Cobalt API

Includes practical uses for our API.

The pages in this section describe how you can work with the Cobalt platform using our API.

Introducing the Cobalt API

The Cobalt RESTful API gives you access to your assets, pentests, findings, and more. With our API, you can integrate Cobalt into your development and application security workflows—and automate your pentest processes.

Here are some examples of how you can scale your workflows:

  • Retrieve findings that our pentesters discovered during a pentest.
  • Pull findings into your security dashboard to perform a holistic internal analysis.
  • Integrate findings into your data visualization tool for a comprehensive view of your vulnerability and application landscape.

Read our comprehensive API documentation to learn how to send specific API requests and view examples.

Go to API Docs »


To work with the Cobalt API, you need a personal API access token.

Because most API calls are scoped to a specific organization, you also need to include an organization token in a request header.

Format JSON Responses

This document assumes that you can run curl in a command line on your system. You can also set up the REST calls in this book in other API clients such as Postman or Insomnia.

If you run curl from the command line, we recommend that you use the jq command line JSON processor to format output.

Without the | jq ., you may have output that looks like:


If you add a | jq . to the end of your REST call, you may find it easier to read the output:

  "pagination": {
    "next_page": null,
    "prev_page": null
  "data": [
      "resource": {
        "id": "YOUR-ORG-ID",
        "name": "ORG-NAME",
        "token": "YOUR-V2-ORGANIZATION-TOKEN"
      "links": {
        "ui": {
          "url": "URL-WITH-YOUR-PENTESTS"

For your convenience, we include | jq . in all of our sample REST calls that provide actual output.

Create a Personal Cobalt API Token

To authenticate to the Cobalt API, you need an access token.

Get an Organization Token

Learn how to retrieve an organization token using the API.

Revoke Your Personal Cobalt API Tokens

You can revoke API tokens if needed.

Create or Modify an Asset

Run this sequence of REST calls to create an asset.

Retrieve Findings and Import Them to Google Sheets

Learn how to retrieve all findings using the Cobalt API and import them to Google Sheets.

Was this page helpful?

Yes No Create an Issue

Last modified September.09.2023