Skip to content

API Credentials Management

You can manage and add credentials for Sophos Central Admin.

You must be a Super Admin to manage and add API credentials.

You can use Sophos APIs to manage users, endpoints, alerts, and security settings. You can also perform forensic analysis.

We use roles to allow you to control what API users can do. You assign a role to a set of API credentials when you create them. This controls what users using those credentials can do. We recommend giving API users and applications only the level of access they need. You should keep their access as specific as possible.

Roles with management permissions allow users to use APIs to do the following:

  • Query, create, update, and delete users and user groups.
  • Query and deal with alerts.
  • Query endpoints and perform actions on them, such as run a scan.
  • View and change endpoint protection global settings.

Roles with forensic permission allow users to use the API to run predefined or custom Live Discover queries on selected endpoints.


The first time you click API Credentials Management you must read and accept the terms and conditions of use.

To add credentials, do as follows:

  1. Go to My Products > General Settings > API Credentials Management.
  2. Click Add Credential and give the credential a name and description.
  3. Choose which role you want to assign. Choose from the following roles:

    • Service Principal Super Admin: Users with this role can perform all API operations with full CRUD (Create Read Update Delete) capabilities and have access to queries.
    • Service Principal Management: Users with this role can view and manage admins, roles, endpoints, and security policies but can't run or view queries.
    • Service Principal Forensics: Users with this role can create, view, run, and delete Live Discover queries.
    • Service Principal Read-Only: Users with this role can view all information in the account but can't add, modify, or remove information. They can't run Live Discover queries.
    • Service Principal Active Directory Sync: Users with this role can perform Active Directory synchronization. They can't do anything else. You must use this role for synchronizing with Active Directory.
    • Service Principal Firewall: Users with this role can manage Firewalls. They can't do anything else. We recommend you use this role for managing Firewalls.

    API Credentials.

  4. Click Add.

    This generates the credential, together with a Client ID and a Client Secret.

  5. Copy the Client ID and Client Secret.


    You can only see the Client Secret once.

To delete an API credential, select it in API Credentials Management and click Delete.