Overview

API tokens allow you to access the ZeroPath API programmatically — from CI/CD pipelines, the CLI, the VS Code extension, the MCP server, or custom integrations.

Creating Tokens

  1. Navigate to Settings → API Tokens in the ZeroPath dashboard (zeropath.com/app/settings/api).
  2. Click “Create Token”.
  3. Provide a name (optional, for identification).
  4. Set an expiration (1–365 days, default: 30 days).
  5. Click Create.
  6. Copy the Token Secret immediately — it is shown only once and cannot be retrieved later.
You’ll receive two values:
  • Token ID — a UUID identifying the token (safe to log).
  • Token Secret — the secret key (treat like a password).

Authentication Headers

Every API request must include both headers:
X-ZeroPath-API-Token-Id: <your-token-id>
X-ZeroPath-API-Token-Secret: <your-token-secret>

Example

curl -X POST https://zeropath.com/api/v1/scans/list \
  -H "Content-Type: application/json" \
  -H "X-ZeroPath-API-Token-Id: your-token-id" \
  -H "X-ZeroPath-API-Token-Secret: your-token-secret" \
  -d '{"organizationId": "your-org-id"}'
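
The same request as a small Python client, added here as an example (it is not ZeroPath's own code). It reads the token pair from environment variables instead of hard-coding it, fails fast when either half is missing, and produces a log-safe copy of the headers in which only the Token ID survives. The variable names ZEROPATH_TOKEN_ID, ZEROPATH_TOKEN_SECRET and ZEROPATH_ORG_ID and the function names are assumptions made for this example; the two header names and the scans/list endpoint are the ones the page documents.

```python
"""Call the ZeroPath scans/list endpoint with a token pair from the environment.

Added example, not ZeroPath's own client. The environment variable names
ZEROPATH_TOKEN_ID / ZEROPATH_TOKEN_SECRET / ZEROPATH_ORG_ID are assumptions
chosen here; the header names and endpoint are from the documentation.
"""
import json
import os
import urllib.request

API_BASE = "https://zeropath.com/api/v1"

# The Token ID is a non-secret UUID; the Token Secret must be treated like a password.
TOKEN_ID_HEADER = "X-ZeroPath-API-Token-Id"
TOKEN_SECRET_HEADER = "X-ZeroPath-API-Token-Secret"


def build_headers(env=None):
    """Return Content-Type plus the two required authentication headers.

    The token pair is read from the environment (never hard-coded). Missing
    or blank values raise immediately, so a misconfigured pipeline does not
    silently send an unauthenticated request and fail somewhere less obvious.
    """
    env = os.environ if env is None else env
    token_id = env.get("ZEROPATH_TOKEN_ID", "").strip()
    token_secret = env.get("ZEROPATH_TOKEN_SECRET", "").strip()
    if not token_id or not token_secret:
        raise RuntimeError("ZEROPATH_TOKEN_ID and ZEROPATH_TOKEN_SECRET must both be set")
    return {
        "Content-Type": "application/json",
        TOKEN_ID_HEADER: token_id,
        TOKEN_SECRET_HEADER: token_secret,
    }


def redact_for_log(headers):
    """Return a copy of the headers that is safe to write to a log line.

    The Token ID is kept so an operator can tell which token a job used (and
    delete it if needed); the secret is replaced with a fixed marker.
    """
    safe = dict(headers)
    if TOKEN_SECRET_HEADER in safe:
        safe[TOKEN_SECRET_HEADER] = "<redacted>"
    return safe


def list_scans(organization_id, headers, opener=urllib.request.urlopen):
    """POST /scans/list for one organization and return the decoded JSON body.

    `opener` is injectable so the request can be built and inspected without
    network access; by default the real HTTPS call is made.
    """
    body = json.dumps({"organizationId": organization_id}).encode()
    request = urllib.request.Request(
        f"{API_BASE}/scans/list", data=body, headers=headers, method="POST"
    )
    with opener(request) as response:
        return json.loads(response.read().decode())


if __name__ == "__main__":
    hdrs = build_headers()
    print("using", redact_for_log(hdrs))  # never print hdrs itself
    print(list_scans(os.environ["ZEROPATH_ORG_ID"], hdrs))
```

Because the client only ever logs the output of redact_for_log, a captured CI log identifies the token (so it can be deleted from Settings → API Tokens) without exposing the secret that would let someone else use it.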

Token Scopes

Tokens are organization-scoped. A token created under a specific organization grants access to all resources within that organization, subject to the same permissions as the user who created it. There is no fine-grained scope selection at token creation time — the token inherits the creating user’s permissions in the organization. In practice this means a token handed to an automated integration carries every permission its creator holds, so create integration tokens from an account that has no more permission in the organization than the integration actually needs, and remember that the token is also what you must delete if that account’s access should be cut off.

Managing Tokens

From the API Tokens settings page, you can:
  • View all active tokens with their names, creation dates, and expiration dates.
  • Delete tokens that are no longer needed or may be compromised.
Tokens cannot be edited after creation. To change a token’s expiration or name, delete it and create a new one.

Token Lifecycle

  • Tokens have a fixed expiration date set at creation (1–365 days).
  • Expired tokens are automatically rejected — there is no automatic renewal.
  • When a token expires, create a new one and update your integrations.
  • Token secrets are cryptographically hashed before storage — ZeroPath never stores the plaintext secret.

Best Practices

  1. Use descriptive names — name tokens after their purpose (e.g., “CI/CD Pipeline”, “VS Code Extension”, “MCP Server”).
  2. Set short expirations — use the shortest practical expiration for your use case.
  3. Rotate regularly — create new tokens and retire old ones on a schedule.
  4. Never commit tokens to source control — use environment variables or a secrets manager.
  5. One token per integration — avoid sharing a single token across multiple systems so you can revoke individually.
  6. Delete compromised tokens immediately — if a token may have been exposed, delete it and create a replacement.