Skip to content

API Credentials Management

You can manage and add credentials for your sub-estates.


You must be an Enterprise Super Admin to manage and add API credentials.

You can use Sophos APIs to manage users, endpoints, alerts, and security settings. You can also perform forensic analysis.

We use roles to allow you to control what API users can do. You assign a role to a set of API credentials when you create them. This controls what users using those credentials can do.

Roles with management permissions allow users to use APIs to do the following:

  • Query, create, update, and delete users and user groups.
  • Query and deal with alerts.
  • Query endpoints and perform actions on them, such as run a scan.
  • View and change endpoint protection global settings.

Roles with forensic permission allow users to use the API to run predefined or custom Live Discover queries on selected endpoints.

You can also see an API credential's details on the API Credentials Management page, such as the date it was created, the date it was last used, and the date it expires.


The first time you click API Credentials Management you must read and accept the terms and conditions of use.

Add credentials

To add credentials, do as follows:

  1. Go to Settings & Policies > API Credentials Management.
  2. Click Add Credential and give the credential a name and description.
  3. Choose which role you want to assign. Choose from the following roles:

    • Service Principal Super Admin: Users with this role can perform all API operations with full CRUD (Create Read Update Delete) capabilities and have access to queries.
    • Service Principal Management: Users with this role can view and manage admins, roles, endpoints, and security policies but can't run or view queries.
    • Service Principal Forensics: Users with this role can create, view, run, and delete Live Discover queries.
    • Service Principal Read-Only: Users with this role can view all information in the account but can't add, modify, or remove information. They can't run Live Discover queries.

    We recommend giving API users and applications only the level of access they need. You should keep their access as specific as possible.

    API Credentials.

  4. Click Add.

    This generates the credential, together with a Client ID and a Client Secret.

  5. Copy the Client ID and Client Secret.


    You can only see the Client Secret once.


You won't receive an alert when an API credential expires. When it's expired, you can't use it to authenticate to Sophos APIs, and it's automatically removed from Sophos Central. You must create a new API credential to resolve access interruption because of an expired API credential.

To delete an API credential, select it in API Credentials Management and click Delete.