API keys
Use API keys when you need to authenticate HTTP requests to Guardix without an interactive browser session — for example from a script, CI job, or local tooling.
Where to manage keys
- Sign in to the Guardix app (for example on guardix.dev or guardix.io).
- Open your user menu (top right).
- Choose API keys, or go directly to /settings/api-keys on that host (e.g. https://guardix.dev/settings/api-keys for the test environment, https://guardix.io/settings/api-keys for production).
On the API keys screen you can name a key, choose expiration (30 days, 90 days, or never), and create it. Use Active keys to see previews and revoke keys you no longer need.
What an API key represents
Each key acts as you: it inherits your repository access, team membership, and GitHub App installations, the same way a normal signed-in session would. Guardix does not issue separate “scoped” keys per repository in the UI — treat keys like a password for your account.
The full secret is shown only once when you create a key. Copy it immediately into a secret manager or CI variable; you cannot reveal it again from the dashboard.
Expiration
When you create a key, you can choose an expiration of 30 days, 90 days, or never. Revoke keys you no longer use from the Active keys list.
Authenticating requests
Send the key in the Authorization header as a Bearer token:
    Authorization: Bearer <your_guardix_api_key>
Every authenticated route under the same /api/v1/... surface that the web app uses accepts this header when the token is a valid API key.
Example: list teams
Replace the host with the Guardix deployment you use (guardix.io, guardix.dev, or your custom domain):
    curl -sS \
      -H "Authorization: Bearer YOUR_KEY_HERE" \
      "https://guardix.io/api/v1/teams"
A successful response depends on your account and teams; the important part is that 401 means the key is missing, invalid, or revoked.
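A CI-side key check built on the request above, added here as an example and not taken from Guardix's own tooling: it reads the key from an environment variable, hands it to curl through a config on stdin so the secret never appears in the process list, and maps the status code to a verdict. The variable names GUARDIX_API_KEY and GUARDIX_HOST and the script name are assumptions, as is the key using only RFC 6750 b64token characters.

```shell
#!/usr/bin/env bash
# Added example, not Guardix's own tooling. Assumed names: GUARDIX_API_KEY and
# GUARDIX_HOST are environment variables chosen for this sketch.

# Map the HTTP status of GET /api/v1/teams to a verdict. Per the page, 401
# means the key is missing, invalid, or revoked.
guardix_classify_status() {
  case "$1" in
    2??) echo "ok" ;;
    401) echo "key-missing-invalid-or-revoked" ;;
    000) echo "no-response" ;;
    *)   echo "unexpected-$1" ;;
  esac
}

# Emit a curl config line carrying the Authorization header. Piped into
# `curl --config -`, the secret stays out of argv and the process list.
guardix_curl_config() {
  # Assumption: keys use only RFC 6750 b64token characters. Anything else
  # (quotes, whitespace, newlines) could break out of the quoted value.
  case "${GUARDIX_API_KEY:-}" in
    ""|*[!A-Za-z0-9._~+/=-]*) return 1 ;;
  esac
  printf 'header = "Authorization: Bearer %s"\n' "$GUARDIX_API_KEY"
}

# Probe the key; print a verdict and return non-zero unless it is "ok".
guardix_check_key() {
  local cfg status verdict
  cfg=$(guardix_curl_config) || { echo "key-not-set-or-malformed"; return 2; }
  # printf is a shell builtin, so the key is not passed to an external argv.
  status=$(printf '%s\n' "$cfg" | curl -sS -o /dev/null -w '%{http_code}' \
    --max-time 15 --config - \
    "https://${GUARDIX_HOST:-guardix.io}/api/v1/teams") || status=000
  verdict=$(guardix_classify_status "$status")
  echo "$verdict"
  [ "$verdict" = "ok" ]
}

# Run as `./check-guardix-key.sh check` from a CI step that injects the secret.
if [ "${1:-}" = "check" ]; then
  guardix_check_key
fi
```

Running this before the real job makes a revoked or expired key fail the pipeline with a clear verdict and without echoing the secret.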
Managing keys via the API
Session-authenticated clients (browser or cookie-based tools) use the same API prefix:
| Method | Path | Purpose |
|---|---|---|
| GET | /api/v1/api-keys | List your keys (metadata only; no full secret) |
| POST | /api/v1/api-keys | Create a key (returns the secret once in the response body) |
| DELETE | /api/v1/api-keys/{id} | Revoke a key |
Creating and revoking keys requires a normal signed-in session (not an API key alone), so you typically create keys in the API keys UI or via a browser session.
Security practices
- Do not commit keys to git or paste them into public tickets.
- Rotate by creating a new key, updating your integrations, then revoking the old key.
- Revoke immediately if a key may have leaked.
Related
- Quick start — first-time setup in the browser
- Authentication — GitHub and Google sign-in