API Key Authentication

All VulnZap API requests require authentication using an API key in the x-api-key header.

Basic Authentication

curl https://api.vulnzap.com/api/scan/github \
  -H "x-api-key: your_api_key_here" \
  -H "Content-Type: application/json"

Creating an API Key

Via Dashboard:
  1. Navigate to API Keys: go to Dashboard → Settings → API Keys
  2. Create Key: click Create API Key
  3. Configure:
     • Name: “Production API Key”
     • Scope: Full access or Read-only
     • Expiration: Never, 90 days, 1 year
  4. Copy Key
     ⚠️ Important: Copy the key immediately; it won’t be shown again.

Via CLI:
vulnzap auth
# Generates and stores an API key locally

Using API Keys

Environment Variable (Recommended):
export VULNZAP_API_KEY="your_api_key_here"
curl https://api.vulnzap.com/api/scan/github \
  -H "x-api-key: $VULNZAP_API_KEY" \
  -H "Content-Type: application/json"

Request Header:
POST /api/scan/github HTTP/1.1
Host: api.vulnzap.com
x-api-key: your_api_key_here
Content-Type: application/json

CLI (automatic):
vulnzap setup -k your_api_key_here
vulnzap scan https://github.com/owner/repo

Key Types

Personal API Keys

  • Scope: Your projects only
  • Permissions: Based on your role
  • Best for: Development, personal automation

Team API Keys

  • Scope: All team projects (or subset)
  • Permissions: Configurable
  • Best for: CI/CD, shared services
  • Requirements: Admin/Owner role

Security Best Practices

Never hardcode keys in source:
// ❌ BAD
const apiKey = "vzap_abc123...";

// ✅ GOOD
const apiKey = process.env.VULNZAP_API_KEY;

Keep keys in a .env file that is not committed:
# .env file
VULNZAP_API_KEY=vzap_abc123...
Add .env to .gitignore.

Rotate every 90 days:
  1. Create new key
  2. Update services to use new key
  3. Revoke old key

Grant only necessary permissions:
  • Read-only keys for reporting
  • Project-specific keys where possible
  • Avoid full-access keys unless needed

Revoke keys that are no longer needed:
Dashboard → Settings → API Keys → Revoke
Effect is immediate.
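The practices above (key from the environment, never in source; rotation without downtime; 401 on a revoked key) combined into one small Node.js client. This is an added example, not VulnZap's own client code; the request body shape ({ repoUrl }) and the redaction format are assumptions.

```javascript
// Added example (not VulnZap's client): builds a scan request with the API key
// read from the environment at call time and treats a 401 as a revoked/invalid key.
const SCAN_URL = "https://api.vulnzap.com/api/scan/github";

// Read the key per request, not at module load, so a rotated key placed in the
// environment takes effect without restarting a long-running service.
function getApiKey(env = process.env) {
  const key = env.VULNZAP_API_KEY;
  if (!key || key.trim() === "") {
    throw new Error("VULNZAP_API_KEY is not set; refusing to send an unauthenticated request");
  }
  return key.trim();
}

// Mask a key for log output: keep the prefix and the last 4 characters only.
// (Format is an assumption; the point is that the full key never reaches logs.)
function redactKey(key) {
  if (key.length <= 8) return "****";
  return `${key.slice(0, 5)}...****${key.slice(-4)}`;
}

// Assemble the documented request: POST with x-api-key and JSON content type.
function buildScanRequest(repoUrl, env = process.env) {
  return {
    url: SCAN_URL,
    method: "POST",
    headers: {
      "x-api-key": getApiKey(env),
      "Content-Type": "application/json",
    },
    body: JSON.stringify({ repoUrl }), // body shape is an assumption
  };
}

// Map an HTTP status to an actionable message; 401 is the documented
// response for a revoked key.
function interpretStatus(status) {
  if (status === 401) return "unauthorized: key is invalid or has been revoked; rotate to a current key";
  if (status >= 200 && status < 300) return "ok";
  return `unexpected status ${status}`;
}

async function scanRepo(repoUrl) {
  const req = buildScanRequest(repoUrl);
  console.log(`scanning ${repoUrl} with key ${redactKey(req.headers["x-api-key"])}`);
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  const outcome = interpretStatus(res.status);
  if (outcome !== "ok") throw new Error(outcome);
  return res.json();
}
```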

Revoking API Keys

Via Dashboard:
Dashboard → Settings → API Keys → Select Key → Revoke
Effect: Immediate. All requests using the revoked key will fail with 401 Unauthorized.

Next Steps