Generating Authentication Tokens

You can generate authenticationClosedIdentity verification, typically with passwords. Authentication precedes authorization. tokens from either the ADMINISTRATION view in Fortify Software Security Center, or from the command-line interface. Only you can see the details of your tokens. The Fortify Software Security Center administrator can extend the life of the tokens you create. but cannot see detailed information about your tokens.

Note: Be aware that you can create a token of any type, but if you do not have the permission required to perform the action that the token is designed to perform, you will not be able to use the token.

Generating a Token from the ADMINISTRATION View

To generate an authentication tokenClosedUnique keys that enable users to automate actions within Fortify Software Security Center without using passwords. The user requests a token, authenticates to the Fortify Software Security Center server, and receives back a string that is permissioned for a small set of time-limited actions. Fortify Scan Analytics also generates authentication tokens that are required to configure a connection between Scan Analytics and Fortify Software Security Center. from the Fortify Software Security Center user interface:

  1. On the Fortify page header, select ADMINISTRATION.
  2. In the left panel of the ADMINISTRATION view, expand the Users section, and then select Token Management.
  3. On the Token Management toolbar, click NEW.

    The Create Token dialog box opens.

  4. From the Token Type list, select the type of token you want to create.

    To see a list of available token types, see the table in Generating a Token from the Command Line.

    The Create Token dialog box displays a description of the selected token type in the right panel.

  5. Use the Expiration calendar control to specify the date on which the token is to expire. (The expiration time is set to the current time on the specified date.)

    Note: By default, the expiration date value is set to the maximum number of days to live for the selected token type. You can set this to an earlier date to give the token a shorter life. You can also extend the life of the token later.

  6. In the Description box, type a description of the intended use of the new token.
  7. Click SAVE.

    The Create Token dialog box displays a message to let you know the token was successfully created.

  8. At the bottom of the message, copy either the encoded or decoded token string and save it. (Software Security Center will not display these again.)
  9. Click CLOSE

The Token Management page now lists the new token.

Generating a Token from the Command Line

To generate a token from the command line, run the following:

fortifyclient token -gettoken <token_name> -url SSC_URL -user USERNAME ‑password

The following table lists the available token_name options.



AnalysisDownloadToken Download merged result files


Upload scan results to Fortify Software Security Center and list applications


Load details about current security issues and apply analysis tags

CIToken Enables integration of Software Security Center with continuous integration plugins
CloudCtrlToken Obsolete - replaced with ScanCentralCtrlToken
CloudOneTimeJobToken Obsolete - replaced with ScanCentralOneTimeJobToken
DownloadFileTransferToken Typically created programmatically by automation scripts using the /fileTokens endpoint to support a file download within an authenticated sessionClosedA session is a matched set that contains both the client request and server response. For Internet applications, each session is associated with a particular port.
PurgeProjectVersionToken Provides the capability to programmatically request a list of all applicationClosedA customer codebase evaluated by Fortify software. The top-level container for one or more application versions. When you work with a new codebase, the application and first application version are automatically created. An application includes one or more application versions that users create and configure. versions, and to purge application versions from Fortify Software Security Center
ReportFileTransferToken Typically created programmatically by automation scripts using the /fileTokens endpoint to support downloading an existing report within an authenticated session


Enables users to:

Request list of saved reports

Request saved report based on the report ID

Delete saved reports

Return list of saved reports associated with a specific application versionClosedA particular iteration of the analysis of a codebase as it applies to Fortify Software Security Center. An application always begins with a first version. An administrator adds new versions, as needed.

Generate new reports


For ScanCentral communications using the Fortify ScanCentralClosedFortify ScanCentral is a set of components (the Controller, clients, and sensors) that enable users to better manage their resources by offloading the processor-intensive scanning phase of code analysis from their build machines to a cloud of machines provided for this purpose. CLI tools


Single-use token specification typically created programmatically by the ScanCentral clientClosedA build machine that uses Fortify Static Code Analyzer to translate code and generate a mobile build session (MBS) file. The MBS is uploaded to the ScanCentral Controller. The interface for issuing ScanCentral commands is installed on the build machine and is used to create an MBS, and communicate your intentions to the ScanCentral Controller.

UnifiedLoginToken Enables access to most of the REST API. It is intended for short-run automations that last less than a day
UploadFileTransferToken Typically created programmatically by automation scripts using the /fileTokens endpoint to support a file upload within an authenticated session
VSTSExtensionToken Multi-use token specification used by the Fortify Azure DevOps extension to upload FPR(s) to Fortify Software Security Center and, optionally, submit a scan to Fortify ScanCentral.
WIESystemToken Internal token specification created programmatically by Fortify WebInspect EnterpriseClosedA distributed network of Fortify scanners controlled by a system manager with a centralized database. Fortify WebInspect Enterprise may be installed as stand-alone or integrated with Fortify Software Security Center, where it provides Fortify Software Security Center with information detected through dynamic scans of Web sites and Web services.. (Not for individual use.)
WIEUserToken Internal token specification created programmatically by Fortify WebInspect Enterprise. (Not for individual use.)

Authentication tokens are defined at runtime in WEB-INF/internal/serviceContext.xml.

See Also

Specifying DaysToLive for fortifyclient Authentication Tokens.