
API keys

API keys (aa_...) are long-lived credentials for scripts, CI, and CLI tooling. Each key belongs to a user, and usage is audit-logged per key.

Create

Settings → API keys → Create new key.

  • Name: freeform. Pick something descriptive (ci-pipeline, alex-laptop).
  • Expiration: optional. The default is never; setting 90 or 180 days is recommended as defence in depth, so a leaked key stops working on its own.

On create, the key value is shown exactly once. Copy it immediately; Pentestas stores only a hashed version, so we can't recover it.

Use

Authorization: Bearer aa_...

or

X-API-Key: aa_...

Works on every HTTP route. See Authentication for the full reference.

Audit log

Every API call with the key writes an audit entry. Filter by key on the team audit log to see exactly what happened.

Rotate

Best practice: rotate every 90 days, or immediately after a laptop / CI secret leaks.

  1. Create a new key with a distinct name (e.g. ci-pipeline-v2).
  2. Update the integration's secret to the new key.
  3. Verify the integration works.
  4. Delete the old key from the Pentestas UI.

Key deletion is immediate: the next request using the old key returns 401.

Security

  • Keys are 48 URL-safe random characters. Pentestas accepts them as either Authorization: Bearer or X-API-Key.
  • Stored hashed (bcrypt) at rest, so a database leak does not reveal usable keys.
  • Rate limits apply; see Authentication.
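The following is an added, self-contained model of the server-side behaviour this page describes (prefix, 48 URL-safe random characters, plaintext shown once, hash-at-rest, expiration, immediate deletion, per-key audit entries, and both accepted header forms). It is example code, not Pentestas' own implementation. Two things are assumptions rather than page facts: the page says bcrypt, but this example uses the standard library's scrypt as a stand-in so it runs without third-party packages; and the first 8 characters of the random part are used as a non-secret lookup id so the store can find the right hash without trying every record.

```python
"""Illustrative model of Pentestas-style API key handling (added example,
not Pentestas code). Stand-ins: hashlib.scrypt instead of bcrypt; an
8-character lookup id (assumption) for finding the stored hash."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

KEY_PREFIX = "aa_"
KEY_CHARS = 48      # page: 48 characters of URL-safe random
LOOKUP_LEN = 8      # ASSUMPTION: leading chars used as a non-secret lookup id


def _slow_hash(secret: str, salt: bytes) -> bytes:
    # Stand-in for bcrypt: memory-hard scrypt from the standard library.
    return hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def extract_key(headers: dict) -> Optional[str]:
    """Pull the key from either accepted header form (header names are case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    auth = lowered.get("authorization", "")
    if auth.lower().startswith("bearer "):
        return auth[7:].strip() or None
    return lowered.get("x-api-key", "").strip() or None


@dataclass
class KeyRecord:
    name: str
    owner: str
    salt: bytes
    digest: bytes
    expires_at: Optional[datetime]


@dataclass
class KeyStore:
    records: dict = field(default_factory=dict)   # lookup id -> KeyRecord
    audit: list = field(default_factory=list)     # one entry per API call

    def create(self, owner: str, name: str, ttl_days: Optional[float] = None) -> str:
        """Return the plaintext key exactly once; only salt + hash are retained."""
        rand = secrets.token_urlsafe(36)           # 36 bytes -> exactly 48 chars
        assert len(rand) == KEY_CHARS
        expires = None
        if ttl_days is not None:
            expires = datetime.now(timezone.utc) + timedelta(days=ttl_days)
        salt = secrets.token_bytes(16)
        self.records[rand[:LOOKUP_LEN]] = KeyRecord(
            name, owner, salt, _slow_hash(rand, salt), expires)
        return KEY_PREFIX + rand

    def delete(self, name: str) -> None:
        """Deletion is immediate: the next request with that key gets 401."""
        for lookup in [lk for lk, r in self.records.items() if r.name == name]:
            del self.records[lookup]

    def authenticate(self, headers: dict, route: str, now: Optional[datetime] = None) -> int:
        """Return 200 for a live, matching key; 401 otherwise. Always writes an audit entry."""
        now = now or datetime.now(timezone.utc)
        key = extract_key(headers)
        status, key_name = 401, None
        if key and key.startswith(KEY_PREFIX) and len(key) == len(KEY_PREFIX) + KEY_CHARS:
            rand = key[len(KEY_PREFIX):]
            rec = self.records.get(rand[:LOOKUP_LEN])
            if rec is not None and hmac.compare_digest(_slow_hash(rand, rec.salt), rec.digest):
                key_name = rec.name                 # attribute only after the hash matched
                if rec.expires_at is None or now < rec.expires_at:
                    status = 200
        self.audit.append({"key": key_name, "route": route, "status": status})
        return status


def audit_for_key(store: KeyStore, name: str) -> list:
    """Filter the audit log by key name, as the team audit log UI does."""
    return [e for e in store.audit if e["key"] == name]


if __name__ == "__main__":
    store = KeyStore()
    old = store.create("alex", "ci-pipeline", ttl_days=90)
    print(store.authenticate({"Authorization": "Bearer " + old}, "/v1/scans"))
    new = store.create("alex", "ci-pipeline-v2", ttl_days=90)     # rotation step 1
    store.delete("ci-pipeline")                                     # rotation step 4
    print(store.authenticate({"X-API-Key": old}, "/v1/scans"))      # 401
    print(store.authenticate({"X-API-Key": new}, "/v1/scans"))      # 200
```

The comparison uses hmac.compare_digest on the slow-hash output, and the audit entry is attributed to a key name only after the hash has matched, so a request carrying a guessed key that happens to share a lookup id is logged as unknown rather than against the real key.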

See also