Bugfender exposes an API so that you can make your own queries programmatically instead of using our dashboard.
Here are some ideas on how our customers are using our API:
Build custom reports on business metrics
Copy logs over to an Elasticsearch instance to correlate them with other events in the internal network
Download all logs for archiving purposes
Display logs of a user in their customer support portal
Build security analytics
Please note the API access is only available in some plans.
Access types
You can access the API in two ways, depending on what you want to build:
Service account: a user account meant to be used by machines. A service account acts on its own behalf, meaning it is similar to a human user account: it will appear in your team members list and you can give it permission to access specific applications in your team. This type of access is ideal when you want to interact programmatically with Bugfender by enabling/disabling devices, downloading logs, etc. A service account can only be used within the team that created it.
Integration: meant to extend the functionality of Bugfender for existing users. An integration doesn't have its own user account; instead, it acts on behalf of a human user. The creator of the integration doesn't need to give permissions; instead, the users of the integration give permissions when using it for the first time. This type of access is ideal when you want to make an extension of Bugfender to be used by potentially any Bugfender user.
API access request
You will need a Client ID and Client Secret to use our API. Please get in touch with customer support to get yours.
For Integrations, you will need to provide the redirect_uri. This is the URL of your server that will receive the authorization codes, whenever a user authorizes your application into their account.
For Service Accounts with JWT authentication option (high security), you will need to provide a public key. You can generate a key pair with OpenSSL like this:
openssl genrsa -out private-key.pem 2048
openssl rsa -in private-key.pem -pubout -out public-key.pem
For Service Accounts with client secret authentication (medium security), you only need to specify this is the option you want.
API access can only be requested by an account owner or administrator.
Authentication for Service Accounts (medium security)
Service accounts with Bugfender use the OAuth 2.0 client credentials grant for authentication.
Please note the application secret acts as a sort of password for the application. This is a static credential, and therefore is not adequate for teams who want strong security. This method is unavailable for teams that have the "Require 2FA" setting enabled.
Here is how you get an access token:
curl -i -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=client_credentials&client_id=xxx&client_secret=xxx" https://dashboard.bugfender.com/auth/token
This will produce an output like this:
{"access_token":"9e885e76-c0dc-4c09-bad6-f700b41ffd05","token_type":"bearer","expires_in":3600}
See the Using the API section below to use the token you just got to access the API.
If you're familiar with OAuth 2.0 you may notice there is no refresh token; when your access token expires you will need to repeat this process to get a new access token.
Authentication for Service Accounts (high security)
Service accounts with Bugfender use the OAuth 2.0 client credentials grant for authentication, with JWT for client assertion.
This authentication method is based on a private key, which is never shared with Bugfender, so it is deemed appropriate for higher security application authentication. This authentication method can be combined with an IP address allowlist, which makes it a second authentication factor for your application.
If you are not familiar with JSON Web Tokens, https://jwt.io is a great resource to learn more. If you would like to learn more about OAuth 2.0 with JWT tokens, you can read RFC7523.
Here is how you get an access token:
Generate a JSON Web Token, with the following details:
Key | Value |
| The client ID of your application |
| The client ID of your application |
| The token URL of Bugfender. For example, |
| The current timestamp |
| The timestamp when the token will be valid. If provided, it must be sometime in the future. |
| The timestamp when the JWT will expire. Please note the lifetime of a JWT can be a maximum of two minutes. |
| A unique identifier for the token. |
Sign the token with the RS256 algorithm (RSA Signature with SHA-256).
Send this assertion to Bugfender:
curl -i -X POST -H "Content-Type: application/x-www-form-urlencoded" -d grant_type=client_credentials -d client_id=xxx -d client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer -d client_assertion=xxx https://dashboard.bugfender.com/auth/token
This will produce an output like this:
{"access_token":"9e885e76-c0dc-4c09-bad6-f700b41ffd05","token_type":"bearer","expires_in":3600}
See the Using the API section below to use the token you just got to access the API.
If you're familiar with OAuth 2.0 you may notice there is no refresh token; when your access token expires you will need to repeat this process to get a new access token.
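The steps above (build the JWT, sign it with RS256, send it as client_assertion) as an added example using the same OpenSSL key pair; this is not Bugfender's own code. The claim names iss, sub, aud, iat, exp and jti are the standard RFC 7523 names and are an assumption here, since the key column of the table is empty on this page; aud is assumed to be the token URL from the curl command, and the optional not-before claim is omitted.

```shell
#!/bin/sh
# Added example: build an RS256 client assertion for the token endpoint.
# Claim names follow RFC 7523 (assumed; the page's table lost its key column).
TOKEN_URL="https://dashboard.bugfender.com/auth/token"  # assumed "aud" value

# base64url without padding, as JWT requires
b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }

# make_client_assertion CLIENT_ID PRIVATE_KEY_PEM [LIFETIME_SECONDS]
make_client_assertion() {
    client_id=$1; key=$2; ttl=${3:-60}
    # Keep the client ID from breaking out of the JSON string below.
    case $client_id in
        ''|*[!A-Za-z0-9._-]*) echo "unexpected client_id" >&2; return 1 ;;
    esac
    # The page caps the JWT lifetime at two minutes.
    [ "$ttl" -le 120 ] || { echo "lifetime must be <= 120s" >&2; return 1; }
    now=$(date +%s)
    exp=$((now + ttl))
    jti=$(openssl rand -hex 16)   # fresh identifier for every assertion
    header='{"alg":"RS256","typ":"JWT"}'
    payload=$(printf '{"iss":"%s","sub":"%s","aud":"%s","iat":%s,"exp":%s,"jti":"%s"}' \
        "$client_id" "$client_id" "$TOKEN_URL" "$now" "$exp" "$jti")
    signing_input="$(printf '%s' "$header" | b64url).$(printf '%s' "$payload" | b64url)"
    # RS256 = RSASSA-PKCS1-v1_5 over SHA-256 of "header.payload"
    sig=$(printf '%s' "$signing_input" | openssl dgst -sha256 -sign "$key" | b64url)
    [ -n "$sig" ] || { echo "signing failed" >&2; return 1; }
    printf '%s.%s\n' "$signing_input" "$sig"
}

# Usage (not run here: needs a real client ID and network access):
#   assertion=$(make_client_assertion "$CLIENT_ID" private-key.pem)
#   curl -s -X POST -d grant_type=client_credentials -d client_id="$CLIENT_ID" \
#     -d client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer \
#     -d client_assertion="$assertion" "$TOKEN_URL"
```

Generate a new assertion for every token request rather than caching one, since each is short-lived and carries its own jti.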
IP Address Allowlisting for Service Accounts (high security)
If you use your Service Account for an application that is hosted in a specific place, you can specify a list of IP addresses or ranges from where your service account can be used. This can be used in combination with the previous two authentication methods to tighten security, using the IP address as a second factor for authentication.
Please note IP address allowlisting is only available for Enterprise plans.
Authentication for Integrations
Integrations with Bugfender use the OAuth 2.0 authorization code grant for authentication.
Here is a quick summary on how to get started:
User authorization: to access a user's account, you'll need permission from them. Give them a URL like this, replacing client_id and redirect_uri with your own values:
https://dashboard.bugfender.com/auth/authorize?response_type=code&client_id=xxx&redirect_uri=urn:ietf:wg:oauth:2.0:oob
When the user authorizes your application, you will receive a callback with an authorization code to the redirect_uri.
Note: for applications without a server, you can use the special URI urn:ietf:wg:oauth:2.0:oob to display the authorization code on screen instead. This is not recommended, as it requires an additional step for the user.
Access token: once you get an authorization code, you'll need to exchange it for an access token. You can use the authorization code with your client_id and client_secret to obtain an access token like this:
curl -i -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=authorization_code&code=xxx&redirect_uri=urn:ietf:wg:oauth:2.0:oob&client_id=xxx&client_secret=xxx" https://dashboard.bugfender.com/auth/token
This will produce an output like this:
{"access_token":"9e885e76-c0dc-4c09-bad6-f700b41ffd05","token_type":"bearer","refresh_token":"b83a5520-ce88-4010-a4f3-b0c09c37ffb5","expires_in":3600}
Please note Bugfender also automatically provides a refresh token.
Refreshing the access token: access tokens will eventually expire. If you store the refresh_token, you can use it to get a new access_token and refresh_token to continue using the API without requesting authorization again:
curl -i -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=refresh_token&refresh_token=b83a5520-ce88-4010-a4f3-b0c09c37ffb5&redirect_uri=urn:ietf:wg:oauth:2.0:oob&client_id=xxx&client_secret=xxx" https://dashboard.bugfender.com/auth/token
Please note the reply may contain a refresh_token. If it does, it means the previous refresh_token is now expired and you need to replace the stored one with this one.
See the next section, Using the API, to use the token you just got to access the API.
Using the API
You can see all the things you can do with our API in the API documentation.
The access token obtained during authentication can be used as a Bearer token to call the API like this:
curl -i -H "Content-Type: application/json" -H "Authorization: Bearer 9e885e76-c0dc-4c09-bad6-f700b41ffd05" https://dashboard.bugfender.com/api/app/
Requesting API access
Please contact support and provide the following information:
The type of access you would like: service account or integration
The authentication method desired: client secret (medium security), JWT (high security), and optionally IP address allow-listing (higher security).
If creating an integration, the redirect_uri of your application.
If creating a service account, you must be an account owner or administrator.
If you've got any questions, please feel free to contact us!