Create a Personal Cobalt API Token
To authenticate to the Cobalt API, you need an access token.
The pages in this section describe how you can work with the Cobalt platform using our API.
The Cobalt RESTful API gives you access to your assets, pentests, findings, and more. With our API, you can integrate Cobalt into your development and application security workflows—and automate your pentest processes.
Here are some examples of how you can scale your workflows:
Read our comprehensive API documentation to learn how to send specific API requests and view examples.
To work with the Cobalt API, you need a personal API access token. Treat it as a secret equivalent to your login credentials: keep it out of shell history, logs, and version control.
Because most API calls are scoped to a specific organization, you also need to include an organization token in a request header.
This document assumes that you can run curl in a command line on your system.
You can also set up the REST calls in this book in other API clients such as Postman or Insomnia.
If you run curl from the command line, we recommend that you use the jq command line JSON processor to format output. Without | jq . at the end of the command, the response arrives as a single unformatted line:
{"pagination":{"next_page":null,"prev_page":null},"data":[{"resource":{"id":"YOUR-ORG-ID","name":"ORG-NAME","token":"YOUR-V2-ORGANIZATION-TOKEN"},"links":{"ui":{"url":"URL-WITH-YOUR-PENTESTS"}}}]}
If you add | jq . to the end of your REST call, the same output is easier to read:
{
  "pagination": {
    "next_page": null,
    "prev_page": null
  },
  "data": [
    {
      "resource": {
        "id": "YOUR-ORG-ID",
        "name": "ORG-NAME",
        "token": "YOUR-V2-ORGANIZATION-TOKEN"
      },
      "links": {
        "ui": {
          "url": "URL-WITH-YOUR-PENTESTS"
        }
      }
    }
  ]
}
For your convenience, we include | jq . in all of our sample REST calls that provide actual output.
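The authenticated call and the jq extraction described above, as an added example written in Python rather than curl so it can run as a script and be tested offline. This is not code from the Cobalt documentation. The base URL, the /orgs path, and the header names (Authorization: Bearer, X-Org-Token, and the versioned Accept value) are assumptions that this page does not state; confirm them against the API reference before relying on them. The sample response is the one shown above, embedded so that the parsing can be exercised without network access.

```python
"""Added example (not Cobalt's own code): mirror the curl | jq flow in Python.

Assumptions that this page does not state:
  - base URL https://api.cobalt.io and endpoint /orgs
  - personal token sent as 'Authorization: Bearer <token>'
  - organization token sent as 'X-Org-Token: <token>'
  - versioned media type 'application/vnd.cobalt.v2+json' in Accept
"""
import json
import os
import urllib.error
import urllib.request

API_BASE = "https://api.cobalt.io"          # assumption
ACCEPT = "application/vnd.cobalt.v2+json"   # assumption

# The /orgs response shape shown on this page, embedded as a constructed
# sample so the parsing below can be run offline.
SAMPLE_ORGS_RESPONSE = (
    '{"pagination":{"next_page":null,"prev_page":null},"data":[{"resource":'
    '{"id":"YOUR-ORG-ID","name":"ORG-NAME","token":"YOUR-V2-ORGANIZATION-TOKEN"},'
    '"links":{"ui":{"url":"URL-WITH-YOUR-PENTESTS"}}}]}'
)


def auth_headers(personal_token, org_token=None):
    """Build request headers; org-scoped calls add the X-Org-Token header."""
    if not personal_token:
        raise ValueError("personal API token is required")
    headers = {
        "Authorization": "Bearer " + personal_token,
        "Accept": ACCEPT,
    }
    if org_token:
        headers["X-Org-Token"] = org_token
    return headers


def org_tokens_from_response(body):
    """Python equivalent of `| jq -r '.data[].resource.token'` on the /orgs body.

    Returns {organization name: organization token} and fails loudly if the
    response does not have the expected shape (for example an error object).
    """
    doc = json.loads(body)
    items = doc.get("data") if isinstance(doc, dict) else None
    if not isinstance(items, list):
        raise ValueError("unexpected /orgs response: no 'data' list")
    result = {}
    for item in items:
        resource = item["resource"]
        result[resource["name"]] = resource["token"]
    return result


def redact(token):
    """Form of a token that is safe to log: never print the full secret."""
    if len(token) <= 8:
        return "****"
    return token[:4] + "..." + token[-4:]


def cobalt_get(path, personal_token, org_token=None, timeout=30):
    """GET an API path and return the raw response body as text."""
    req = urllib.request.Request(
        API_BASE + path, headers=auth_headers(personal_token, org_token)
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8")
    except urllib.error.HTTPError as exc:
        # 401/403 usually mean a revoked or expired token, or a missing org token
        raise RuntimeError("Cobalt API returned HTTP %d for %s" % (exc.code, path)) from exc


if __name__ == "__main__":
    # Read the personal token from the environment rather than argv so it does
    # not end up in shell history or in `ps` output.
    token = os.environ.get("COBALT_TOKEN")
    if not token:
        raise SystemExit("set COBALT_TOKEN to your personal API token")
    for name, org_tok in org_tokens_from_response(cobalt_get("/orgs", token)).items():
        print("%s -> %s" % (name, redact(org_tok)))
```

Run it as `COBALT_TOKEN=... python3 cobalt_orgs.py`; the organization token it prints in redacted form is the value you then pass as `org_token` to `cobalt_get` for organization-scoped calls. The token is deliberately taken from the environment and only ever printed redacted, which is the same discipline you should keep when pasting the curl commands from this guide into scripts.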