Managing API Settings

The Non-Employee Risk Management API allows you and your applications to leverage product features programmatically. For example, you can use the API to support application integrations or to upload profile data.

You can use personal access tokens and API keys to allow API clients to integrate with Non-Employee Risk Management. To access the APIs, go to the SailPoint Developer Community.

Important

Personal Access Tokens in Non-Employee Risk Management provide enhanced security and are recommended instead of API keys. Tenants created after June 2025 will be required to use Personal Access Tokens generated within ISC.

Authenticate Using a Personal Access Token

A personal access token is a set of user credentials that an API client can use to connect to Non-Employee Risk Management. Tokens improve integration security by replacing the need to store the user's username and password in your client application.

Non-Employee Risk Management authenticates personal access tokens against their user permissions. Only Non-Employee Risk Management Admin users are authorized to access the Non-Employee Risk Management API.

For more information about personal access tokens, refer to the SailPoint Developer Community.

Notes

  • API calls made with a user's personal access token must follow the network and trusted geography requirements defined in their Identity Security Cloud identity profile.
  • Personal access tokens created within Identity Security Cloud are valid for a maximum of 6 months regardless of the last used date, and are automatically deleted once expired.

Generating a New Personal Access Token

To create a personal access token:

  1. Within Identity Security Cloud, select Preferences from the dropdown list under your username.

  2. Select Personal Access Tokens from the left menu and select New Token.

    Note

    Each user can have up to 10 personal access tokens.

  3. Specify where this token will be used in the What is this token for? field. This can help you recognize when a token is no longer needed and can be deleted from Identity Security Cloud.

  4. Do not select a scope. The default scope will be assigned.

  5. Select Create Token at the bottom of the window to generate and view the Secret and the Client ID.

    Important

    Copy and save the Secret and Client ID values before you close this panel. Otherwise, you will have to delete the token and create a new one since these values cannot be retrieved later.

  6. Save the Secret and Client ID somewhere safe.

You can now use this personal access token. For additional guidance on managing Personal Access Tokens in Identity Security Cloud, refer to Managing Personal Access Tokens.
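One way to track the lifecycle limits stated above (6-month maximum validity, 10 tokens per user, a recorded purpose for each token), as an added example that is not part of SailPoint's documentation or tooling. The inventory format, field names and sample records are constructed; the script assumes "6 months" means calendar months from the creation date, and it stores labels and dates only, never the Secret.

```python
from collections import Counter
from datetime import date, timedelta

MAX_VALID_MONTHS = 6      # from the page: valid for a maximum of 6 months
MAX_TOKENS_PER_USER = 10  # from the page: up to 10 tokens per user


def add_months(d, months):
    """Shift d by whole calendar months, clamping the day (Aug 31 -> Feb 28)."""
    carry, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + carry, m + 1
    # Last day of the target month = day before the 1st of the next month.
    first_of_next = date(year + (month == 12), month % 12 + 1, 1)
    last_day = (first_of_next - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def audit(inventory, today, warn_days=30):
    """Return (subject, finding) tuples for a list of token records."""
    findings = []
    live_per_owner = Counter()
    for rec in inventory:
        # Assumption: expiry is counted from creation, not from last use.
        expires = add_months(rec["created"], MAX_VALID_MONTHS)
        days_left = (expires - today).days
        if days_left < 0:
            # Expired tokens are deleted automatically, so the client breaks.
            findings.append((rec["id"], "expired: issue a new token"))
            continue
        live_per_owner[rec["owner"]] += 1
        if days_left <= warn_days:
            findings.append((rec["id"], f"rotate: expires in {days_left}d"))
        if not rec["purpose"].strip():
            findings.append((rec["id"], "no purpose recorded"))
    for owner, count in live_per_owner.items():
        if count >= MAX_TOKENS_PER_USER:
            findings.append((owner, "at token limit"))
    return findings


# Constructed sample inventory (hypothetical ids and owners, no secrets).
SAMPLE = [
    {"id": "pat-hr-sync", "owner": "admin.a",
     "created": date(2025, 1, 10), "purpose": "HR profile upload"},
    {"id": "pat-legacy", "owner": "admin.a",
     "created": date(2024, 6, 1), "purpose": "old integration"},
    {"id": "pat-test", "owner": "admin.b",
     "created": date(2025, 5, 20), "purpose": ""},
]
```
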

Authenticate Using an API Key

An API key is a set of user credentials that an API client can use to connect to Non-Employee Risk Management.

Important

Personal Access Tokens in Non-Employee Risk Management provide enhanced security and are recommended instead of API keys. Tenants created after June 2025 will be required to use Personal Access Tokens generated within ISC.

Generating a New API Key

You can generate multiple API keys to fulfill individual use cases, making it easier to track API activity.

To manage and review API activity and keys:

  1. Within Non-Employee Risk Management, go to Admin > System > Api in the left navigation.

    The KEYS and SETTINGS tabs are displayed.

  2. Select + Api Key.

  3. In the Name field, enter a unique name for the key and select create.

    A token is automatically generated and the key appears in the list of API keys. All API keys are displayed here, regardless of the admin who created them.

Managing Existing API Keys

You can update the names of existing API keys, delete them, or view their transaction history from the list of API keys.

To manage existing API keys:

  1. Within Non-Employee Risk Management, go to Admin > System > Api.

  2. To edit a specific API key, select the name of the key you want to edit.

    The INFO tab is displayed.

  3. To edit the API key's name, update the information in the Name field and select save.

  4. To review authentication requests submitted to the API gateway using this key, select the TRANSACTIONS tab.

    GET requests are not listed in this tab because they do not alter data.

Deleting an API Key

You can delete an API key if it is no longer needed.

To delete an API key:

  1. Within Non-Employee Risk Management, go to Admin > System > Api.

  2. Select the checkbox beside each key you want to delete.

  3. Select the ellipsis icon and select Delete.

  4. Select Delete. Your API keys and their transaction histories are permanently deleted.

Updating API Security Settings

You can specify the IP addresses that can make API requests for your environment.

To update your API's security settings:

  1. Within Non-Employee Risk Management, go to Admin > System > Api.

  2. Select the SETTINGS tab.

  3. Under IP WHITELIST, in the Permitted ips section, enter an IP address that should be allowed to make API calls.

  4. Select the Add to list icon.

  5. Repeat steps 3 and 4 until the Permitted ips list contains all IP addresses that should be allowed to access your environment's APIs.

    Select the Delete icon beside an IP address to remove it from the list.

  6. Select save.
