API Reference

Publication date: 2025-06-19

Unlock programmatic access to your BaseFortify data and threat intelligence.

What Is It?

The BaseFortify OAuth2 REST API gives developers secure, direct access to your infrastructure and vulnerability data. It supports full Authorization Code and Refresh Token flows for integrating BaseFortify with your own dashboards, scripts, or automation pipelines. All responses are returned as clean, standards-compliant JSON over HTTPS.

Automate node provisioning, synchronize your component inventory, or track vulnerability changes across your organization — all without logging into the web interface.

Who Can Use It?

Every registered BaseFortify customer can use the API. Public /health endpoints require no authentication, while all other routes require either a valid session or an OAuth2 Bearer token. Tokens can be generated directly from your BaseFortify account or dynamically via the OAuth2 /authorize and /token endpoints.

Key Endpoints

  • Authorize (POST /api/v1/auth/authorize) — begin an OAuth2 authorization code flow
  • Token (POST /api/v1/auth/token) — exchange authorization codes or refresh tokens for access tokens
  • Nodes — create, list, and manage your BaseFortify nodes
  • Components — register, track, and update software or hardware items
  • Threats — view, update, and archive detected vulnerabilities
  • Profile (GET /api/v1/auth/profile) — retrieve user and scope details for an active token
  • Health — check service availability for each API group

Base URL & Versioning

All calls begin with this prefix:

https://api.basefortify.eu/api/v1/

For example, GET /api/v1/auth/health returns basic metadata about the authentication service.

Authentication

Include your access token in the Authorization header for protected endpoints:

Authorization: Bearer <your-access-token>

Tokens are issued per user and expire automatically. Use refresh tokens to renew access without manual intervention. Client registration and token issuance follow the OAuth2 specification, ensuring compatibility with existing tools.
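
The renewal described above, as an added example that is not BaseFortify's own code: a small token manager that refreshes the access token shortly before it expires, keeps a rotated refresh token when the server returns one, and builds the Bearer-authenticated profile request. The request and response field names (grant_type, refresh_token, access_token, expires_in) and the form encoding are assumed from RFC 6749, not taken from this page; TokenManager and its parameters are hypothetical names.

```python
import json
import time
import urllib.parse
import urllib.request

BASE_URL = "https://api.basefortify.eu/api/v1/"   # prefix given on this page
TOKEN_URL = BASE_URL + "auth/token"               # POST /api/v1/auth/token


def http_post_form(url, fields):
    """Default transport: form-encoded POST over HTTPS, returns parsed JSON."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenManager:
    """Keeps a valid access token, renewing it with the refresh token."""

    def __init__(self, client_id, client_secret, refresh_token,
                 post=http_post_form, clock=time.time, skew=30):
        self.client_id, self.client_secret = client_id, client_secret
        self.refresh_token = refresh_token
        self.post, self.clock, self.skew = post, clock, skew
        self.access_token, self.expires_at = None, 0.0

    def _refresh(self):
        # Field names follow RFC 6749 section 6 (assumed, not from the page).
        reply = self.post(TOKEN_URL, {
            "grant_type": "refresh_token",
            "refresh_token": self.refresh_token,
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        })
        self.access_token = reply["access_token"]
        self.expires_at = self.clock() + float(reply.get("expires_in", 0))
        # If the server rotates refresh tokens, keep the new one.
        self.refresh_token = reply.get("refresh_token", self.refresh_token)

    def auth_header(self):
        """Return the Authorization header, refreshing `skew` seconds early."""
        if self.access_token is None or self.clock() >= self.expires_at - self.skew:
            self._refresh()
        return {"Authorization": "Bearer " + self.access_token}

    def profile_request(self):
        """Build (not send) GET /api/v1/auth/profile with the bearer token."""
        return urllib.request.Request(BASE_URL + "auth/profile",
                                      headers=self.auth_header(), method="GET")
```

Load client_secret and the refresh token from a secret store or environment variable rather than source code, and persist the rotated refresh token so a restart does not reuse a stale one.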

Getting Started

  1. Log in to your BaseFortify account (or create one).
  2. Register an API client under User Settings → API Clients.
  3. Use your client_id and client_secret to request tokens via the OAuth2 flow.
  4. Explore the interactive API documentation for live examples and schemas.

Development Notes

  • Tokens are persisted securely in our backend database, never exposed to third parties.
  • Each client can define scopes to limit access to specific resource groups.
  • OAuth2 refresh tokens can be revoked or rotated per user for compliance or incident response.
  • The API is designed for both automation and third-party integration—ideal for monitoring, auditing, and reporting pipelines.

Why It Matters

The BaseFortify API makes your vulnerability intelligence portable and actionable. Integrate findings directly into your CMDB, SIEM, or ticketing workflows. Build dashboards that reflect your real-time exposure, or automate mitigation tasks through custom scripts.

Built entirely in-house and hosted in Europe, the API runs independently of large tech ecosystems — ensuring privacy, transparency, and control over your organization’s data.