Supplier Portal
The Supplier Portal gives your customers and business partners access to your SBOMs, VEX statements, and security documentation. CRA Article 13 requires providing this information to recipients of your products. The portal makes distribution easy and trackable.
What the Portal Provides
When enabled, your supplier portal allows authorised users to:
- Download SBOMs for your products
- View VEX statements explaining vulnerability status
- Access CSAF security advisories
- Download compliance documentation
Each download is logged so you know who accessed what and when.
Enabling the Portal
Go to Settings > Supplier Portal. Only organisation administrators can configure the portal.
Toggle "Enable Portal" to activate it. Your portal URL appears at the top of the page, like app.craevidence.com/portal/your-company-slug.
Portal Visibility
Choose who can access your portal:
Private means only users with a valid access token can view content. This is the default and recommended for most organisations.
Public means anyone with the URL can view your published content. Use this only if you want completely open access to your SBOMs and advisories.
Configuring Your Portal
Display Name
Set a customer-friendly name for your portal. This appears in the portal header and helps customers confirm they're in the right place.
Description
Add a welcome message or explanation of what customers can find in the portal.
Contact Email
Provide an email address where customers can reach your security or compliance team with questions.
Access Tokens
For private portals, customers need access tokens to log in. Each token identifies a specific customer or integration.
Creating a Token
Click "Create Access Token" and enter:
Name identifies who this token is for, like "ACME Corporation" or "CI Pipeline".
Expires sets how long the token is valid. Options include 30 days, 90 days, 180 days, 1 year, or no expiration.
After creation, copy the token immediately. It's only shown once. Share it securely with your customer.
Managing Tokens
The access tokens list shows all active tokens with their names, creation dates, and last used times. Use the last used time to identify tokens that are no longer in use and revoke them.
Click "Revoke" to permanently disable a token. The customer loses access immediately.
What Customers See
When customers log into your portal, they see a list of products you've made available. They can:
- Browse products and versions
- Download SBOMs in CycloneDX JSON format
- View VEX statements for each version
- Download CSAF advisories
The portal only shows content you've explicitly published. Draft advisories and internal documents aren't visible.
Download Statistics
The Statistics section shows portal usage:
- Total downloads this month
- Most downloaded products
- Download trends over time
- Active customers (by token usage)
Use these metrics to understand how customers engage with your compliance documentation.
Audit Trail
Every portal action is logged:
- Customer logins (by token)
- SBOM downloads
- VEX document views
- Advisory downloads
Access the audit log from Settings > Audit Log and filter by "portal" event type.
CRA Compliance
The supplier portal helps you meet several CRA requirements:
Article 13(6) requires providing SBOMs to commercial recipients upon request. The portal automates this.
Article 13(12) requires making vulnerability information available. VEX statements and CSAF advisories in your portal fulfil this.
Article 13(13) requires communicating with importers and distributors. The portal provides a consistent channel for sharing security documentation.
Best Practices
Review tokens regularly. Revoke tokens for customers who no longer need access.
Use descriptive names. When you have many tokens, clear names help identify who's who.
Set reasonable expiration periods. Shorter expiration periods improve security but require more maintenance.
Monitor downloads. Unusual download patterns might indicate credential sharing.
Keep content current. Customers expect your portal to have the latest SBOMs and advisories.
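The token review and download monitoring practices above can be scripted against the token list and the "portal" audit events. The following is an added example, not part of the product or its API; the token fields, event types and sample data are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed data: the portal's real token and audit-log field names are assumptions.
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)
DAY = timedelta(days=1)
# Token list as shown under Settings > Supplier Portal; "expires" None means no expiration.
TOKENS = [
    {"name": "ACME Corporation", "expires": NOW + 60 * DAY, "last_used": NOW - 2 * DAY},
    {"name": "CI Pipeline", "expires": None, "last_used": NOW - 1 * DAY},
    {"name": "Distributor B", "expires": NOW + 300 * DAY, "last_used": NOW - 3 * DAY},
    {"name": "Old Reseller", "expires": None, "last_used": NOW - 200 * DAY},
    {"name": "Pilot Customer", "expires": NOW - 5 * DAY, "last_used": NOW - 40 * DAY},
]

def _ev(days_ago, token, kind, n=1):
    """n constructed audit events of one type for a token, days_ago days before NOW."""
    return [(NOW - days_ago * DAY, token, kind)] * n

# Constructed "portal" audit events: (timestamp, token name, event type).
EVENTS = (
    _ev(2, "ACME Corporation", "login") + _ev(2, "ACME Corporation", "sbom_download", 2)
    + _ev(1, "CI Pipeline", "login") + _ev(1, "CI Pipeline", "sbom_download", 3)
    + _ev(9, "CI Pipeline", "sbom_download", 2)
    + _ev(3, "Distributor B", "login") + _ev(3, "Distributor B", "sbom_download", 40)
    + _ev(3, "Distributor B", "advisory_download", 12)
)

def stale_tokens(tokens, now=NOW, max_idle_days=90):
    """Revoke candidates: tokens that have expired or sat unused for max_idle_days."""
    flagged = []
    for t in tokens:
        expired = t["expires"] is not None and t["expires"] <= now
        idle = (now - t["last_used"]).days >= max_idle_days
        if expired or idle:
            flagged.append((t["name"], "expired" if expired else "idle"))
    return flagged

def download_spikes(events, factor=5, floor=10):
    """Tokens whose busiest download day is at least factor x the median busiest day
    across all tokens (and at least floor): a pattern that may indicate a shared token."""
    per_day = Counter((tok, ts.date()) for ts, tok, kind in events if kind.endswith("_download"))
    peak = defaultdict(int)
    for (tok, _), n in per_day.items():
        peak[tok] = max(peak[tok], n)
    if not peak:
        return []
    baseline = median(peak.values())
    return sorted(tok for tok, n in peak.items() if n >= max(floor, factor * baseline))
```

Run stale_tokens(TOKENS) and download_spikes(EVENTS) on an exported token list and audit log to get a revocation list and a list of tokens worth a follow-up with the customer.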
Alternative Distribution
If the portal doesn't fit your workflow, you can also:
- Include SBOMs in your product deliverables
- Email documents directly to customers
- Use the API to integrate with your existing customer portal
The supplier portal is one option, not the only way to meet CRA requirements.
Related Documentation
- CSAF & VEX for publishing security advisories
- SBOM Guide for understanding SBOM content
- API Overview for programmatic access
- Organisation Settings for general configuration