Bugfender exposes an API so that you can make your own queries programmatically instead of using our dashboard.

Here are some ideas on how our customers are using our API:

  • Build custom reports on business metrics

  • Copy logs over to an Elasticsearch instance to correlate them with other events in the internal network

  • Download all logs for archiving purposes

  • Display logs of a user in their customer support portal

  • Build security analytics

Please note the API access is only available in some plans.

Access types

You can access the API in two ways, depending on what you want to build:

  • Service account: is a user account meant to be used by machines. A service account acts on its behalf, meaning it is similar to a human user account: it will appear in your team members list and you can give it permission to access specific applications in your team. This type of access is ideal when you want to interact programmatically with Bugfender by enabling/disabling devices, downloading logs, etc. A service account can only be used within the team that created it.

  • Integration: is a meant to be extend the functionality of Bugfender for existing users. An integration doesn't have its own user account, instead it acts on behalf of a human user. The creator of the integration doesn't need to give permissions, instead it's the users of the integration who give permissions when using them for the first time. This type of access is ideal when you want to make an extension of Bugfender to be used by potentially any Bugfender user.

API access request

To use our API, you will need a Client ID and Client Secret. Please contact customer support to get yours.

  • For integrations, you will need to provide the redirect_uri. This is the URL of your server that will receive the authorization codes, whenever a user authorizes your application into their account.

Authentication for Service Accounts (medium security)

Service accounts with Bugfender use the OAuth 2.0 client credentials grant for authentication.

Please note the application secret acts as a sort of password for the application. This is a static credential, and therefore is not adequate for teams who want strong security. This method is unavailable for teams that have the "Require 2FA" setting enabled.

Here is how you get an access token:

curl -i -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=client_credentials&client_id=xxx&client_secret=xxx" https://dashboard.bugfender.com/auth/token

This will produce an output like this:

{"access_token":"9e885e76-c0dc-4c09-bad6-f700b41ffd05","token_type":"bearer","expires_in":3600}

See the next section Using the API, to use the token you just got to access the API.

If you're familiar with OAuth 2.0 you may notice there is no refresh token; when your access token expires you will need to repeat this process to get a new access token.

Authentication for Service Accounts (high security)

Service accounts with Bugfender use the OAuth 2.0 client credentials grant for authentication, with JWT for client assertion.

This authentication method is based on a certificate, which is never shared with Bugfender, so it is deemed appropriate for higher security application authentication. This authentication method can be combined with an IP address allowlist, which makes it a second authentication factor for your application.

If you are not familiar with JSON Web Tokens, https://jwt.io is a great resource to learn more.

Here is how you get an access token:

  • Generate a JSON Web Token, with the following details:

Key

Value

iss (issuer)

The client ID of your application

sub (subject)

The client ID of your application

aud (audience)

The token URL of Bugfender. For example, https://dashboard.bugfender.com/auth/token

iat (issued at)

The current timestamp

nbf (not before, optional)

The timestamp when the token will be valid. If provided, it must be sometime in the future.

exp (expiration)

The timestamp when the JWT will expire. Please note the lifetime of a JWT can be a maximum of two minutes.

jti (JWT ID, optional)

A unique identifier for the token.

  • Sign the token with the RS256 algorithm (RSA Signature with SHA-256).

  • Send this assertion to Bugfender:

curl -i -X POST -H "Content-Type: application/x-www-form-urlencoded" -d grant_type=client_credentials -d client_id=xxx -d client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer -d client_assertion=xxx https://dashboard.bugfender.com/auth/token

This will produce an output like this:

{"access_token":"9e885e76-c0dc-4c09-bad6-f700b41ffd05","token_type":"bearer","expires_in":3600}

See the next section Using the API, to use the token you just got to access the API.

If you're familiar with OAuth 2.0 you may notice there is no refresh token; when your access token expires you will need to repeat this process to get a new access token.

Authentication for Integrations

Integrations with Bugfender use the OAuth 2.0 authorization code grant for authentication.

Here is a quick summary on how to get started:

  • User authorization: to access a user's account, you'll need permission from them. Give them a URL like this, you will need to replace your client_id and redirect_uri:

https://dashboard.bugfender.com/auth/authorize?response_type=code&client_id=xxx&redirect_uri=urn:ietf:wg:oauth:2.0:oob

When the user authorizes your application, you will receive a callback with an authorization code to the redirect_uri.

Note: for applications without a server, you can use the special URI urn:ietf:wg:oauth:2.0:oob to display the authorization code on screen instead. This is not recommended, as it requires an additional step for the user.

  • Access token: once you get an authorization code, you'll need to exchange it for an access token. You can use the authorization code with your client_id and client_secret to obtain an access token like this:

curl -i -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=authorization_code&code=xxx&redirect_uri=urn:ietf:wg:oauth:2.0:oob&client_id=xxx&client_secret=xxx" https://dashboard.bugfender.com/auth/token

This will produce an output like this:

{"access_token":"9e885e76-c0dc-4c09-bad6-f700b41ffd05","token_type":"bearer","refresh_token":"b83a5520-ce88-4010-a4f3-b0c09c37ffb5","expires_in":3600}

Please note Bugfender also automatically provides a refresh token.

  • Refreshing the access token: access tokens will eventually expire. If you store the refresh_token, you can use it to get a new access_token and refresh_token to continue using the API without requesting authorization again:

curl -i -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=refresh_token&refresh_token=b83a5520-ce88-4010-a4f3-b0c09c37ffb5&redirect_uri=urn:ietf:wg:oauth:2.0:oob&client_id=xxx&client_secret=xxx" https://dashboard.bugfender.com/auth/token

Please note the reply may contain a refresh_token. If it does, it means the previous refresh_token is now expired and you need to replace the stored one with this one.

See the next section Using the API, to use the token you just got to access the API.

Using the API

You can see all the things you can do with our API in the API documentation.

The access token obtained during authentication can be used as a Bearer token to call the API like this:

curl -i -H "Content-Type: application/json" -H "Authorization: Bearer 9e885e76-c0dc-4c09-bad6-f700b41ffd05" https://dashboard.bugfender.com/api/app/


Questions?

If you've got any questions, please feel free to contact us!

Did this answer your question?