Documentation Index
Fetch the complete documentation index at: https://zeropath.com/docs/llms.txt
Use this file to discover all available pages before exploring further.
Overview
API tokens allow you to access the ZeroPath API programmatically — from CI/CD pipelines, the CLI, the VS Code extension, the MCP server, or custom integrations.Creating Tokens
- Navigate to Settings → API Tokens in the ZeroPath dashboard (zeropath.com/app/settings/api).
- Click “Create Token”.
- Provide a name (optional, for identification).
- Set an expiration (1–365 days, default: 30 days).
- Click Create.
- Copy the Token Secret immediately — it is shown only once and cannot be retrieved later.
- Token ID — a UUID identifying the token (safe to log).
- Token Secret — the secret key (treat like a password).
Authentication Headers
Every API request must include both headers:Example
Supported API Surfaces
API tokens authenticate requests to both the V1 and V2 ZeroPath APIs. The V2 API provides expanded coverage including:- Vulnerabilities — list, search, and manage security findings, including remediation and patch metadata when available
- SCA — list dependency vulnerabilities with severity, reachability data, and patch status metadata when a remediation exists. You can filter SCA alerts and vulnerabilities to only those associated with applications exposed by Wiz
- Reports — generate security reports in DOCX, CSV, SARIF, or SBOM format
- Custom Reports — create, list, and delete saved filter configurations, retrieve aggregated statistics (severity distribution, top vulnerability classes, MTTR, trends), and discover available filter fields via the filter schema endpoint
- Endpoints — semantic search across detected endpoints and data handlers
- Agent — manage event triggers, patches, pull requests, global agent instructions, trigger history, real-time job streaming via SSE, and playbooks (activate, pause, and uninstall pre-built security automation workflows from a template library). Playbook templates support rich parameter types including text, number, boolean toggles, and select dropdowns, giving you fine-grained control when activating workflows
- On-Demand Code Scans Beta — submit diffs, files, and snippets for asynchronous security review from CLIs, IDEs, pre-commit hooks, and custom integrations
- Rule Packs — browse curated bundles of natural-language SAST rule templates covering compliance, privacy, logging, and more; enable or disable individual templates or entire packs for your organization
- Organizations — manage organizations, list/invite/remove members, and update member roles
- Repositories — list, add by URL (public repos), delete, and manage repository settings. For monorepo setups, you can atomically delete all partitions of a monorepo in a single operation, and previously deleted repositories can be re-imported without issues
- Scans — trigger full scans, cancel running scans, and manage cron-based scan schedules with branch targeting. You can filter the scan list by severity level (Critical, High, Medium, Low) and group PR scans by pull request to see only the latest scan per PR along with a count of related rescans
- Teams — create teams, manage memberships, configure granular organization/repository/team permissions, and manage default permission templates that can be applied to all teams or specific teams in your organization
- Custom Sources — create, list, update, toggle, and delete custom security source declarations that tell the scanner about additional untrusted data entry points in your code
- Custom Sinks — create, list, update, toggle, and delete custom security sink declarations that tell the scanner about additional security-sensitive operations in your code
- Custom Source Packs — browse curated bundles of source declaration templates, enable or disable individual templates or entire packs
- Custom Sink Packs — browse curated bundles of sink declaration templates, enable or disable individual templates or entire packs
- Integrations — read data from third-party integrations such as Wiz CSPM, including retrieving Wiz settings, listing Wiz projects, and searching Wiz cloud assets and network exposures
- Scanner Settings — configure scan modules, confidence thresholds, auto-patching, and file ignore patterns at org, repo, or app scope
- Stats — retrieve aggregate issue counts and scan activity by scope
Token Scopes
Tokens are organization-scoped. A token created under a specific organization grants access to all resources within that organization, subject to the same permissions as the user who created it. There is no fine-grained scope selection at token creation time — the token inherits the creating user’s permissions in the organization.Managing Tokens
From the API Tokens settings page, you can:- View all active tokens with their names, creation dates, and expiration dates.
- Delete tokens that are no longer needed or may be compromised.
Token Lifecycle
- Tokens have a fixed expiration date set at creation (1–365 days).
- Expired tokens are automatically rejected — there is no automatic renewal.
- When a token expires, create a new one and update your integrations.
- Token secrets are cryptographically hashed before storage — ZeroPath never stores the plaintext secret.
Best Practices
- Use descriptive names — name tokens after their purpose (e.g., “CI/CD Pipeline”, “VS Code Extension”, “MCP Server”).
- Set short expirations — use the shortest practical expiration for your use case.
- Rotate regularly — create new tokens and retire old ones on a schedule.
- Never commit tokens to source control — use environment variables or a secrets manager.
- One token per integration — avoid sharing a single token across multiple systems so you can revoke individually.
- Delete compromised tokens immediately — if a token may have been exposed, delete it and create a replacement.