The Snipe-IT API uses Laravel Passport for authentication via personal access tokens. All API requests must include a valid bearer token in the Authorization header.

Base URL

All API endpoints are prefixed with /api/v1:
https://your-snipe-it-instance.com/api/v1

Authentication Methods

Personal Access Tokens

Snipe-IT uses OAuth 2.0 personal access tokens for API authentication. These tokens allow you to authenticate API requests without exposing your password.

Generating a Token

You can generate a personal access token using the API itself (requires initial authentication) or through the web interface. Via API:
curl -X POST https://your-snipe-it-instance.com/api/v1/account/personal-access-tokens \
  -H "Authorization: Bearer YOUR_EXISTING_TOKEN" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -d '{
    "name": "My API Token"
  }'
Save the token immediately! For security reasons, the full token is only displayed once during creation. If you lose it, you’ll need to generate a new one.

Listing Your Tokens

Retrieve all active personal access tokens for the authenticated user:
curl https://your-snipe-it-instance.com/api/v1/account/personal-access-tokens \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Accept: application/json"

Deleting a Token

Revoke a personal access token when it’s no longer needed:
curl -X DELETE https://your-snipe-it-instance.com/api/v1/account/personal-access-tokens/{tokenId} \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Accept: application/json"
tokenId (string, required): The UUID of the token to delete (e.g., 9a8f7e6d-5c4b-3a2b-1c0d-9e8f7a6b5c4d)
A successful deletion returns HTTP status 204 No Content.

Using Your Token

Include your personal access token in the Authorization header of every API request using the Bearer authentication scheme:
Authorization: Bearer YOUR_ACCESS_TOKEN

Example Request

curl https://your-snipe-it-instance.com/api/v1/hardware \
  -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9..." \
  -H "Accept: application/json"

Token Expiration

By default, personal access tokens expire after 15 years from creation. You can customize this expiration period using the API_TOKEN_EXPIRATION_YEARS environment variable:
.env
API_TOKEN_EXPIRATION_YEARS=15

Content Type Headers

Always include the Accept: application/json header in your requests to ensure you receive JSON responses.
For POST, PUT, and PATCH requests, also include:
Content-Type: application/json

Authentication Errors

Unauthenticated (401)

Returned when no valid token is provided:
{
  "status": "error",
  "message": "Unauthenticated.",
  "payload": null
}

Forbidden (403)

Returned when the authenticated user lacks permissions:
{
  "status": "error",
  "message": "Insufficient permissions.",
  "payload": null
}

Invalid Token

If your token is malformed or expired:
{
  "status": "error",
  "message": "The token is invalid or has expired.",
  "payload": null
}

Security Best Practices

  • Never commit tokens to version control
  • Use environment variables or secure secret management systems
  • Treat tokens like passwords
Always use HTTPS to prevent token interception. Configure your Snipe-IT instance with:
.env
APP_FORCE_TLS=true
SECURE_COOKIES=true
Periodically delete old tokens and generate new ones, especially:
  • When team members leave
  • If you suspect a token has been compromised
  • As part of regular security maintenance
Name your tokens based on their purpose or application:
  • “Production Monitoring Script”
  • “Mobile App Integration”
  • “Backup Automation”
Create separate tokens for different applications or purposes rather than sharing a single token across multiple systems.

Testing Authentication

Verify your authentication setup by retrieving your user profile:
curl https://your-snipe-it-instance.com/api/v1/users/me \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Accept: application/json"
If you receive your user details, your authentication is working correctly!
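An added example, not part of the Snipe-IT documentation: the same /users/me check with the token read from the environment and handed to curl on stdin instead of the command line, and the response mapped to the cases under Authentication Errors. The variable names SNIPEIT_URL and SNIPEIT_TOKEN and the three function names are assumptions.

```shell
# Added example. SNIPEIT_URL and SNIPEIT_TOKEN are assumed variable names,
# exported from a secret manager or a mode-600 env file, never hard-coded.

# Emit a curl config for one API path. The token reaches curl on stdin,
# so it never appears in argv (visible via ps) or in shell history.
snipeit_curl_config() {
  case "${SNIPEIT_URL:-}" in
    https://*) ;;
    *) echo "refusing non-HTTPS base URL" >&2; return 2 ;;
  esac
  [ -n "${SNIPEIT_TOKEN:-}" ] || { echo "SNIPEIT_TOKEN is not set" >&2; return 2; }
  printf 'url = "%s/api/v1/%s"\n' "${SNIPEIT_URL%/}" "${1#/}"
  printf 'header = "Authorization: Bearer %s"\n' "$SNIPEIT_TOKEN"
  printf 'header = "Accept: application/json"\n'
}

# Map an HTTP status and body to the outcomes listed under Authentication Errors.
classify_response() {
  case "$2" in
    *'The token is invalid or has expired.'*) echo "invalid-or-expired-token"; return 0 ;;
  esac
  case "$1" in
    2??) echo "ok" ;;
    401) echo "unauthenticated" ;;
    403) echo "forbidden" ;;
    *)   echo "unexpected-$1" ;;
  esac
}

# Call /users/me; prints the outcome and returns non-zero unless the token works.
snipeit_check() {
  local cfg tmp status body result
  cfg=$(snipeit_curl_config "users/me") || return 2
  tmp=$(mktemp) || return 1
  status=$(printf '%s\n' "$cfg" | curl --silent --show-error --config - \
             --output "$tmp" --write-out '%{http_code}') || status="000"
  body=$(cat "$tmp"); rm -f "$tmp"
  result=$(classify_response "$status" "$body")
  echo "$result"
  [ "$result" = "ok" ]
}
```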
