Authentication
API Keys
WhiteHat APIs use API keys to authenticate requests. Each user account may generate a unique 32-character Web API Key, which is used to authenticate your API requests. You can create, view and manage your API keys in your Sentinel account. The Web API key is intended for use inside the applications that are accessing the API. It is not intended for accessing the API through your browser.
When making a request, failure to provide an API key, or provision of a wrong or outdated key, results in WhiteHat Security returning an error.
Protect your API Key
Your key is the equivalent of a user name and password that gives access to all your vulnerability data. Treat it as carefully as any other password. WhiteHat strongly recommends that you never use your API Key in your browser. It is only intended for use when accessing the API programmatically.
# Obtaining an API Key
There are three methods of obtaining your API key:
- Generating an API key in Sentinel with Sentinel password
- Generating an API key in Sentinel with SSO
- Using an API Call
Generating an API Key in Sentinel with Your Sentinel Password
- Log in to your WhiteHat Sentinel account, using either SSO or your username and password.
- Click on My Profile in the upper right of your Sentinel interface.
- In the My Profile page, select API Key from the three tabs displayed.

- Type your password into the Verify Password text field.
- Click Authenticate to display your key. If you have never requested your API key before, a key will be generated for you.
Generating an API Key in Sentinel with SSO
- Log in to your WhiteHat Sentinel account, using either SSO or your username and password.
- Click on My Profile in the upper right of your Sentinel interface.
- In the My Profile page, select API Key from the three tabs displayed.

- Your account requires additional authentication. Choose either Request Code by SMS or Request Code by Call. Your authentication code will be provided via the option selected.

- Ensure that the confirmation banner is displayed at the top of the screen, which confirms that the code has been sent.
- Once the code is received, type it into the Code field.
- Your key is now displayed in the API Key text field. If you have never requested your API key before, a new key will be generated for you.
Using an API Call
Alternatively, you may use the following API call along with your Sentinel password to request content. If you are using SSO and do not have a Sentinel password, this option is not supported.
PUT /api/user/{userID}/api_key
Regenerating Your API Key
From time to time, it may be necessary to regenerate your existing API key. Repeat the steps listed above to display your existing API key, then click Regenerate API key. Your new API key is displayed.
Using an API Key in Request Headers
With API key auth, you send a key-value pair to the API in the request headers. The following is just one example of how your valid API key can be used to authenticate any request to the WhiteHat Security API.
Example: Using an API Key in Request Headers in Postman
- In your Postman application, click the request Authorization tab.

- Select API Key from the Type dropdown.
- Type your key name into the Key text field.
- Type or paste your API key into the Value text field.
- Select Header from the Add to dropdown.
You can store your values in variables for additional security. Postman will append the relevant information to your request Headers or the URL query string. Refer to the following link for security considerations when working with API keys in Postman:
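A programmatic counterpart to the header-based approach described above, added here as an example and not taken from WhiteHat's documentation. It reads the key from the environment, checks the 32-character length, refuses to place the key in a URL or send it over plain HTTP, and redacts it for logging. The environment variable name, the header name `Example-Key-Name` and the `sentinel.example.invalid` URL are placeholders.

```python
import os
import re
from urllib.parse import urlsplit
from urllib.request import Request

# Assumptions for this example (none of these names come from the page):
KEY_ENV_VAR = "SENTINEL_API_KEY"   # hypothetical environment variable
KEY_HEADER = "Example-Key-Name"    # placeholder for the key name your API expects


def load_api_key(environ=os.environ):
    """Read the key from the environment rather than hard-coding it in source."""
    key = environ.get(KEY_ENV_VAR, "").strip()
    # The page states the key is 32 characters; reject anything else early.
    if not re.fullmatch(r"\S{32}", key):
        raise ValueError(f"{KEY_ENV_VAR} must hold a 32-character API key")
    return key


def redact(key):
    """Log-safe form of the key: only the last four characters stay visible."""
    return "*" * (len(key) - 4) + key[-4:]


def build_request(url, key, method="GET"):
    """Build a request that carries the key in a header, never in the URL."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send an API key over a non-HTTPS URL")
    if key in url:
        raise ValueError("API key must not appear in the URL or query string")
    headers = {KEY_HEADER: key, "Accept": "application/json"}
    return Request(url, method=method, headers=headers)


if __name__ == "__main__":
    # Constructed 32-character sample key, not a real credential.
    sample_env = {KEY_ENV_VAR: "A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6"}
    api_key = load_api_key(sample_env)
    request = build_request("https://sentinel.example.invalid/api/example", api_key)
    # Nothing is sent here; pass `request` to urllib.request.urlopen to call the API.
    print(request.get_method(), request.full_url, "key:", redact(api_key))
```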