This article explains how to connect and authenticate to the Aqua Enterprise API in the CSPM platform.

Aqua CSPM platform

The Aqua CSPM platform is comprised of two integrated products:

  • The Aqua CSPM platform, which is the comprehensive solution for multi-cloud security posture management (check the official link below for more information)
  • The "Workload Protection" module (see image below) which is the integrated version of the Aqua Enterprise with the Aqua CSPM interface.

To learn more about CSPM, please go to

Aqua CSPM API vs. Aqua Enterprise API (Workload Protection)

There are two APIs present in this solution:

  • Aqua CSPM API 
  • Aqua Enterprise API (Workload Protection)

Although we use both APIs, the main idea is to use the first API (CSPM) only to generate the authentication token, so that we can then access the Aqua Enterprise API (Workload Protection).

SSO Authentication

Important: This step cannot be performed manually by the user; instead, the user must open a ticket directly with Aqua support to have this option modified according to the customer's request.

For users who have chosen to use the SSO feature to authenticate themselves, there is a workaround that can be found at How to authenticate to Aqua CSPM API for users with SSO authentication method enabled.

How to collect the token from CSPM API to authenticate with Enterprise API (Workload Protection)

To create the token, first access the Aqua CSPM platform API through the link below:





Next, send a POST request with the curl command, passing the email and password fields, so that the API returns the bearer token needed to authenticate to the Aqua Enterprise API (Workload Protection).

API call to generate the bearer token

curl --location --request POST '' \
    --header 'Content-Type: application/json' \
    --data-raw '{"email": "","password": "your_password"}'


    "status": 200,
    "code": 0,
    "data": {
        "account_id": 2273,
        "user_id": 13077,
        "account_admin": true,
        "trial_end": null,
        "email": ""

How to connect to the Aqua Enterprise API (Workload Protection Module) using the bearer token generated by the CSPM API in the step above

To gain this access, you must provide the customer's Workload Protection Module ID (DNS name) and the token.


Although this ID is not visible when we access the Workload Protection Module from Aqua SaaS through the links mentioned below (mirrors), each client has an internal instance with a different ID from the others.

Connect to the Aqua CSPM platform through these links 

US -

EU -

Asia-1 -

Asia-2 -

Note: Previously, once the Workload Protection Module was accessed, the environment ID was visible in the address bar of the browser, as shown below. Currently, however, this ID is no longer visible.

So how do you find this ID?

Go to the Administration > Scanners menu, then click on the "Connect Scanner" button, fill in all the data and click on the "Save and get Deployment command" button so that the deployment command for a new scanner is created.

This command contains the ID of your environment, which you can then use to connect to the Aqua SaaS API.

Authentication method

After creating the bearer token and collecting the environment ID as described above, send the token in the header of the POST or GET request made with the tool you use to connect to our API, as shown in the following example:

API call method for authentication with Aqua Enterprise

curl --location --request GET '' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxODQ3NywiYWNjb3VudF9pZCI6NDg3MywiYWNjb3VudF9hZG1pbiI6dHJ1ZSwicGxhbiI6ImVudGVycHJpc2UiLCJ0cmlhbF9lbmQiOm51bGwsInVzZXJfZ3JvdXBzX3VzZXIiOlsiNTQ2MSJdLCJ1c2VyX2dyb3Vwc19hZG1p'
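
The two calls in this article as an added Python example, not code from Aqua or from the original page: it builds the sign-in POST and the authenticated GET, and reads the credentials from the environment instead of the command line. The URLs, the `token` field name and the `AQUA_*` environment variables are assumptions, because the page's URLs and the end of its sample response are not shown.

```python
import json
import os
import urllib.request

# Placeholders (the page's URLs are elided); TOKEN_FIELD is an assumed field name.
CSPM_SIGNIN_URL = "https://cspm-api.example.invalid/signin"
ENTERPRISE_BASE_URL = "https://ENVIRONMENT-ID.example.invalid"
TOKEN_FIELD = "token"

def require_https(url):
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send credentials to non-HTTPS URL: " + url)
    return url

def build_signin_request(url, email, password):
    # json.dumps escapes quotes and backslashes that would break a hand-built --data-raw.
    body = json.dumps({"email": email, "password": password}).encode("utf-8")
    return urllib.request.Request(require_https(url), data=body, method="POST",
                                  headers={"Content-Type": "application/json"})

def extract_token(response_body):
    # Accept only the success shape shown on the page: "status": 200 plus a "data" object.
    doc = json.loads(response_body)
    if doc.get("status") != 200 or not isinstance(doc.get("data"), dict):
        raise ValueError("sign-in failed with status %r" % doc.get("status"))
    token = doc["data"].get(TOKEN_FIELD)
    if not isinstance(token, str) or not token:
        raise ValueError("no bearer token in sign-in response")
    return token

def build_enterprise_request(base_url, path, token):
    # Second call: the same headers as the page's curl example.
    url = require_https(base_url).rstrip("/") + "/" + path.lstrip("/")
    return urllib.request.Request(url, method="GET", headers={
        "Accept": "application/json", "Authorization": "Bearer " + token})

def main():
    # Secrets come from the environment, not argv, so they stay out of shell history and ps.
    if not all(k in os.environ for k in ("AQUA_EMAIL", "AQUA_PASSWORD", "AQUA_API_PATH")):
        return print("set AQUA_EMAIL, AQUA_PASSWORD and AQUA_API_PATH first")
    signin = build_signin_request(CSPM_SIGNIN_URL, os.environ["AQUA_EMAIL"], os.environ["AQUA_PASSWORD"])
    with urllib.request.urlopen(signin, timeout=30) as resp:
        token = extract_token(resp.read())
    call = build_enterprise_request(ENTERPRISE_BASE_URL, os.environ["AQUA_API_PATH"], token)
    with urllib.request.urlopen(call, timeout=30) as resp:
        print(resp.status)  # report the HTTP status only; never print the token

if __name__ == "__main__":
    main()
```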