Create API tokens by role and by program
Personal Access Tokens (PATs) are generated from the YesWeHack platform and then used to authenticate an application (or user) against the YesWeHack API with a predefined set of rights, either to read or to modify data.
How to generate a Personal Access Token (PAT)
Note first that only users holding one of the following roles can generate PATs:
Business Unit Owner
Business Unit Manager
Program Manager
If you hold one of the roles above, log in to YesWeHack and open the Personal Access Token management page:
Click “MyYesWeHack tools” in the drop-down or the left-side menu
Then click “Create Token”
A creation form appears, in which you:
Name the PAT
Set its validity period and its extent (i.e. program(s) and type of access)
Select the “Business Unit or Program” and the “Role”
Click on “Create”
⚠️ When you validate the form, make sure to save the newly generated token: it cannot be retrieved afterwards.
From this same menu, you can view all your Personal Access Token(s) to check if they’re still valid and review their associated scopes and roles.
ℹ️ Learn more about roles and permissions here.
PAT’s validity
If you set an expiry date, you will receive a reminder notification 7 days before it expires;
If your membership to a given program (or BU) is revoked, your corresponding PATs will be automatically revoked as well;
You can revoke a PAT at any time.
⚠️ Important:
Mind the role granted to each PAT, as it determines which requests and actions can be performed through the API;
Comments sent on a report will appear under the name of the PAT owner;
Lastly, because traceability matters, actions carried out through the API are flagged as such in your Audit Logs, which also show which Personal Access Token was used.
How to use it
ℹ️ Details are in our API documentation, here.
In a nutshell, to use a PAT you only need to add the following header to your requests: X-AUTH-TOKEN: {personal_access_token}
Here are examples of valid requests using a PAT, with the response each role receives:
You want to retrieve a new report in order to integrate it into your bug tracker.
# REQUEST EXAMPLE:
curl -X GET 'https://api.yeswehack.com/reports/48036' -H 'X-AUTH-TOKEN: YOUR_PAT' -H 'Accept: application/json'
PAT_Business_Unit_Manager:
{
"id":48036,
"local_id":"#YWH-PGM3604-378",
"title":"CVE-1234-1234567 Use After Free (CWE-416) on invoice.yeswehack.com through /user/add/:id via GET parameter param ' GROUP BY table.columnfromerror1, columnfromerror2, columnfromerror(n) HAVING 1=1 -- leads to Account Takeover",
"scope":"yeswehack.com",
"currency":"EUR",
...
}
PAT_Program_Manager:
{
"id":48036,
"local_id":"#YWH-PGM3604-378",
"title":"CVE-1234-1234567 Use After Free (CWE-416) on invoice.yeswehack.com through /user/add/:id via GET parameter param ' GROUP BY table.columnfromerror1, columnfromerror2, columnfromerror(n) HAVING 1=1 -- leads to Account Takeover",
"scope":"yeswehack.com",
"currency":"EUR",
...
}
PAT_Program_Manager_WITHOUT_ACCESS_TO_THIS_PROGRAM:
{
"code":404,
"message":"Not Found"
}
PAT_Program_Viewer:
{
"id":48036,
"local_id":"#YWH-PGM3604-378",
"title":"CVE-1234-1234567 Use After Free (CWE-416) on invoice.yeswehack.com through /user/add/:id via GET parameter param ' GROUP BY table.columnfromerror1, columnfromerror2, columnfromerror(n) HAVING 1=1 -- leads to Account Takeover",
"scope":"yeswehack.com",
"currency":"EUR",
...
}
As the Security Program Manager, I would like to retrieve all new reports from a specific program so I can triage them efficiently.
# REQUEST EXAMPLE:
curl -X GET 'https://api.yeswehack.com/programs/3604/reports?status=new' \
-H 'X-AUTH-TOKEN: YOUR_PAT' \
-H 'Accept: application/json'
PAT_Business_Unit_Manager:
[
{
"id": 58110,
"local_id": "#YWH-PGM3604-410",
"title": "IDOR on /invoices/{id}",
"status": "new",
"severity": "high",
"currency": "EUR",
...
},
{
"id": 58111,
"local_id": "#YWH-PGM3604-411",
"title": "Open redirect on /auth/callback",
"status": "new",
"severity": "medium",
"currency": "EUR",
...
}
]
PAT_Program_Manager:
[
{
"id": 58110,
"local_id": "#YWH-PGM3604-410",
"title": "IDOR on /invoices/{id}",
"status": "new",
"severity": "high",
"currency": "EUR",
...
},
{
"id": 58111,
"local_id": "#YWH-PGM3604-411",
"title": "Open redirect on /auth/callback",
"status": "new",
"severity": "medium",
"currency": "EUR",
...
}
]
PAT_Program_Manager_WITHOUT_ACCESS_TO_THIS_PROGRAM:
{
"code": 404,
"message": "Not Found"
}
PAT_Program_Viewer:
[
{
"id": 58110,
"local_id": "#YWH-PGM3604-410",
"title": "IDOR on /invoices/{id}",
"status": "new",
"currency": "EUR",
...
},
{
"id": 58111,
"local_id": "#YWH-PGM3604-411",
"title": "Open redirect on /auth/callback",
"status": "new",
"currency": "EUR",
...
}
]
As the Bug Tracker Integration Engineer, I would like to post a synchronization message on a report so that my team knows it has been linked to an external tracking system.
# REQUEST EXAMPLE:
curl -X POST 'https://api.yeswehack.com/reports/48036/tracker-message' \
-H 'X-AUTH-TOKEN: YOUR_PAT' \
-H 'Content-Type: application/json' \
-d '{ "message": "Report synced to JIRA-1234" }'
PAT_Business_Unit_Manager:
{
"id": 93872,
"report_id": 48036,
"message": "Report synced to JIRA-1234",
"created_at": "2025-08-08T10:15:00Z",
"author": "PAT Owner",
...
}
PAT_Program_Manager:
{
"id": 93872,
"report_id": 48036,
"message": "Report synced to JIRA-1234",
"created_at": "2025-08-08T10:15:00Z",
"author": "PAT Owner",
...
}
PAT_Program_Manager_WITHOUT_ACCESS_TO_THIS_PROGRAM:
{
"code": 404,
"message": "Not Found"
}
PAT_Program_Viewer:
{
"code": 403,
"message": "Forbidden"
}
As the ASM Product Manager, following a meeting with my infrastructure team, I would like to enable them to automatically add assets to ASM using their own tools.
# REQUEST EXAMPLE:
curl -X POST 'https://api.yeswehack.com/asm/assets' \
-H 'X-AUTH-TOKEN: YOUR_PAT' \
-H 'Content-Type: application/json' \
-d '{ "type": "DOMAIN", "value": "new-asset.yeswehack.com", "program_id": 3604 }'
PAT_Business_Unit_Manager:
{
"id": 845,
"type": "DOMAIN",
"value": "new-asset.yeswehack.com",
"status": "pending_verification",
"program_id": 3604,
...
}
PAT_Program_Manager:
{
"id": 845,
"type": "DOMAIN",
"value": "new-asset.yeswehack.com",
"status": "pending_verification",
"program_id": 3604,
...
}
PAT_Program_Manager_WITHOUT_ACCESS_TO_THIS_PROGRAM:
{
"code": 404,
"message": "Not Found"
}
PAT_Program_Viewer:
{
"code": 403,
"message": "Forbidden"
}
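A minimal client for the bug-tracker flow above, written as an added example (it is not YesWeHack's own SDK or code): it attaches the PAT through the X-AUTH-TOKEN header from "How to use it", performs the report read and the tracker-message post shown above, and turns the 404 and 403 replies from the role matrix into explicit verdicts an integration can log. The `send` parameter, the `YWH_PAT` environment variable and the ticket id are assumptions made for this example.

```python
"""PAT-authenticated YesWeHack API client (added example, not YesWeHack's code).
Sends X-AUTH-TOKEN and maps the role-matrix status codes to named verdicts."""
import json
import os
import urllib.request
from urllib.error import HTTPError

API = "https://api.yeswehack.com"

def build_request(path, token, method="GET", body=None):
    """Attach the PAT via X-AUTH-TOKEN (urllib stores the key as 'X-auth-token')."""
    headers = {"X-AUTH-TOKEN": token, "Accept": "application/json"}
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(API + path, data=data, headers=headers, method=method)

def http_send(req):
    """Default transport: (status, parsed JSON body), also for 4xx/5xx replies."""
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except HTTPError as e:
        return e.code, json.load(e)  # error bodies on this API are JSON too

def classify(status, payload):
    """404: the PAT is not a member of that program; 403: the PAT's role
    (e.g. Program Viewer) may read but not perform this action."""
    if status == 200:
        return "ok"
    if status == 404:
        return "no_program_access"
    if status == 403:
        return "role_forbidden"
    return f"error_{status}: {payload.get('message')}"

def sync_report(report_id, ticket, token, send=http_send):
    """Read a report, then post the tracker message shown above; `ticket` is a
    hypothetical external ticket id supplied by the caller (assumption)."""
    verdict = classify(*send(build_request(f"/reports/{report_id}", token)))
    if verdict != "ok":
        return verdict  # do not post if the token cannot even read the report
    msg = {"message": f"Report synced to {ticket}"}
    req = build_request(f"/reports/{report_id}/tracker-message", token, "POST", msg)
    return classify(*send(req))

if __name__ == "__main__":
    # The PAT comes from the environment (assumed variable name), never hard-coded
    print(sync_report(48036, "JIRA-1234", os.environ["YWH_PAT"]))
```

Injecting `send` lets the role matrix be exercised without network access; in production the default transport is used and the verdict should be written to the integration's own logs alongside the Audit Log entry the platform records.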
Note that PATs for the Bug Tracker are intended to be used with:
ℹ️ To learn more about the BugTracker, you can check out this article.
With Personal Access Tokens, you can handle a wide range of API use cases.
ℹ️ Any question? Need help? Get in touch with our support team: [email protected]