Welcome

CybeDefend is an advanced API designed for application security analysis. It provides a comprehensive solution for managing users, organizations, and projects. With secure authentication and granular permission management, CybeDefend excels in static, dynamic, and Infrastructure as Code security analyses (SAST, DAST, IaC, etc.).

Base URLs

Requests are region-specific. Use the URL matching your organization’s region:
Region  API base URL
EU      https://api-eu.cybedefend.com
US      https://api-us.cybedefend.com

Authentication

All API requests require a valid short-lived JWT Bearer token passed in the Authorization header:
Authorization: Bearer <access_token>
Access tokens are obtained by exchanging a Personal Access Token (PAT) through the CybeDefend identity provider.

Obtaining an Access Token (PAT → JWT)

The exchange is performed against the region-specific authentication domain:
Region  Auth URL
EU      https://auth-eu.cybedefend.com
US      https://auth-us.cybedefend.com
The token exchange requires the CLI application ID (appId). Only the CLI client is authorized to exchange a PAT for an access token — other clients (VS Code, IntelliJ) use a browser-based OAuth flow and have separate app IDs.

Step 1 — Retrieve the CLI Application ID

Fetch the current app IDs for your region:
# EU
curl https://api-eu.cybedefend.com/client-apps

# US
curl https://api-us.cybedefend.com/client-apps
Example response:
{
  "cli": {
    "appId": "fm90ay05zohu8fk2q45ms"
  },
  "vscode": {
    "appId": "r84p1y100lf9hgvoey40c"
  },
  "intellij": {
    "appId": "t40evldybv8uh97gsu7u1"
  }
}
The CLI appId to use:
Region  CLI appId
EU      fm90ay05zohu8fk2q45ms
US      7o6r9cvvi8um0kisvn7hm
These values are provided as a reference. Always verify against the live /client-apps endpoint before using them — the app ID may change between releases.

Step 2 — Exchange Your PAT for an Access Token

Send a POST request to the /oidc/token endpoint of your region’s auth domain, using the urn:ietf:params:oauth:grant-type:token-exchange grant type:
curl -X POST https://auth-eu.cybedefend.com/oidc/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
  -d "client_id=fm90ay05zohu8fk2q45ms" \
  -d "subject_token=YOUR_PAT" \
  -d "subject_token_type=urn:logto:token-type:personal_access_token" \
  -d "resource=https://api-eu.cybedefend.com"
Example response:
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "openid profile email"
}

Step 3 — Call the API

Use the access_token from the response as a Bearer token in all subsequent requests:
curl https://api-eu.cybedefend.com/organizations \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
Access tokens expire after 10 minutes. Repeat the exchange in Step 2 to obtain a fresh token.
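
Steps 1 to 3 as one Python script, added here as an example and not CybeDefend's own client code. The function names, the `CYBEDEFEND_PAT` environment variable and the 30-second refresh margin are assumptions; the `/organizations` response is treated as opaque bytes.

```python
import json, os, time, urllib.parse, urllib.request

REGIONS = ("eu", "us")  # the two regions this page lists
SKEW = 30               # assumed safety margin (seconds) before expiry

def hosts(region):
    """(api_base, auth_base); unknown regions are rejected before any request."""
    if region not in REGIONS:
        raise ValueError(f"unknown region: {region!r}")
    return f"https://api-{region}.cybedefend.com", f"https://auth-{region}.cybedefend.com"

def http_fetch(req):
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()

def cli_app_id(region, fetch=http_fetch):
    """Step 1: take the CLI appId from the live /client-apps response."""
    body = fetch(urllib.request.Request(hosts(region)[0] + "/client-apps"))
    return json.loads(body)["cli"]["appId"]

def exchange_request(region, app_id, pat):
    """Step 2: build the token-exchange POST; the PAT appears only in the body."""
    api, auth = hosts(region)
    form = {"grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
            "client_id": app_id, "subject_token": pat,
            "subject_token_type": "urn:logto:token-type:personal_access_token",
            "resource": api}
    return urllib.request.Request(
        auth + "/oidc/token", data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"}, method="POST")

def parse_token(body, now):
    """Return (access_token, refresh_at), driven by the server's expires_in."""
    doc = json.loads(body)
    if str(doc.get("token_type", "")).lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("unexpected token response")
    return doc["access_token"], now + max(int(doc["expires_in"]) - SKEW, 0)

def list_organizations(region, pat, fetch=http_fetch, now=time.time):
    """Steps 1-3; returns (raw /organizations body, refresh_at for the token)."""
    req = exchange_request(region, cli_app_id(region, fetch), pat)
    token, refresh_at = parse_token(fetch(req), now())
    call = urllib.request.Request(hosts(region)[0] + "/organizations",
                                  headers={"Authorization": f"Bearer {token}"})
    return fetch(call), refresh_at

if __name__ == "__main__":
    # PAT read from the environment (assumed variable name), not argv.
    print(list_organizations("eu", os.environ["CYBEDEFEND_PAT"])[0].decode())
```

The refresh time is computed from `expires_in` in the exchange response, so the script does not depend on a hard-coded token lifetime.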

API Key — Deprecated

API Keys are fully deprecated and no longer functional. The X-API-Key header and all API key-based authentication have been removed. Please use Personal Access Tokens (PAT) as described above.