Generate an API Token

1. Log in to the Apono App or User Portal.

2. Click the Profile icon in the bottom left corner.

3. Click Settings and then Personal API Token to view your API tokens.

1. Click the Add API Token button to generate a new token.

2. Give the new token a name and click Generate New Token.

Use the API Token

When using any Apono API endpoint, you will be asked to authenticate with one of your tokens. Add this to your request header:

If you are accessing endpoints under the /user/ path, the end user must generate the authenticated token. These endpoints are designed for actions that reflect the permissions and context of the individual user making the request.

To enable API token generation for end users, please contact Apono Support at [email protected].

This capability must be explicitly enabled for your organization before end users can generate their tokens.

Identity attribute types define how Apono identifies and evaluates identities in access flows. These types represent built-in identities (like users or groups) or custom attributes integrated from context integrations.

The available types vary depending on your account configuration and connected identity sources. To view the exact list of supported types, run the discovery script below.

As part of the continuous development of Apono’s Public API, we are introducing new Admin and End User endpoints.

Why Should You Try It Out?

We’ve released new API endpoints designed to bring greater alignment with Apono’s platform capabilities. These improvements make it easier to automate access management and use Apono.

Key Improvements

Access Management

Access Flows

• Support for advanced access flows with richer logic for requestors, approvers, and new settings aligned with what’s available in Apono’s UI, so you can replicate complex access governance policies entirely via API.

Access Scopes

• Access Scopes Support: Define and use access scopes directly within bundles and access flows, allowing you to save and use dynamic, reusable groups of resources.

RBAC User Roles Representation

• User roles in API responses now match Apono’s native role-based access control (RBAC) model, helping you to enforce role-based access and approval policies programmatically.

Apono Group Management

• Query, create, delete, and search Apono groups, removing the need for manual group setup or user assignment in your access flows.

End-User Access Requests

• Enable self-service access request workflows by giving admins the ability to extend access capabilities to their end users. This allows you to build internal tools or automation that enable users to independently request, manage, and track access.

Improved Usability

Flexible Name-Based Filtering

• Use GET requests to filter objects based on names

• Filter expressions now support: contains, starts with, and ends with for all name fields. This enables more intuitive searches, like name=*prod* to look for all prod instances.

Name-Based Object Creation

• Apono’s objects (like Access Flows and Bundles) can now be created using object names instead of IDs, simplifying scripting and automation by eliminating the need for extra lookups.

Human-Readable API Responses

• API responses now include both IDs and corresponding names. This makes responses easier to interpret, debug, and integrate into tools without additional lookups.

Better Documentation

• Comprehensive documentation accompanies all new endpoints, making implementation and troubleshooting faster and easier.

How to Identify New Endpoints

You can identify new endpoints by the following characteristics:

• Versioning: Paths include higher version numbers (e.g., /v2, /v3, /v4) reflecting new functionality.

• Path Prefixes: Look for new path prefixes like: /admin/ and /user/

List of New Endpoints

Access Flows:

• GET

• POST

• GET }

Bundles:

• GET

• POST

• GET }

Access Scopes:

• GET

• POST

• GET }

Connectors:

• GET

• GET }

• PUT }

Integrations:

• GET

• POST

• GET }

Groups:

• GET

• POST

• GET }

Users:

• GET

• GET }

Available Access:

• GET

• GET

Access Request:

• GET

• POST

• GET

Access Session:

• GET

• GET

• GET

Overview

Welcome to the Apono Public API reference! This guide will help you start integrating Apono into your workflows. Using the API, you can easily create Access Flows, add Integrations, create and manage access requests, export activity logs, and more.

Getting Started

All API requests are made over HTTPS and must be authenticated. Responses are returned in JSON format.

Authentication

Apono’s API uses token-based authentication. To authenticate, include the following header in each request:

If authentication is not provided or fails, a 401 "Unauthorized" response will be returned.

You can create and manage your API tokens on the API Tokens page of your Apono app or user portal. Refer to API Authentication for step-by-step instructions on generating your API tokens.

Base URL

All requests should be made to the following base URL:

Headers

Include the following headers with all API calls:

OpenAPI Specification

For teams that want to integrate Apono’s API into internal tools, generate client SDKs, or validate request structures, we provide a full OpenAPI (Swagger) spec.

(You can import this directly into tools like Postman, Insomnia, or Swagger UI.)

Support

Need help? Reach out to us at

Next Steps