
Create an API only user

Create an API Only user account that you can use for all plugins or integrations.

Best practice: Add a user account whose only purpose is use with plugins and integrations. Doing so avoids a situation where a user leaves and you delete that user's account; deleting that account would break the plugins and integrations that depend on it.

An API only account does not receive email notifications, even if the notification settings are turned on.

Before you begin

  • An Organization Admin role is required.

  • API Only users can access Contrast's REST API but cannot log in to the Contrast web interface.

  • If you configured your organization to use SAML-based single sign-on (SSO), you can still create an API only user.


To create an API only user:

  1. From the user menu, select Organization settings.

  2. Select Users.

  3. Select Add User.

  4. Enter the user name, email address, and time zone information.

  5. Select the Role.

    Best practice: Select Edit for the Organization role to give the user the least permissive role.

    It is not recommended to give API only users Admin permissions.

  6. Select an Application access group.

    Best practice: Select View or Edit for the Application access group. Depending on the API endpoints you want to call, and if you are trying to GET (read) or POST (write), the API only user might require the higher Edit permission instead of View.

  7. Select the API only checkbox.

    Selecting the API only checkbox overrides the Access option, if it's enabled. API only users have no access to the Contrast web interface.

  8. In Organization Settings > Users, verify that you can see the new user with the API Only label next to the name.

  9. If you are using access groups to restrict access to specific applications, add the API only user to the groups for the applications that you want the API user to access. Verify access by looking at Permissions in the user profile.

  10. To use the API only user account, get the connection strings:

    1. From the user menu, select Organization settings.

    2. Select Users.

    3. Hover over the API only label next to the user's name and copy the displayed Service key.

    4. Create the Authorization header with a command similar to this example:

      echo -n '[email address of the API only account]:[Service Key]' | base64
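As an added example (not from the Contrast documentation), the following POSIX shell function builds the Authorization value from the API only account's email address and Service Key. It uses printf instead of echo -n, which is not portable across shells, and strips newlines because some base64 implementations wrap long input. The email and key values are constructed samples.

```shell
# Build the Authorization header value for a Contrast API only user.
# Input: the account's email address and its Service Key (constructed
# sample values are used below; they are not real credentials).
# The value is base64("<email>:<Service Key>") with no trailing newline
# and no line wrapping, which GNU base64 would otherwise add at 76 chars.
contrast_auth_value() {
  email="$1"
  service_key="$2"
  printf '%s:%s' "$email" "$service_key" | base64 | tr -d '\n'
}

# Round-trip check: decode the value and confirm it is exactly "<email>:<key>".
# Returns 0 on success, 1 if the encoding was corrupted (for example by
# a stray newline from echo or by line wrapping).
contrast_auth_check() {
  decoded=$(contrast_auth_value "$1" "$2" | base64 -d)
  [ "$decoded" = "$1:$2" ]
}

# Usage with constructed sample values; pass the result as the
# Authorization header on each REST request (for example with curl -H).
contrast_auth_value 'api-user@example.com' 'SAMPLE_SERVICE_KEY'
```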