API Keys

API keys provide programmatic access to the platform without requiring a browser session. Each API key authenticates as your user account and inherits your role, plan limits, and permissions.

Overview

  • API keys start with the prefix pst_ — this makes them easy to identify in your scripts and CI/CD configurations.
  • Each key has a name (a label you choose) and an expiration date.
  • The full key is shown only once at creation time. It cannot be retrieved later.
  • Deleted keys are immediately revoked and cannot be restored.

Treat API keys like passwords

Anyone with your API key has the same access as your account. Never commit keys to version control, share them in chat, or include them in client-side code.

Availability

API key access depends on your subscription plan. If API keys are not included in your plan, the Settings page will display a message indicating that the feature requires a plan upgrade.

When the feature is enabled, your plan defines how many active keys you may hold at once. The current count is shown next to the section heading.

Creating an API Key

  1. Navigate to Settings.
  2. In the API Keys section, click New Key.
  3. Fill in the form:

    Field        Description
    Key Name     A descriptive label (e.g. "CI/CD Pipeline", "Staging Tests")
    Expires In   Choose 30, 60, 90, 180, or 365 days
  4. Click Create Key.

A dialog appears containing your new API key. This is the only time the full key will be displayed.

Copy immediately

Click the Copy button to copy the key to your clipboard, then store it in a secure location such as a secrets manager or encrypted vault.

Using an API Key

Pass the API key as a Bearer token in the Authorization header of your HTTP requests, exactly as you would with a JWT:

curl -H "Authorization: Bearer pst_your_api_key_here" \
     https://saaspentest.io/app/api/scans

The platform detects the pst_ prefix and authenticates with your API key instead of a JWT. All endpoints that accept a JWT also accept an API key.

Example: List Your Domains

curl -H "Authorization: Bearer pst_abc123..." \
     https://saaspentest.io/app/api/domains

Example: Create a Scan

curl -X POST \
     -H "Authorization: Bearer pst_abc123..." \
     -H "Content-Type: application/json" \
     -d '{"domain_id": 1, "target_url": "https://example.com", "max_pages": 50, "max_depth": 3}' \
     https://saaspentest.io/app/api/scans

Example: Get Scan Results

curl -H "Authorization: Bearer pst_abc123..." \
     https://saaspentest.io/app/api/scans/42

Same limits apply

API key requests count against the same daily/weekly scan limits, domain limits, and module restrictions as your regular browser session.
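The curl calls above can be wrapped in a small client that reads the key from the environment instead of a config file, validates the pst_ prefix, sends it as a Bearer token, and maps a 401 or 403 to the advice in the Troubleshooting table. This is an added example written for this page, not the platform's own SDK; the environment variable name PST_API_KEY, the assumed key alphabet (letters, digits, underscore, hyphen), the use of urllib, and the injectable opener used to exercise it offline are assumptions not taken from the docs. The base URL and the /scans and /domains paths are the ones shown above.

```python
"""Minimal client for the platform's API-key authentication.

Added example, not the platform's own code. Assumptions not stated in the docs:
the PST_API_KEY variable name, the key alphabet, and the use of urllib.
"""
import json
import os
import re
import urllib.error
import urllib.request
from typing import Mapping, Optional

BASE_URL = "https://saaspentest.io/app/api"
KEY_PATTERN = re.compile(r"^pst_[A-Za-z0-9_-]+$")  # assumed key alphabet

# Troubleshooting advice from the docs, keyed by HTTP status.
STATUS_HINTS = {
    401: "Check the key is correct, active, and not expired, and that the "
         "'Authorization: Bearer pst_...' header is present.",
    403: "Your plan may not include API key access, or you have hit a plan limit.",
}


def load_key(env: Mapping[str, str] = os.environ, name: str = "PST_API_KEY") -> str:
    """Read the key from the environment, never from source or config files."""
    key = env.get(name, "").strip()
    if not KEY_PATTERN.match(key):
        raise ValueError(f"{name} is missing or does not look like a pst_ API key")
    return key


def auth_headers(key: str) -> dict:
    """Build the header the platform expects: the key as a Bearer token."""
    return {"Authorization": f"Bearer {key}", "Accept": "application/json"}


def redact(key: str) -> str:
    """Display form matching the Settings page 'Prefix' column: first 12 characters."""
    return key[:12] + "..."


def explain_status(status: int) -> str:
    """Map an error status to the docs' troubleshooting advice."""
    return STATUS_HINTS.get(status, f"Unexpected HTTP {status}")


def api_request(key: str, path: str, body: Optional[dict] = None,
                opener=urllib.request.urlopen):
    """GET (or POST when body is given) an endpoint; returns (status, parsed JSON).

    `opener` is injectable so the function can be exercised without network access.
    """
    headers = auth_headers(key)
    data = None
    if body is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(body).encode()
    req = urllib.request.Request(BASE_URL + path, data=data, headers=headers,
                                 method="POST" if body is not None else "GET")
    try:
        with opener(req) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        # Report the redacted key only; the full secret never reaches logs.
        print(f"request with key {redact(key)} failed: {explain_status(err.code)}")
        return err.code, None


if __name__ == "__main__":
    api_key = load_key()
    print(api_request(api_key, "/domains"))
    print(api_request(api_key, "/scans", body={"domain_id": 1,
                                                "target_url": "https://example.com",
                                                "max_pages": 50, "max_depth": 3}))
```

Run it with `PST_API_KEY=pst_... python client.py`; the key is read once from the process environment, and any failure message shows only the same 12-character prefix the Settings page uses, so a captured log line cannot be replayed as a credential.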

Viewing Your Keys

The API Keys section on the Settings page lists all your active keys. For each key you can see:

Column    Description
Name      The label you assigned at creation
Prefix    The first 12 characters of the key (e.g. pst_abc12345...)
Created   When the key was created
Expires   When the key will stop working
Status    Active or Expired

Expired keys remain in the list with an Expired badge. They no longer authenticate requests.

Deleting an API Key

  1. Click the trash icon next to the key.
  2. Confirm the deletion.

The key is immediately deactivated. Any requests using that key will receive a 401 Unauthorized response.

Warning

Deletion is permanent. If you need API access again, create a new key.

Best Practices

  • Use descriptive names — label keys by their purpose so you can identify which one to revoke if compromised.
  • Set the shortest practical expiration — prefer 30 or 90 days over 365. You can always create a new key when one expires.
  • Rotate regularly — delete old keys and create new ones on a schedule.
  • One key per integration — if you use API keys in multiple systems (CI, monitoring, scripts), create separate keys for each. This way you can revoke one without disrupting the others.
  • Store securely — use your platform's secrets manager (e.g. GitHub Secrets, AWS Secrets Manager, HashiCorp Vault) rather than plain-text config files.
  • Never log keys — ensure your application does not write API keys to log files or error reports.

Troubleshooting

Problem                        Solution
401 Unauthorized               Check the key is correct, active, and not expired. Ensure the Authorization: Bearer pst_... header is present.
403 Forbidden                  Your plan may not include API key access, or you have hit a plan limit.
Key not shown after creation   The key is displayed only once. If you missed it, delete the key and create a new one.
Reached key limit              Delete an unused or expired key to free up a slot, or upgrade your plan.