API Token Scopes Reference

API tokens issued by the Manifest Platform use a scope-based permission model. When you create a token, you select one or more composite scopes — each of which bundles a set of granular ACL permissions that control what the token can do.

Security best practice: Always request only the minimum scopes necessary for your integration. Tokens are limited in duration and should be rotated regularly. Store tokens securely using environment variables (e.g. MANIFEST_API_KEY) rather than hardcoding them.

Authentication

All API requests require a Bearer token in the Authorization header:

Authorization: Bearer <your-api-token>
Content-Type: application/json

Tokens are generated from Settings → Account → API Tokens in the Manifest app.

Composite Scopes

Core Access

Scope Name	Identifier	Description	Granular Permissions Granted
View all pages and data	`view-all`	Allows read access to all platform data except pages that require additional permissions. Required for all tokens.	`read:vulnerability`, `read:user`, `read:sla`, `read:sbom-share`, `read:sbom-request`, `read:sbom-oss`, `read:sbom-and-vex`, `read:product`, `read:organization-alert`, `read:license`, `read:label`, `read:integration`, `read:enrichment-setting`, `read:custom-vulnerability`, `read:component`, `read:asset-vdr-report`, `read:asset-pdf-report`, `read:asset`, `read:ai-risk-policy`, `read:ai-model-inventory`, `read:ai-model-analysis`, `read:ai-model`

SBOM & Asset Management

Scope Name	Identifier	Description	Granular Permissions Granted
Manage SBOMs and VEX	`manage-sboms-and-vex`	Upload, enrich, merge, download, and delete SBOMs or VEX documents uploaded by any user in the organization. Also allows setting SBOM active/inactive status.	`create:sbom-and-vex`, `delete:sbom-and-vex`
Manage assets	`manage-assets`	Edit component data, change the active status of assets, and add/remove existing labels from assets.	`update:asset`, `update:component`
Manage labels	`manage-labels`	Create, apply, and delete labels. Labels can be applied to assets and products.	`create:label`, `update:label`, `delete:label`
Import OSS	`import-oss`	Import open source software repositories for analysis and tracking.	`create:sbom-oss`
Share SBOMs	`share-sbom`	Share SBOMs to external consumers via email or the portal (if enabled). Users can also merge and share.	`create:sbom-share`, `delete:sbom-share`
Request SBOMs	`request-sbom`	Send emails through Manifest to external customers or vendors requesting them to upload an SBOM.	`create:sbom-request`

Vulnerability Management

Scope Name	Identifier	Description	Granular Permissions Granted
Triage vulnerabilities	`manage-vulnerability-triage`	Set a triage status and scope for a vulnerability on any asset.	`create:vulnerability-triage`, `read:vulnerability-triage`
Manage custom vulnerabilities	`manage-custom-vulnerabilities`	Add and update custom vulnerabilities for the organization's vulnerability database.	`create:custom-vulnerability`, `update:custom-vulnerability`

Products & Reporting

Scope Name	Identifier	Description	Granular Permissions Granted
Manage products	`manage-products`	Modify and delete products, add existing labels, and add/remove existing labels to products.	`create:product`, `update:product`, `delete:product`
Export reports	`export-reports`	Download Asset or Vulnerability Reports and VDRs.	`create:product-vdr-report`
Create tickets	`create-tickets`	Create tickets anywhere a ticketing integration is enabled in the application.	`create:ticket`
Manage licenses	`manage-licenses`	View and manage license data for the organization.	`update:license`

AI Risk

Scope Name	Identifier	Description	Granular Permissions Granted
Manage AI model inventory	`manage-ai-model-inventory`	View and add AI models to the model inventory.	`update:ai-model-inventory`
Manage AI model requests	`manage-ai-model-requests`	View, create, and approve or reject model inventory requests.	`create:ai-model-request`, `update:ai-model-request`
Manage AI model analyses	`manage-ai-model-analyses`	View and create AI model analyses.	`create:ai-model-analysis`
Manage AI risk policies	`manage-ai-risk-policies`	View and modify AI Policies set by the organization.	`update:ai-risk-policy`

Organization Administration

⚠️
Warning: The following scopes grant elevated privileges. Assign only to tokens used by trusted, administrative workflows.

Scope Name	Identifier	Description	Granular Permissions Granted
Manage settings	`manage-settings`	Manage all organization-level settings, upload settings, SLAs, alerts, and the sharing portal.	`update:policy`, `create:policy`
Manage people	`manage-people`	Invite, edit, and revoke access for other users.	`create:user`, `read:user`, `update:user`, `delete:user`
Manage sub-organizations	`manage-sub-organizations`	View, create, edit, and delete sub-organizations under a parent organization. Applicable only for parent orgs.	`create:sub-organization`, `read:sub-organization`, `update:sub-organization`, `delete:sub-organization`

Granular Permission Reference

Each composite scope above maps to one or more granular ACL permissions. Our API documentation lists all available granular permissions, their associated API endpoint, and HTTP method for reference.

API Docs: api-docs.manifestcyber.com
View all permissions in the platform: app.manifestcyber.com/settings/account/api-tokens/create

Common Integration Patterns

The following scope combinations are recommended for common API use cases:

Use Case	Recommended Scopes
CI/CD SBOM upload	`view-all`, `manage-sboms-and-vex`
Read-only vulnerability reporting	`view-all`, `export-reports`
Custom vulnerability ingestion	`view-all`, `manage-custom-vulnerabilities`
Vulnerability triage automation	`view-all`, `manage-vulnerability-triage`
AI model tracking (MAIS plugin)	`view-all`, `manage-ai-model-inventory`, `manage-ai-model-analyses`
Full admin / programmatic org management	All scopes (admin tokens only)

Related Resources

Getting Started: Manifest API
Managing API Tokens
Managing Roles
Full REST API Reference

Updated 1 day ago