

Personal access tokens are automatically assigned to each Qwiet user. Access tokens are those generated by org owners via the API's /tokens endpoint.

Tokens and their permissions

Personal accessCIGitHubJira integrationAccessService
Check analysis
Modify findings
Jira integration

Tokens with access to teams (e.g., a CI token with org-wide access) may add apps to those teams during during analysis.