API Keys
Guides
API Keys
API keys let you access BoringSec programmatically from CI/CD pipelines, custom scripts, and advanced automations. Local MCP flows can also use device authorization so developers do not have to copy raw secrets manually.
Key format
bsk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxAll BoringSec API keys start with the bsk_ prefix.
The first 8 characters are saved as a prefix for identification (e.g., bsk_a1b2...).
Creating an API key
- 1
Go to the API Keys page
Dashboard → API Keys (requires Pro plan or higher).
- 2
Name your key
Give it a descriptive name like "CI/CD Pipeline" or "GitHub Action".
- 3
Select scopes
Choose which permissions the key has (see the Scopes section below).
- 4
Copy immediately
The full key is shown only once. Store it in your environment variables or secrets manager.
Scopes & permissions
Scopes control what each API key can access. Some scopes require higher tier plans.
| Scope | Description | Min tier |
|---|---|---|
scan:read | Read scan results, usage stats | Pro |
scan:write | Create and run scans | Pro |
scan:read:full | Read full scan data with raw metadata | Business |
domain:read | Read domain information | Pro |
domain:write | Create, update, delete domains | Pro |
monitoring:read | Read monitoring configuration | Pro |
monitoring:write | Update monitoring settings | Pro |
webhook:read | Read webhook configurations | Business |
webhook:write | Create, update, delete webhooks | Business |
compliance:read | Read compliance reports | Business |
history:read | Read historical scan data and trends | Business |
template:read | Read fix templates | Pro |
template:write | Submit community fix templates | Pro |
Using your key
HTTP header
Authorization: Bearer bsk_your_api_key_hereEnvironment variable
# .env or CI/CD secrets
BORINGSEC_API_KEY=bsk_your_api_key_hereClaude Code MCP
# Preferred local flow
npx -y @boringsec/claude-code login
// ~/.claude/config.json
"args": ["-y", "@boringsec/claude-code"]Manual API keys are still supported, but device authorization is safer and simpler for local editor setups.
Rate limits
100 requests/hour
For solo developers
1,000 requests/hour
For teams and CI/CD
5,000 requests/hour
For heavy automation
X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset. Pre-authentication and validation errors may not include these headers.Security best practices
- Never commit API keys to git. Use environment variables or a secrets manager.
- Use least-privilege scopes. Only grant the scopes your integration needs.
- Set expiration dates on keys you create for temporary use (CI/CD previews, testing).
- Rotate keys regularly. Revoke old keys from the API Keys page and create new ones.
- Monitor usage. Check the last-used timestamp on your keys to detect unauthorized access.
Ready to integrate?
Create your first API key in seconds and wire BoringSec into your pipeline.