Access tokens
An access token is a secure credential used to authorize requests to Semgrep AppSec Platform or the Semgrep API without a username and password. Each token is associated with a specific Semgrep account and has a defined set of scopes that determine the permissions granted to its bearer.
Types of access tokens
Semgrep uses the following types of access tokens:
- API tokens
- CLI tokens
- Service tokens
API tokens
API tokens can be created by admins and are used for calls to the Semgrep API and to set up third-party integrations. For auditing purposes, API tokens are associated with the user who created them. However, they remain valid until manually revoked, even if the creator is no longer associated with the deployment.
CLI tokens
CLI tokens authenticate users who run scans or publish rules from the Semgrep CLI. Both members and admins of a deployment can create CLI tokens. The CLI token allows users to run scans on their local machine using the semgrep ci command. This sends findings data to Semgrep AppSec Platform. It also allows users to publish rules using semgrep publish.
For auditing purposes, Semgrep records the user who generated the CLI token, but the user's actions are attributed to the token rather than the user.
Logging out of the Semgrep CLI with semgrep logout removes the token from the local machine, but it does not invalidate the token. To invalidate it, revoke the token in Semgrep AppSec Platform.
Service tokens
Service tokens are functionally the same as API tokens, but instead of being manually generated by a user, they are automatically generated during repository onboarding for CI/CD scans or when repositories are added to Semgrep AppSec Platform. These tokens authenticate agents running automated scans. The default scope for these tokens is Agent/CI, but admins can edit a token and grant it the API scope as well.
Token scopes
The following table displays the scopes assigned to each token:
| Token | Send findings from a remote repository | Send findings from a local repository | Connect to Semgrep API |
|---|---|---|---|
| API | ❌ No | ❌ No | ✔️ Yes |
| CLI | ❌ No | ✔️ Yes | ❌ No |
| Service (CI) | ✔️ Yes | ✔️ Yes | ❌ No |
The following table displays typical uses for token scopes:
| Token | Use |
|---|---|
| API | Used to access Semgrep's API |
| CLI | Auto-generated by Semgrep when a user logs in through the Semgrep CLI. Use this token to scan your code locally using your organization's configured policies, including private rules. |
| Service (CI) | Generated by Semgrep when onboarding (adding) a repository to Semgrep AppSec Platform. |
View and manage tokens
You can view a list of tokens for your deployment in Semgrep AppSec Platform under Settings > Tokens.
Each token type has its own page that lists all existing tokens of that type. Use the search bar to help find a specific token.
For API tokens, you can use the drop-down menu to view only those tokens associated with specific roles, such as Admin or Member.
For Service tokens, you can use the drop-down menu to view tokens for specific services, such as Semgrep Managed Scans, Click to Fix, or AI Scan.
Create an API token
- Sign in to Semgrep AppSec Platform.
- Go to Settings > Tokens > API tokens.
- Click Create new token.
- Copy the Secrets name and the Secrets value, and save these values. The Secrets value is your token and is shown only at this time.
- Select the Token scopes.
- Optional: change the Name of the token. This is the value used in the list of tokens associated with your Semgrep deployment.
- Click Save to proceed.
Create a CLI token
Once you've set up the Semgrep CLI, create a CLI token by running the following command:
semgrep login
Running this command opens a browser window; you can also use the link printed in the CLI to proceed. In the Semgrep CLI login window, click Activate to proceed.
Edit a token
- Sign in to Semgrep AppSec Platform.
- Go to Settings > Tokens.
- Go to one of the following pages based on the type of token you're interested in: API tokens, CLI tokens, or Semgrep service tokens.
- Find the token, and click Edit.
- In the dialog that appears, change the Token scopes or the displayed Name.
- Click Save to proceed.
Revoke a token
- Sign in to Semgrep AppSec Platform.
- Go to Settings > Tokens.
- Go to one of the following pages based on the type of token you're interested in: API tokens, CLI tokens, or Semgrep service tokens.
- Find the token, and click Revoke.