What Living Security needs
Endpoint access required:
Required role: Tenant Admin or equivalent with access to Settings → Tools
This integration requires a v2 API token, not a v1 token. V1 tokens use query parameter authentication and will not work with the v2 API endpoint.
Prerequisites
- You must have Tenant Admin access in Netskope to manage REST API tokens.
Part A — In Netskope
Your Netskope administrator completes these steps.1
Navigate to REST API v2 Token Management
- Sign in to your Netskope admin console at
https://<tenant>.goskope.com. - In the left navigation, click Settings.
- Under Tools, select REST API v2.
2
Create a new token
- Click New Token.
- Enter a descriptive name (e.g.,
Living Security Platform). - Under endpoint access, enable access to:
Grant access only to
/api/v2/events/data/alert. This is the only endpoint Living Security requires — granting minimal access follows least privilege.- Click Save (or Generate Token).
3
Copy and save your token
Copy the token immediately and store it securely.
4
Configure IP allowlist (if applicable)
If your Netskope tenant has IP allowlisting enabled, you must add Living Security’s egress IP ranges.
- In the Netskope admin console, go to Settings → Administration → IP Allowlist.
- If IP allowlisting is enabled, add each Living Security egress IP range to the Custom IP list.
5
Identify your tenant subdomain
Your tenant subdomain is the prefix of your Netskope admin console URL.If your console URL is
https://acme.goskope.com, your subdomain is acme.Enter the bare subdomain only — no https://, no .goskope.com, no trailing slash.The connection dialog accepts several input forms (bare subdomain, full hostname, or full URL) and normalizes automatically. However, entering the bare subdomain is recommended.
Part B — In the Living Security Platform
The program owner completes this step, or the system admin if using delegated setup.1
Troubleshooting
403 Forbidden
403 Forbidden
The token was created without access to
/api/v2/events/data/alert. Token endpoint permissions cannot be changed after creation — create a new token with the correct access and reconnect.Syncs worked but now fail with 401
Syncs worked but now fail with 401
If IP allowlisting is enabled, Living Security’s egress IP ranges may have changed. Contact your CSM to verify the current ranges and update the allowlist.
Using a v1 token instead of v2
Using a v1 token instead of v2
V1 and v2 tokens use different authentication mechanisms:
- v1: Query parameter (
token=...) - v2: Header (
Netskope-Api-Token: ...)

