> ## Documentation Index
> Fetch the complete documentation index at: https://docs.livingsecurity.com/llms.txt
> Use this file to discover all available pages before exploring further.

# KnowBe4

> Connect KnowBe4 to the Living Security Platform to import users, training enrollments, and phishing security test results.

export const EgressIpSafelist = ({system}) => <Warning>
    <strong>You need Living Security's egress IP ranges to finish this step</strong>, and they
    aren't shown in {system} or in these docs. Ask your Living Security program owner, who can
    get the current ranges from their CSM or support@livingsecurity.com. Enter each as a CIDR
    block (e.g. <code>203.0.113.0/24</code>) or a single host with <code>/32</code>.
  </Warning>;

export const ConnectInPlatform = ({tile, children}) => <Step title="Enter the credentials in the Living Security Platform">
    <p>
      Completed by whoever holds Living Security access — the program owner, or the system
      admin if they've been invited (delegated setup).
    </p>
    <ol>
      <li>
        Go to <strong>Settings → Integrations → Catalog</strong>, find the{' '}
        <strong>{tile}</strong> tile, click <strong>Connect</strong>.
      </li>
      <li>
        Fill in the fields below, then click <strong>Connect</strong>.
      </li>
    </ol>
    {children}
  </Step>;

export const SystemAdminBanner = ({system, recommendDelegated}) => <Note>
    <p>
      <strong>This guide is for your {system} administrator.</strong> It covers creating API
      credentials inside {system}, which requires admin access to {system} — not to the
      Living Security Platform.
    </p>
    <p>
      If you're the Living Security <strong>program owner</strong> and don't administer {system},
      send this page to whoever does. They complete Part A and hand the credentials back to you
      (or enter them directly if you've invited them into the platform).
      {recommendDelegated && <>
          {' '}Because setup produces sensitive key material, we recommend the{' '}
          <strong>delegated setup</strong> path so the secret is never sent back to you.
        </>}
    </p>
  </Note>;

<SystemAdminBanner system="KnowBe4" />

## What Living Security needs

| Credential             | Description                                                                                                                           |
| ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------- |
| **API key**            | A Reporting API bearer token generated under **Account Settings → API**. Sent on every request in the `Authorization: Bearer` header. |
| **Reporting API host** | The regional hostname for your KnowBe4 Reporting API (no `https://` prefix, no trailing slash), for example `us.api.knowbe4.com`.     |

**Scopes:** None to configure — KnowBe4 Reporting API tokens are read-only by design and are not scoped. The token grants read access to users, training enrollments, and phishing security test results, which is exactly what the sync reads.

**Required role:** **Account Admin** in KnowBe4 (only account administrators can access **Account Settings → API**)

### Prerequisites

* You must be signed in to your KnowBe4 console with an **Account Admin** role. Only account administrators can access **Account Settings → API** to enable the Reporting API and generate tokens.

***

## Part A — In KnowBe4

*Your KnowBe4 administrator completes these steps.*

<Steps>
  <Step title="Enable the Reporting API and generate a token">
    1. Sign in to your KnowBe4 console.
    2. Click your account name in the top-right corner and select **Account Settings**.
    3. In the left navigation, select **API**.
    4. Enable the **Reporting API** if it is not already enabled, then generate a new API token.

    Give the token a descriptive purpose (e.g., `Living Security Platform`) if your console prompts for one.

    <Warning>
      KnowBe4 displays the API token value **only once** when it is generated. Copy it immediately and store it in a secure location (e.g., a password vault or secrets manager). If you navigate away without copying it, you must generate a new token.
    </Warning>

    <Note>
      The Reporting API is read-only. It exposes users, training enrollments, and phishing security test results — the data Living Security ingests for scoring and reporting. No write access is required.
    </Note>
  </Step>

  <Step title="Add the Living Security egress IPs to the Allowed IP Addresses list">
    KnowBe4 lets you restrict Reporting API access to a specific set of source IP addresses. This setting lives in the same place as the token:

    1. In your KnowBe4 console, go to **Account Settings → API → Allowed IP Addresses**.
    2. Add each Living Security egress IP range for your region to the allowlist.

    <EgressIpSafelist system="KnowBe4" />

    <Warning>
      **If the Allowed IP Addresses list is configured, it is enforced at the network layer.** The connection dialog will succeed at authentication time, but data syncs will fail (blocked at the network layer, typically surfacing as a `403`) until the Living Security egress IPs are added to the allowlist. If you add any address to this list, you must also add the Living Security ranges, or our requests will be rejected even though your token is valid.
    </Warning>

    <Note>
      Living Security's egress IP ranges can change when infrastructure is updated. If data syncs begin failing after previously working, verify the Allowed IP Addresses list is current and add any new ranges.
    </Note>
  </Step>

  <Step title="Identify your regional Reporting API host">
    KnowBe4 serves the Reporting API from a region-specific host. The value you enter for **Reporting API host** depends on the server your KnowBe4 account is provisioned on:

    | Region                 | Reporting API host    |
    | ---------------------- | --------------------- |
    | US                     | `us.api.knowbe4.com`  |
    | EU                     | `eu.api.knowbe4.com`  |
    | Canada (CA)            | `ca.api.knowbe4.com`  |
    | United Kingdom (UK)    | `uk.api.knowbe4.com`  |
    | Germany (DE)           | `de.api.knowbe4.com`  |
    | US Government (US-Gov) | `gov.api.knowbe4.com` |

    Enter the **host only** — no `https://` prefix and no trailing slash.

    If you are unsure which region your account uses, check the domain of your KnowBe4 console URL or contact your KnowBe4 administrator.
  </Step>
</Steps>

***

## Part B — In the Living Security Platform

*The program owner completes this step, or the system admin if using delegated setup.*

<Steps>
  <ConnectInPlatform tile="KnowBe4">
    | Field                  | Value                                                              |
    | ---------------------- | ------------------------------------------------------------------ |
    | **API key**            | The Reporting API token from Part A, Step 1                        |
    | **Reporting API host** | The regional host from Part A, Step 3 (e.g., `us.api.knowbe4.com`) |
  </ConnectInPlatform>
</Steps>

You are now connected to KnowBe4.

***

## Troubleshooting

<AccordionGroup>
  <Accordion title="401 Unauthorized">
    The API token is invalid or expired. Verify the token is correct and has not been regenerated in **Account Settings → API**.
  </Accordion>

  <Accordion title="403 Forbidden">
    Either the token lacks Reporting API access, or the request IP is not on the Allowed IP Addresses list. Verify the Reporting API is enabled and that all Living Security egress IP ranges are on the allowlist.
  </Accordion>

  <Accordion title="Empty results (200 OK but no data)">
    The Reporting API may not yet have data to return, or the token's account lacks visibility into the users and campaigns Living Security ingests. Verify the token was generated by an Account Admin.
  </Accordion>
</AccordionGroup>
