This document is for:
Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

API Settings Overview

The Invicti Enterprise API lets client applications view and manipulate scan tasks, view issues, create scan agents, and much more. This article explains how to access your API credentials, including your User ID and API Token, and how to reset the API Token. It also provides a quick start guide to help you build and make an API call, along with information about rate limits, status codes, and errors.

Tip: To understand how the APIs work, it is highly recommended that you familiarize yourself with the Invicti workflow for scanning web applications. For more information, refer to Web Application Security Scanning Flow.

Accessing the API documentation

The API documentation is built with the OpenAPI (formerly Swagger) specification. To view all endpoints and parameters, refer to Invicti Enterprise API Documentation.

Base URL

The base URL is https://www.netsparkercloud.com/api/1.0.

The path and query parameters depend on the endpoint of your request. For example, the scan list is reachable with the following API call: https://www.netsparkercloud.com/api/1.0/scans/list.

Authentication

Every call to the API must include your User ID and API Token. You can find both in your user profile. The API authenticates requests with HTTP Basic Access Authentication.

The following is an example using the authentication token through cURL:

curl -u "USERID:API-TOKEN" https://www.netsparkercloud.com/api/1.0/scans/list
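Command-line arguments can show up in the process list and are recorded in shell history, so the sketch below feeds the same credentials to curl over stdin instead. It is an added example, not part of the Invicti documentation; the environment variable names `INVICTI_USER_ID` and `INVICTI_API_TOKEN` and all function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not Invicti code. INVICTI_USER_ID and INVICTI_API_TOKEN are
# assumed environment variable names; the sample values below are constructed.

INVICTI_BASE_URL="https://www.netsparkercloud.com/api/1.0"

# What `curl -u ID:TOKEN` sends: base64 of "ID:TOKEN". That is an encoding,
# not encryption, so only TLS protects the token in transit.
basic_auth_header() {
    printf 'Authorization: Basic %s\n' \
        "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Accept only HTTPS URLs under the documented base URL, so credentials are
# never sent in clear text or to a different host.
check_url() {
    case "$1" in
        "$INVICTI_BASE_URL"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build a curl config for `curl -K -`. Credentials come from the environment
# and travel over stdin, so they never appear in argv or shell history.
curl_config() {
    [ -n "${INVICTI_USER_ID:-}" ] && [ -n "${INVICTI_API_TOKEN:-}" ] || return 1
    check_url "$1" || return 1
    local cred="${INVICTI_USER_ID}:${INVICTI_API_TOKEN}"
    # A quote or backslash would need escaping in curl's config syntax; reject.
    case "$cred$1" in *'"'*|*'\'*) return 1 ;; esac
    printf 'user = "%s"\nurl = "%s"\nproto = "=https"\nfail\nsilent\n' "$cred" "$1"
}

# GET a path such as /account/me. printf is a shell builtin, so the config
# (and the token in it) is not exposed as a process argument.
invicti_get() {
    local cfg
    cfg=$(curl_config "$INVICTI_BASE_URL$1") || return 1
    printf '%s\n' "$cfg" | curl -K -
}

# Constructed sample values, printed to show how little Basic encoding hides.
basic_auth_header "user" "pass"   # Authorization: Basic dXNlcjpwYXNz
```

With the two variables exported, `invicti_get /account/me` performs the same request as the cURL command above.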

How to access your API credentials

  1. Log in to Invicti Enterprise.
  2. Select [Your Name] (top right of the window) > API Settings.
  3. Enter your Current Password.

     Note: If you are using Single Sign-On, Invicti Enterprise displays the API Settings page without asking for your password. If Single Sign-On is enabled but you are still prompted to enter a password on the API Settings page, adjust your Single Sign-On settings:

       • Go to Settings > Single Sign-On.
       • Select the Enforce to authenticate only with single sign-on checkbox.
  4. Click Submit to view your User ID and Token.

How to reset the API token

  1. Log in to Invicti Enterprise.
  2. Select [Your Name] (top right of the window) > API Settings.
  3. Enter your Current Password, then click Submit.
  4. Click Reset API Token.
  5. Select Reset API Token to confirm.

Quick Start Guide

For this quick start guide, we make an API call to /api/1.0/account/me to get details about the user.

Before you can start using the API, you need the following:

  • An Invicti Enterprise account.
  • Your User ID and Token.
  • curl installed on your machine.

How to get your information via an API call

Build your API call

Your API call must have the following components:

  • The base URL: https://www.netsparkercloud.com/api/1.0
  • Authentication: your User ID and Token.
  • A request.

Make the API call

curl -u "User ID:Token" https://www.netsparkercloud.com/api/1.0/account/me
  1. Copy the curl example above.
  2. Open your favorite text editor.
  3. Paste the curl example into the text editor.
  4. Get your User ID and Token. For further information, refer to Authentication.
  5. In the curl example, replace the User ID and Token with your credentials.
  6. Copy the API call that has your authentication information.
  7. Open a command prompt window.
  8. Paste the API call into the command prompt.
  9. Press Enter.

Methods

Invicti Enterprise supports the following methods in API calls:

  • GET — This method is for retrieving information.
  • POST — This method is for creating new resources, updating the status, or deleting.

Rate limits

API endpoints are throttled. All endpoints share the same rate limit, except for the allissues and summary endpoints.

The following table shows the rate limits:

| Throttle Limits | Minute Limit | Hourly Limit | Daily Limit |
|---|---|---|---|
| All endpoints | 200 | n/a | n/a |
| /issues/allissues, /issues/summary | 10 | 600 | 14400 |

Tips and troubleshooting

Invicti Enterprise does not support partial API calls. To update any object, for example, a scan profile object, do the following:

  1. Make a GET request for the scan profile you want to update.
  2. Update parameters.
  3. Make a POST request to update the scan profile with new parameters.

Status codes and errors

| Code | Description | Explanation |
|---|---|---|
| 200 | OK | Success. |
| 201 | Created | The request succeeded and a new resource was created. |
| 400 | BadRequest | The server could not understand the request because of the invalid syntax. |
| 401 | Unauthorized | Access is denied. |
| 403 | Forbidden | The client does not have access rights to the content. It is unauthorized. |
| 404 | NotFound | The server cannot find the requested resource. |
| 429 | Too Many Requests | The user has sent too many requests in a given amount of time ("rate limiting"). |
| 500 | Internal Server Error | The server has encountered a situation it does not know how to handle. |
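The rate-limit table and the status codes above, combined into a client-side policy. This is an added example, not Invicti code: the limits and codes are the ones on this page, while the retry policy, the function names and the `INVICTI_*` variables are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not Invicti code. Limits and status codes come from the
# tables on this page; the retry policy and variable names are assumptions.

# Per-minute request budget for an API path (rate-limit table).
minute_limit() {
    case "$1" in
        /issues/allissues*|/issues/summary*) echo 10 ;;
        *) echo 200 ;;
    esac
}

# Spacing in milliseconds that keeps a steady loop inside the budget.
# 600/hour and 14400/day are the same rate as 10/minute, so pacing to the
# minute limit also satisfies the hourly and daily limits.
pace_ms() {
    echo $(( 60000 / $(minute_limit "$1") ))
}

# Map a documented status code to the client's next step.
next_action() {
    case "$1" in
        200|201) echo ok ;;
        429)     echo wait ;;       # throttled: sit out the window, then retry
        500)     echo retry ;;      # server fault: retry a bounded number of times
        401|403) echo stop-auth ;;  # wrong or reset token, or no rights: do not retry
        *)       echo stop ;;       # 400, 404, others: the request needs fixing
    esac
}

# Run "$@", a command that prints only the HTTP status code (for curl:
# -s -o FILE -w '%{http_code}'), until it succeeds or the policy says stop.
call_with_policy() {
    local tries=0 max="${INVICTI_MAX_TRIES:-4}" code
    while [ "$tries" -lt "$max" ]; do
        tries=$((tries + 1))
        code=$("$@") || code=000
        case "$(next_action "$code")" in
            ok)    return 0 ;;
            wait)  sleep "${INVICTI_WAIT:-60}" ;;
            retry) sleep "${INVICTI_RETRY_WAIT:-5}" ;;
            *)     echo "giving up: HTTP $code" >&2; return 1 ;;
        esac
    done
    return 1
}
```

Stopping on 401 and 403 rather than retrying keeps a script with a stale token, for example after a Reset API Token, from spending the shared per-minute budget on calls that cannot succeed.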
