Last updated: November 24, 2021
Burp Suite Enterprise Edition provides two APIs that you can use to interact with the system from other third-party software. The GraphQL API offers the broadest range of functionality and is recommended for new integrations, while the REST API offers a simple migration for users who are familiar with the Burp Suite Professional API.
If you are planning on developing a new integration of Burp Suite Enterprise Edition with your own software or a third-party tool, we recommend using the GraphQL API wherever possible.
The GraphQL API exposes virtually all of the core functionality and data of Burp Suite Enterprise Edition. Among other things, you can use the API to:
- Create and edit sites.
- Schedule one-off and regular scans.
- Create and edit custom scan configurations.
- Add folders to your site tree.
- Get scan results and reports.
- Manage your pool of agent machines, including authorizing new agent machines.
- Integrate scans as part of your build pipeline.
Burp Suite Enterprise Edition's REST API offers a basic means of initiating scans from your CI system and failing software builds whenever certain issues are reported. It is closely related to the Burp Suite Professional API, and represents a simple migration from that API surface.
While the REST API may be more familiar to users of Burp Suite Professional, it is only able to expose a limited range of Burp Suite Enterprise Edition's functionality. Therefore, we strongly recommend using the GraphQL API for your new integrations wherever possible.
To view interactive documentation for the REST API, browse to:
[Enterprise server URL]/api/[API key].
Using the APIs
In order to use either of Burp Suite Enterprise Edition's APIs, you will need to set up an API user. API users each have a unique API key that enables them to authenticate when making requests.
Note that Burp Suite Enterprise Edition's user roles apply to API users in the same way as UI users. You can only use the APIs to perform those tasks that the user permissions associated with your role allow. As such, you should ensure that any API users you set up have the correct roles applied.