Skip to content

Documentation

Everything you need to secure your AI-built projects

API Keys

Guides

API Keys

API keys let you access BoringSec programmatically from CI/CD pipelines, custom scripts, and advanced automations. Local MCP flows can also use device authorization so developers do not have to copy raw secrets manually.

Key format

format
bsk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

All BoringSec API keys start with the bsk_ prefix.

The first 8 characters are saved as a prefix for identification (e.g., bsk_a1b2...).

Copy your key immediately
Keys are stored as SHA-256 hashes — we never store or display the full key after creation. Copy it the moment it is generated.

Creating an API key

  1. 1

    Go to the API Keys page

    Dashboard → API Keys (requires Pro plan or higher).

  2. 2

    Name your key

    Give it a descriptive name like "CI/CD Pipeline" or "GitHub Action".

  3. 3

    Select scopes

    Choose which permissions the key has (see the Scopes section below).

  4. 4

    Copy immediately

    The full key is shown only once. Store it in your environment variables or secrets manager.

Scopes & permissions

Scopes control what each API key can access. Some scopes require higher tier plans.

ScopeDescriptionMin tier
scan:readRead scan results, usage statsPro
scan:writeCreate and run scansPro
scan:read:fullRead full scan data with raw metadataBusiness
domain:readRead domain informationPro
domain:writeCreate, update, delete domainsPro
monitoring:readRead monitoring configurationPro
monitoring:writeUpdate monitoring settingsPro
webhook:readRead webhook configurationsBusiness
webhook:writeCreate, update, delete webhooksBusiness
compliance:readRead compliance reportsBusiness
history:readRead historical scan data and trendsBusiness
template:readRead fix templatesPro
template:writeSubmit community fix templatesPro

Using your key

HTTP header

http
Authorization: Bearer bsk_your_api_key_here

Environment variable

env
# .env or CI/CD secrets
BORINGSEC_API_KEY=bsk_your_api_key_here

Claude Code MCP

shell
# Preferred local flow
npx -y @boringsec/claude-code login

// ~/.claude/config.json
"args": ["-y", "@boringsec/claude-code"]

Manual API keys are still supported, but device authorization is safer and simpler for local editor setups.

Rate limits

Pro

100 requests/hour

For solo developers

Business

1,000 requests/hour

For teams and CI/CD

Enterprise

5,000 requests/hour

For heavy automation

Rate limit headers
Authenticated API responses that pass through the API rate-limit middleware include X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset. Pre-authentication and validation errors may not include these headers.

Security best practices

Keep your keys safe
  • Never commit API keys to git. Use environment variables or a secrets manager.
  • Use least-privilege scopes. Only grant the scopes your integration needs.
  • Set expiration dates on keys you create for temporary use (CI/CD previews, testing).
  • Rotate keys regularly. Revoke old keys from the API Keys page and create new ones.
  • Monitor usage. Check the last-used timestamp on your keys to detect unauthorized access.

Ready to integrate?

Create your first API key in seconds and wire BoringSec into your pipeline.