API Personal Access Tokens

Create API tokens by role and by program.

Personal access tokens (PAT) can be easily generated from YesWeHack platform and then used to authenticate any application (or user) on YesWeHack API, with a predefined set of rights, to either access or modify data.

How to generate a Personal Access Token (PAT)

First, let’s note that only users with one of the following role could generate PATs :
- Business Unit Owner
- Business Unit Manager
- Program Manager

If you have one of the above role, once logged in on YesWeHack, you will find a Personal Access Token management page in your '[USERNAME] menu' (top-right) > 'MyYesWeHack tools'.

Then, if you click on ‘Create Token’, a creation form will prompt so you could name the PAT, set its validity period and its extent (i.e. program(s) and type of access).

Now, when you validate the form : be careful and make sure to save the newly generated token, as it won’t be accessible afterwards.

You will find the list of your Personal Access Token(s) from this same menu, to make sure it’s still valid or double check the associated scope(s) and role(s).

Notes regarding PAT’s validity:
- If you set an expiry date, you will receive a reminder notification 7 days before its expiration;
- If your membership to a given program (or BU) is revoked, your corresponding PATs will be automatically revoked as well;
- You may revoke a PAT at any time.

How to use it

You will find some details on our API documentation here
Please note that when you use PAT instead of OAuth2 flow, you shall use ‘api.yeswehack.com’ instead of ‘apps.yeswehack.com’.

In a nutshell, to use PATs, you just need to add the following header in your requests : X-AUTH-TOKEN : {personal_access_token}

Here is an example of valid request with PAT :

Important notes:

  • Mind the type of role granted with your PATs as it will affect the requests/actions you can perform through the API
  • Only requests for the following endpoints can be made :
    • /programs/*
    • /reports/*
  • And lastly, traceability being of utmost importance, actions carried out through the API are identified as so in your Audit Logs and will show which Personal Access Token was used:

With Personal Access Token, you can painlessly manage a large range of API use-cases.

Any question? Need help? Get in touch with our support team : support@yeswehack.com