Organizations

Organizations are used to share your API Targets and Run results with other users. You may belong to any number of Organizations. As an Organization owner, you can invite others to join you and create service accounts to integrate Mayhem for API into your DevOps pipeline.

When you sign up you will be prompted to create a new Organization. You will be the Owner of this Organization.

Authorization

Mayhem for API implements a form of Role Based Access Control (RBAC).

All resources are scoped to an Organization. API Targets, for example, are assigned to one, and only one, Organization. In order to view an API Target, you must belong to the same Organization as that API Target (unless the Target has been marked as "public").

Access Model

Access to Organization resources is controlled with roles.

Owner: Organization Owners have full control over Organizations, Members and API Targets.

Member: Organization Members may create API Targets and view Job results, but may not manage other members.

Actions controlled by these roles, grouped by area (Owners may perform every action; Members are limited as described above):

Organization Settings
  Create organization invitation
  Remove member (a Member may only remove themselves)
  Create Service Accounts
  Change Member Roles

API Target Settings
  Create Target
  Update Target
  Delete Target
  Change Target Settings
  Change Target access

Jobs
  Scan an API
  View Jobs
  Delete Jobs

You can change the roles of Organization members with the mapi organization set-role command or from your Organization Settings page.

Inviting others to join your Organization

From your Browser

As an organization owner, you can send an email invitation to your organization directly from your browser. Navigate to the Members tab on your Organization page and hit the Invite button to send an invitation to any email recipient that you wish to join your Organization.

Invite Email

From the mapi CLI

Organization Owners can create a new invitation with the mapi organization invite command using the name of their Organization.

Invitations are only valid for one claim and will expire after two days by default. You can extend the number of claims and the duration with the --max-claims and --expiration-min options respectively. For example:

mapi organization invite --max-claims 5 --expiration-min 2880 my-organization

The command prints a message that you can send to whomever you would like to invite to your Organization via Email/Slack/SMS/etc:

A new invitation has been created for organization <your-organization>>!

Up to 1 user(s) can join the organization by going to 'https://mayhem4api.forallsecure.com/join/uGb79...'.

The invitation link is valid for 1 day.

Anyone that accepts your invite will join with the Member role.

Service Accounts

Organization owners may create service accounts for accessing the API as part of automation to avoid using API Tokens from individual accounts. You may create as many service accounts as you require in your organization.

Service accounts do not count toward developer count for the purpose of billing.

To create a new service account, use the mapi CLI:

mapi organization service-account create <my-organization> <service-account-name>

The service account will be added to your organization, and an API token will be presented once. You must record this token, as it will not be shown again.

New Service Account named '<service-account-name>' created! A new API token has been
created.

           SWOJg...

You can use this token in the environment variable, MAPI_TOKEN, to access
the API Fuzzer API as the Service Account. We will not display this value
again.

You may now use the API token presented in the response to access targets and run fuzzing jobs in your Organization.

Removing a Service Account

To delete a service account (and invalidate its API Token) you must remove the account from your organization. Find the ID of your service account by listing organization members:

mapi organization list-members <my-organization>

 ID  Name               Role
  1  foo                Owner
  2  bar                Member
  3  <service-account>  Member   <<<<<

Now remove the service account from your organization:

mapi organization remove-member <my-organization> <service-account-id>

Successfully removed Organization '<my-organization>>' member '3'!
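The create-and-remove procedure above, wrapped into shell helpers that capture the one-time token and look up a service account's ID by name before removing it. This is an added example, not code from the Mayhem for API documentation; it assumes the mapi CLI is on PATH and prints the same output shapes quoted on this page, and that member names contain no whitespace.

```shell
#!/usr/bin/env bash
# Added example, not from the Mayhem for API documentation. Assumes the `mapi`
# CLI is on PATH and prints the same shapes as the output quoted on this page;
# member names are assumed to contain no whitespace.
set -euo pipefail

# Constructed sample outputs (modelled on the listings quoted above) so the
# parsing helpers can be exercised without a live mapi session.
SAMPLE_LISTING=' ID  Name               Role
  1  foo                Owner
  2  bar                Member
  3  ci-fuzzer          Member'
SAMPLE_CREATE="New Service Account named 'ci-fuzzer' created! A new API token has been
created.

           SWOJgEXAMPLE

You can use this token in the environment variable, MAPI_TOKEN, to access
the API Fuzzer API as the Service Account. We will not display this value
again."

# Print the ID from a list-members table ($1) for the member named $2.
# Skips the header row; prints nothing if no such member exists.
member_id_by_name() {
  printf '%s\n' "$1" | awk -v name="$2" 'NR > 1 && $2 == name { print $1; exit }'
}

# Pull the one-time token out of service-account create output ($1): it is
# the only line made of a single, indented word.
extract_token() {
  printf '%s\n' "$1" | awk '/^[[:space:]]+[^[:space:]]+[[:space:]]*$/ { print $1; exit }'
}

# Create a service account and emit only its token, so a caller can pipe it
# straight into a secret store instead of leaving it in terminal scrollback.
create_service_account() {   # $1 = organization, $2 = account name
  extract_token "$(mapi organization service-account create "$1" "$2")"
}

# Remove a service account by name; this also invalidates its API token.
remove_service_account() {   # $1 = organization, $2 = account name
  local id
  id=$(member_id_by_name "$(mapi organization list-members "$1")" "$2")
  [ -n "$id" ] || { echo "no member named '$2' in organization '$1'" >&2; return 1; }
  mapi organization remove-member "$1" "$id"
}

# Rotate a pipeline credential: create the replacement first, then remove
# the old account, so automation never runs with no valid token.
rotate_service_account() {   # $1 = organization, $2 = old name, $3 = new name
  create_service_account "$1" "$3"
  remove_service_account "$1" "$2"
}
```

Feed the token printed by create_service_account or rotate_service_account directly into your pipeline's secret store as MAPI_TOKEN rather than echoing it into logs.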

Target Access Control

By default, Targets are only visible to members of their Organization. Organization owners can make targets publicly visible to unauthenticated visitors and members of other organizations by changing the Access Control setting of a Target from "Private" to "Public".

Access Control