
Authentication

AISafe API authentication uses Bearer tokens in the Authorization header.

API keys

API keys are the recommended authentication method for programmatic access. Each key has the prefix sk-ais- followed by a URL-safe random token.

Creating an API key

  1. Go to Settings → API Keys in the AISafe dashboard.
  2. Click Create API key.
  3. Enter a name for the key, optionally set an expiration, and select the scopes it should have.
  4. Copy the key at once. AISafe shows it only once at creation time.

Your organization may enforce an API-key lifecycle policy. If so, AISafe can require an expiration, cap the maximum lifetime, auto-fill an expiration when a maximum lifetime is configured, warn the key owner and admins before expiry, and revoke keys that have been inactive beyond the configured window.

Using an API key

Pass the key in the Authorization header. With curl:

```bash
curl https://api.aisafe.io/api/v1/assessments \
  -H "Authorization: Bearer $AISAFE_API_KEY"
```

Or from Python with requests:

```python
import os
import requests

# Read the key from the environment rather than hard-coding it in source.
headers = {"Authorization": f"Bearer {os.environ['AISAFE_API_KEY']}"}
response = requests.get("https://api.aisafe.io/api/v1/assessments", headers=headers)
response.raise_for_status()  # 401: invalid or revoked key; 403: missing scope
```

Scopes

Each API key carries an explicit scope list. Scopes follow a category:action pattern (e.g. assessments:create, findings:read, webhooks:read). A key missing the required scope for an endpoint returns 403 with a message naming the missing scope.

Select only the scopes your integration needs when creating a key. This follows the principle of least privilege. You can create multiple keys with different scopes for different integrations.

Scope catalogue

Organization & membership

| Scope | Description |
| --- | --- |
| org:read | View organization profile, settings, and metadata |
| org:update | Change organization name, image, and settings |
| org:delete | Permanent deletion of the organization (owner-only) |
| org:transfer_ownership | Transfer the owner role to another member (owner-only) |
| audit:read | View organization audit-log events and action metadata |
| audit:export | Download organization audit-log events |
| governance:read | View retention, SLA, and erasure-request settings |
| governance:manage | Update retention and remediation SLA policies |
| governance:erase | File, cancel, or retry GDPR erasure requests |
| profile:read | View your own profile and notification preferences |
| profile:update | Update your own profile and notification preferences |
| billing:read | View credit balance, invoices, and usage |
| billing:manage | Add credits, change plan, update payment methods |
| members:read | List organization members |
| members:invite | Create invite links and send email invites |
| members:remove | Revoke a member's access to the organization |
| members:change_role | Promote or demote member roles |
| teams:read | List teams and team memberships |
| teams:create | Create a new team |
| teams:update | Edit team metadata |
| teams:delete | Delete a team |
| teams:manage_members | Add or remove members from a team |

Integrations & source

| Scope | Description |
| --- | --- |
| integrations:read | View connected GitHub, GitLab, Bitbucket, Slack, and Teams integrations |
| integrations:manage | Connect or disconnect integrations |
| integrations:bind_team | Route integrations to a specific team |
| issue_exports:read | View configured issue export targets and their status |
| issue_exports:configure | Create, update, or revoke issue export targets (GitHub, Jira, Linear) |
| notification_targets:read | View configured notification targets and delivery status |
| notification_targets:configure | Create, update, or revoke notification targets |
| notification_targets:test | Send test messages to notification targets |
| source:connect_personal | Connect a personal GitHub account |
| source:upload_zip | Upload zipped source for an assessment |
| source:read_artifacts | Read extracted files from uploaded source |
| source:download_archive | Download the original source archive |

Projects

| Scope | Description |
| --- | --- |
| projects:read | View projects and their attached assessments |
| projects:create | Create new projects |
| projects:update | Edit project metadata, archive/unarchive |
| projects:delete | Permanent deletion of a project |
| projects:manage_source | Attach or update a project's source repository or archive |

Assessments

| Scope | Description |
| --- | --- |
| assessments:read | View assessments, drafts, traffic, files |
| assessments:create | Launch new assessments |
| assessments:update | Edit draft metadata, settings, notes |
| assessments:cancel | Cancel a running assessment |
| assessments:emergency_stop | Emergency-stop an assessment |
| assessments:archive | Soft-archive completed assessments |
| assessments:delete | Permanent deletion of an assessment and its findings |
| assessments:manage_access | Add or remove users/teams from an assessment |

Findings

| Scope | Description |
| --- | --- |
| findings:read | View security findings |
| findings:triage | Confirm, dismiss, or reassign findings |
| findings:edit_severity | Override a finding's severity rating |
| findings:accept_risk | Accept a finding as a known risk |
| findings:suppress | Permanent suppression of a finding |
| findings:export_issue | Export a finding to an external issue tracker (GitHub, Jira, Linear) |
| findings:export | Download findings as SARIF, JSON, or CSV |

Reports

| Scope | Description |
| --- | --- |
| reports:read | View generated reports |
| reports:generate | Build a new report from an assessment |
| reports:publish | Publish a report to a shareable URL |
| reports:share | Grant external access to a report |
| reports:revoke_share | Revoke external access to a report |
| reports:download | Download a PDF report |

API keys

| Scope | Description |
| --- | --- |
| api_keys:read | List API keys you own |
| api_keys:create | Mint new API keys |
| api_keys:revoke | Revoke API keys |
| api_keys:rotate | Rotate a key (reserved for future use) |

Webhooks

| Scope | Description |
| --- | --- |
| webhooks:read | View webhook subscriptions and delivery logs |
| webhooks:create | Create webhook subscriptions |
| webhooks:update | Edit webhook subscriptions, test delivery, rotate secrets |
| webhooks:delete | Delete webhook subscriptions |

Role-based scope bundles

When creating an API key, the requested scopes must be a subset of the creator's role bundle:

| Role | Scope bundle |
| --- | --- |
| Owner | All scopes (implicit wildcard). The only role allowed to mint wildcard keys (category:* or *). |
| Admin | Everything except org:delete and org:transfer_ownership. |
| Manager | Read access to org, own profile, members, teams, integrations, issue exports, notification targets, and source artifacts. Full project, assessment, finding, and report scopes (minus assessments:delete, findings:suppress). Can create and revoke API keys. No webhook or billing access. |
| Member | Read access to org, own profile, members, teams, integrations, issue exports, projects, assessments, findings, reports, and API keys. Plus profile updates, findings:triage, and api_keys:revoke. |

Wildcard scopes

Wildcard scopes (*, assessments:*, etc.) are available to owner-created keys only. Keys created by non-owners must list explicit scopes. Wildcards expand to the concrete scope set before the key is stored.
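The key-creation and per-request rules above (scope subset of the creator's bundle, owner-only wildcards that expand before storage, 403 naming the missing scope) as an added, constructed model; this is not AISafe's own code, and the catalogue and role bundles are trimmed to three categories.

```python
# Constructed model of this page's scope rules (not AISafe's own code); the
# catalogue and role bundles are trimmed to three categories for brevity.
CATALOGUE = {
    "assessments": {"read", "create", "update", "cancel", "emergency_stop",
                    "archive", "delete", "manage_access"},
    "findings": {"read", "triage", "edit_severity", "accept_risk", "suppress",
                 "export_issue", "export"},
    "webhooks": {"read", "create", "update", "delete"},
}
ALL_SCOPES = {f"{cat}:{act}" for cat, acts in CATALOGUE.items() for act in acts}
# Owner: all; Manager: no assessments:delete, findings:suppress, webhooks; Member: reads + triage.
ROLE_BUNDLES = {
    "owner": set(ALL_SCOPES),
    "manager": {s for s in ALL_SCOPES if not s.startswith("webhooks:")}
               - {"assessments:delete", "findings:suppress"},
    "member": {"assessments:read", "findings:read", "findings:triage"},
}

def expand(scope: str) -> set[str]:
    """Expand '*' or 'category:*' to concrete scopes; reject anything not in the catalogue."""
    if scope == "*":
        return set(ALL_SCOPES)
    category, _, action = scope.partition(":")
    if action == "*" and category in CATALOGUE:
        return {f"{category}:{act}" for act in CATALOGUE[category]}
    if scope not in ALL_SCOPES:
        raise ValueError(f"unknown scope: {scope}")
    return {scope}

def mint_scopes(creator_role: str, requested: list[str]) -> tuple[set[str], str]:
    """Key-creation rules: wildcards are owner-only and expand before storage, and the
    concrete set must be a subset of the creator's bundle. Returns (stored, error)."""
    granted: set[str] = set()
    for scope in requested:
        if "*" in scope and creator_role != "owner":
            return set(), f"wildcard scope {scope} requires the owner role"
        try:
            granted |= expand(scope)
        except ValueError as exc:
            return set(), str(exc)
    excess = granted - ROLE_BUNDLES[creator_role]
    if excess:
        return set(), f"scopes outside the {creator_role} bundle: {sorted(excess)}"
    return granted, ""

def authorize(key_scopes: set[str], required: str) -> tuple[int, str]:
    """Per-request check: 200 when the stored key holds the scope, else 403 naming it."""
    if required in key_scopes:
        return 200, "ok"
    return 403, f"missing required scope: {required}"
```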

Rotating and revoking keys

  • Rotate: create a new key, update your integration to use it, then revoke the old key.
  • Revoke: delete the key from Settings → API Keys. Revocation is immediate; any request using the revoked key returns 401.

Session JWT

For browser-based access (the AISafe dashboard), authentication uses session JWTs from the login and OAuth flows. JWTs are carried in an httpOnly cookie and have a default lifetime of 48 hours. Programmatic clients can use JWTs in the Authorization header, but API keys are recommended for automation.

Two-factor authentication (2FA)

If your account has TOTP-based 2FA enabled, password login returns a partial token that you must exchange for a full session via the 2FA login endpoint. API keys bypass 2FA and authenticate with the key alone.

OAuth providers

AISafe supports GitHub and Google OAuth for account login and signup. These flows create session JWTs. For programmatic access, use API keys.