Documentation
Everything you need to secure your vibe-coded projects
Guides
API Keys
API keys let you access BoringSec programmatically from CI/CD pipelines, custom scripts, and advanced automations. Local MCP flows can also use device authorization so developers do not have to copy raw secrets manually.
Key Format
bsk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
All BoringSec API keys start with the bsk_ prefix.
Keys are stored as SHA-256 hashes — we never store or display the full key after creation. Copy it immediately when generated.
The first 8 characters are saved as a prefix for identification (e.g., bsk_a1b2...).
Creating an API Key
Go to API Keys page
Dashboard → API Keys (requires Pro plan or higher).
Name your key
Give it a descriptive name like "CI/CD Pipeline" or "GitHub Action".
Select scopes
Choose which permissions the key has (see Scopes section below).
Copy immediately
The full key is shown only once. Store it in your environment variables or secrets manager.
Scopes & Permissions
Scopes control what each API key can access. Some scopes require higher tier plans.
| Scope | Description | Min Tier |
|---|---|---|
| scan:read | Read scan results, usage stats | Pro |
| scan:write | Create and run scans | Pro |
| scan:read:full | Read full scan data with raw metadata | Business |
| domain:read | Read domain information | Pro |
| domain:write | Create, update, delete domains | Pro |
| monitoring:read | Read monitoring configuration | Pro |
| monitoring:write | Update monitoring settings | Pro |
| webhook:read | Read webhook configurations | Business |
| webhook:write | Create, update, delete webhooks | Business |
| compliance:read | Read compliance reports | Business |
| history:read | Read historical scan data and trends | Business |
| template:read | Read fix templates | Pro |
| template:write | Submit community fix templates | Pro |
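
The storage model described under Key Format and the per-key scope check described under Scopes & Permissions, sketched as an added example; this is not BoringSec's code. The record layout, the 32-hex-character key body and every function name are assumptions made for illustration.

```python
import hashlib
import secrets

PREFIX_LEN = 8  # "bsk_" plus four characters, like the page's bsk_a1b2... example


def key_digest(key):
    """SHA-256 of the key, hex-encoded; the only form of the key that is stored."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def create_key(store, name, scopes):
    """Create a key, keep only digest, prefix and scopes, and return the key once."""
    key = "bsk_" + secrets.token_hex(16)  # assumption: 32 random hex characters
    store[key_digest(key)] = {
        "name": name,
        "prefix": key[:PREFIX_LEN],
        "scopes": frozenset(scopes),
    }
    return key


def list_keys(store):
    """What can be displayed after creation: name and prefix, never the key."""
    return sorted((r["name"], r["prefix"] + "...") for r in store.values())


def authorize(store, authorization_header, required_scope):
    """Return the key's name if the Bearer key is known and holds the scope."""
    scheme, _, presented = authorization_header.partition(" ")
    if scheme != "Bearer" or not presented.startswith("bsk_"):
        return None
    # Unsalted SHA-256 is adequate only because the key is long and random;
    # it would not be adequate for a human-chosen password.
    record = store.get(key_digest(presented))
    if record is None or required_scope not in record["scopes"]:
        return None
    return record["name"]


def revoke(store, name):
    """Remove every key with this name and return how many were removed."""
    doomed = [d for d, r in store.items() if r["name"] == name]
    for d in doomed:
        del store[d]
    return len(doomed)
```

Because only the digest is kept, a lost key cannot be recovered from the store; it has to be revoked and replaced.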
Using Your Key
HTTP Header
Authorization: Bearer bsk_your_api_key_here
Environment Variable
# .env or CI/CD secrets
BORINGSEC_API_KEY=bsk_your_api_key_here
Claude Code MCP
# Preferred local flow
npx -y @boringsec/claude-code login
// ~/.claude/config.json
"args": ["-y", "@boringsec/claude-code"]
Manual API keys are still supported, but device authorization is safer and simpler for local editor setups.
Rate Limits
Pro
100 requests/hour
For solo developers
Business
500 requests/hour
For teams and CI/CD
Enterprise
2,000 requests/hour
For heavy automation
Rate limit headers are included in every response: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset.
Security Best Practices
Never commit API keys to git. Use environment variables or a secrets manager.
Use least-privilege scopes. Only grant the scopes your integration needs.
Set expiration dates on keys you create for temporary use (CI/CD previews, testing).
Rotate keys regularly. Revoke old keys from the API Keys page and create new ones.
Monitor usage. Check the last-used timestamp on your keys to detect unauthorized access.