Managing API Tokens
Notice as of August 11, 2025: Manifest is transitioning to user-level tokens. Organization-level tokens will be fully deprecated after the last org-level token expires for users.
Creating a New API Token
- Go to Settings -> Account -> API Tokens
- Click the "Create new token" button in the top right.
- Fill in your token details:
  - Token name (please note that this must be a unique name)
  - Description (optional)
  - Scope selection
  - Expiration length
    - All Manifest API tokens expire within 1 year. We highly recommend setting the expiration time to less than 3 months for security reasons. Reminders will be sent to your email as the expiration date approaches.
- Click "Create" to generate your token, and make sure to save it immediately.
Copy your API token immediately and store it securely - you won't be able to see it again after leaving this screen.
Using Your API Token
Once you've created your token, you can use it to:
- Authenticate the Manifest CLI
- Set up GitHub Actions
- Configure automated SBOM and AIBOM workflows using our APIs: https://api-docs.manifestcyber.com/
For security reasons, we recommend that each integration use its own unique API token so you can track and manage access individually.
FAQs
- What happens to my tokens if my role changes?
  If a role is downgraded in permissions, the user's tokens will be deleted for security reasons.
- How do I upload an SBOM to a specific sub-organization?
  1. Generate a unique API token for each sub-organization you have access to.
  2. Use that token when making requests for the corresponding sub-organization.
  👉 Using tokens this way removes the need to pass a (sub)organization ID as a parameter.