Management API
The Management API provides programmatic access to AppTego Portal data and tenant operations. Use it when an internal system needs to inspect configuration, manage builds, administer users, query logs, manage tenant features, or integrate AppTego data into dashboards, compliance workflows, and release tooling.
For simple CI/CD app protection, use the Automation API. Use the Management API when your integration needs broader tenant administration or portal reporting.
| Guide | Use it to... |
|---|---|
| Overview and Authentication | Understand authentication, tenant headers, direct JSON response bodies, permissions, plans, limits, and endpoint groups. |
| Configuration | Read and modify control settings, promote versions, push live configuration, inspect options, and list trusted root CAs. |
| Applications and Builds | Upload, download, and manage protected builds, signing keys, legacy signing files, and build records. |
| Users and Access | Manage tenants, users, API tokens, automation keys, SAML SSO, SAML group mappings, and tenant settings. |
| Monitoring and Logs | Query dashboard data, WebSocket notifications, audit logs, device logs, and App Integrity configuration. |
| Tenant and Features | Manage certificate pinning entries, custom messages, custom libraries, support tickets, billing helpers, documents, sales contact requests, Tego Assistant, and AI Search. |
API Choice
| Need | Use |
|---|---|
| Upload, monitor, and download protected app artifacts from CI. | Automation API |
| Manage portal configuration, users, logs, tenant features, or reporting. | Management API |
Use API tokens for service integrations, scope permissions carefully, and rotate credentials according to your organization's security policy.
Integration Best Practices
- Create a separate API token for each Management API integration.
- Grant the minimum permissions required for that integration.
- Store token material in a secret manager.
- Send the intended `tenant` header for tenant-scoped calls.
- Log AppTego IDs such as tenant IDs, build `start_time`, ticket IDs, token keys, and request purpose in your internal systems.
- Handle `401`, `403`, `404`, `429`, validation errors, and plan-gated responses explicitly.
- Avoid using browser session credentials for server-side integrations.