API tokens issued by the Manifest Platform use a scope-based permission model. When you create a token, you select one or more composite scopes — each of which bundles a set of granular ACL permissions that control what the token can do.
Security best practice: Always request only the minimum scopes necessary for your integration. Tokens are limited in duration and should be rotated regularly. Store tokens securely using environment variables (e.g. MANIFEST_API_KEY) rather than hardcoding them.
Authentication
All API requests require a Bearer token in the Authorization header:
| Scope Name | Identifier | Description | Granular Permissions Granted |
|---|---|---|---|
| | | Upload, enrich, merge, download, and delete SBOMs or VEX documents uploaded by any user in the organization. Also allows setting SBOM active/inactive status. | create:sbom-and-vex, delete:sbom-and-vex |
| Manage assets | manage-assets | Edit component data, change the active status of assets, and add/remove existing labels from assets. | update:asset, update:component |
| Manage labels | manage-labels | Create, apply, and delete labels. Labels can be applied to assets and products. | create:label, update:label, delete:label |
| Import OSS | import-oss | Import open source software repositories for analysis and tracking. | create:sbom-oss |
| Share SBOMs | share-sbom | Share SBOMs to external consumers via email or the portal (if enabled). Users can also merge and share. | create:sbom-share, delete:sbom-share |
| Request SBOMs | request-sbom | Send emails through Manifest to external customers or vendors requesting them to upload an SBOM. | create:sbom-request |
Vulnerability Management
| Scope Name | Identifier | Description | Granular Permissions Granted |
|---|---|---|---|
| Triage vulnerabilities | manage-vulnerability-triage | Set a triage status and scope for a vulnerability on any asset. | |
Each composite scope above maps to one or more granular ACL permissions. Our API documentation lists all available granular permissions, their associated API endpoint, and HTTP method for reference.
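As an added example (not Manifest's own code), the following Python models the composite-scope-to-permission mapping from the tables above and, for the granular permissions an integration actually needs, computes the smallest set of composite scopes to request together with the extra permissions that selection still grants, which is the over-provisioning a least-privilege review should flag; it also builds the Bearer Authorization header from MANIFEST_API_KEY. Rows whose identifier or permission list is not on the page are omitted, and the function names are assumptions of this example.

```python
import os
from itertools import combinations

# Added example, not Manifest's own code. Composite scopes and the granular
# ACL permissions they bundle, copied from the scope tables on this page.
# Rows whose identifier or permission list is not on the page are omitted.
SCOPES = {
    "manage-assets": {"update:asset", "update:component"},
    "manage-labels": {"create:label", "update:label", "delete:label"},
    "import-oss": {"create:sbom-oss"},
    "share-sbom": {"create:sbom-share", "delete:sbom-share"},
    "request-sbom": {"create:sbom-request"},
}


def unknown_permissions(required):
    """Permissions that no composite scope in the catalogue can grant."""
    known = set().union(*SCOPES.values())
    return set(required) - known


def minimal_scopes(required):
    """Smallest set of composite scopes covering `required`, plus the granular
    permissions that selection grants beyond what was asked for (the excess a
    least-privilege review should flag). Brute-force set cover is fine here
    because the scope catalogue is tiny."""
    required = set(required)
    missing = unknown_permissions(required)
    if missing:
        raise ValueError(f"not grantable by any composite scope: {missing}")
    for size in range(len(SCOPES) + 1):
        for combo in combinations(sorted(SCOPES), size):
            granted = set().union(*(SCOPES[s] for s in combo))
            if required <= granted:
                return set(combo), granted - required
    raise AssertionError("unreachable: every known permission is covered")


def auth_header(token=None):
    """Authorization header as the page describes; the token is read from the
    MANIFEST_API_KEY environment variable unless passed explicitly."""
    token = token or os.environ.get("MANIFEST_API_KEY")
    if not token:
        raise RuntimeError("MANIFEST_API_KEY is not set")
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    scopes, excess = minimal_scopes({"create:label", "create:sbom-share"})
    print("scopes to request:", sorted(scopes))
    print("excess permissions granted:", sorted(excess))
```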