
API Keys

API keys are how anything outside the SecureCodingHub admin UI talks to the public REST and webhook surface. The admin page issues keys, lists active and revoked keys, and revokes individual keys. Full reference for what each key can actually do lives in API → Authentication & Scopes.

Where this lives

Sidebar → API Keys under the Integrations section, at /organization/api-keys.

Creating a key

Click + Create new key. The dialog asks for:

  • Name — short label that appears in the key list and in audit log entries. Use something descriptive ("CI/CD GitHub Actions", "BI Looker sync", "Jira ticketing").
  • Scopes — fine-grained permissions, grouped by resource. The 16 scopes are documented in API → Authentication & Scopes. Pick only what the integration needs.
  • Expiry (optional) — date after which the key stops working. Useful for proofs of concept and vendor evaluations. Leave blank for keys that should stay valid until manually revoked.

On submit the dialog displays the full token (scs_live_…) once. Copy it to your secrets manager immediately. After you close the dialog only the prefix and last four characters remain visible — the server stores only the SHA-256 hash, so even SecureCodingHub support cannot retrieve the full token afterwards.

Listing and inspecting keys

The list view shows every active and revoked key for your organization. Columns:

  • Name: the label you gave the key at creation.
  • Prefix … Last4: the first 13 and last 4 characters of the token. Enough to recognise a key without recovering it.
  • Scopes: the fine-grained permissions on the key. Hover for the full list when there are many.
  • Created by / on: the admin who issued the key and when.
  • Last used: timestamp of the most recent successful API call against this key. Blank for keys that have never been used.
  • Status: Active, Expired, or Revoked.

Revoking a key

Click Revoke on a key row. Revocation is immediate — in-flight requests using the key start receiving 401 unauthorized within seconds. There is no "pause" state and no way to un-revoke; revocation is permanent. The audit log captures the action as apikey.revoked with the actor identity.

If a key has leaked, revoke it. If you need to rotate a key without downtime, create the replacement first, deploy the new token, and revoke the old one only after the new key shows a Last used timestamp, i.e. it has completed at least one successful call.
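The storage and lifecycle model described above (token shown once, only its SHA-256 hash kept, prefix and last four characters for display, expiry, permanent revocation, and the create-then-revoke rotation order) is easier to reason about in code. The following is an added, self-contained illustration written for this guide; it is not SecureCodingHub's implementation. The scope names (findings:read, findings:write), the 403 for a valid key lacking a scope, and the hypothetical demo() walkthrough are assumptions for the example only.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

TOKEN_PREFIX = "scs_live_"      # token prefix as shown in the guide
PREFIX_LEN, LAST_LEN = 13, 4    # the list view shows the first 13 and last 4 characters


@dataclass
class StoredKey:
    name: str
    token_hash: str                 # hex SHA-256 of the full token; the token itself is never stored
    prefix: str
    last4: str
    scopes: FrozenSet[str]
    expires_at: Optional[datetime]  # None means valid until revoked
    revoked: bool = False
    last_used: Optional[datetime] = None

    def display(self) -> str:
        """What the key list shows: enough to recognise the key, not enough to use it."""
        return f"{self.prefix}…{self.last4}"

    def status(self, now: datetime) -> str:
        if self.revoked:
            return "Revoked"
        if self.expires_at is not None and now >= self.expires_at:
            return "Expired"
        return "Active"


def hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class ApiKeyStore:
    def __init__(self) -> None:
        self._by_hash: Dict[str, StoredKey] = {}

    def create(self, name: str, scopes: Iterable[str],
               expires_at: Optional[datetime] = None) -> Tuple[str, StoredKey]:
        """Issue a key. The full token is returned exactly once; only its hash is retained."""
        token = TOKEN_PREFIX + secrets.token_urlsafe(32)
        record = StoredKey(name=name, token_hash=hash_token(token),
                           prefix=token[:PREFIX_LEN], last4=token[-LAST_LEN:],
                           scopes=frozenset(scopes), expires_at=expires_at)
        self._by_hash[record.token_hash] = record
        return token, record

    def revoke(self, record: StoredKey) -> None:
        record.revoked = True   # permanent: there is no un-revoke and no pause state

    def authenticate(self, token: str, required_scope: str,
                     now: Optional[datetime] = None) -> Tuple[int, str]:
        """Return (HTTP status, reason). Unknown, revoked and expired tokens all map to 401;
        a valid key lacking the scope maps to 403 (assumed; the guide does not state the code)."""
        now = now or datetime.now(timezone.utc)
        record = self._by_hash.get(hash_token(token))   # lookup by hash, never by token
        if record is None or record.revoked:
            return 401, "unauthorized"
        if record.expires_at is not None and now >= record.expires_at:
            return 401, "unauthorized"
        if required_scope not in record.scopes:
            return 403, "insufficient_scope"
        record.last_used = now
        return 200, "ok"


def demo() -> Dict[str, object]:
    """Hypothetical walkthrough: issue, use, rotate in the recommended order, revoke."""
    store = ApiKeyStore()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    old_token, old = store.create("CI/CD GitHub Actions", ["findings:read"],
                                  expires_at=t0 + timedelta(days=30))
    out: Dict[str, object] = {}
    out["redacted"] = old.display() == old_token[:PREFIX_LEN] + "…" + old_token[-LAST_LEN:]
    out["hash_only"] = old_token not in (old.token_hash, old.prefix, old.last4)
    out["first_call"] = store.authenticate(old_token, "findings:read", t0)
    out["wrong_scope"] = store.authenticate(old_token, "findings:write", t0)
    out["bad_token"] = store.authenticate(old_token + "x", "findings:read", t0)
    out["after_expiry"] = store.authenticate(old_token, "findings:read", t0 + timedelta(days=31))
    # Zero-downtime rotation: create the replacement, deploy it, confirm Last used, then revoke.
    new_token, new = store.create("CI/CD GitHub Actions (rotated)", ["findings:read"])
    store.authenticate(new_token, "findings:read", t0 + timedelta(hours=1))
    out["new_key_used"] = new.last_used is not None
    if new.last_used is not None:
        store.revoke(old)
    out["old_after_revoke"] = store.authenticate(old_token, "findings:read", t0)
    out["old_status"] = old.status(t0)
    out["new_status"] = new.status(t0 + timedelta(hours=1))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because only the hash is stored, a database dump does not yield usable tokens, and a presented token is checked by recomputing its hash rather than comparing secrets; the prefix and last4 fields exist purely so an admin can match a key in the list to the one in a secrets manager.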

Rate limits per key

Every key is governed by two sliding windows: 60 requests per minute and 1,000 requests per hour. Requests beyond either window return 429 rate_limited with a Retry-After header. The limits are per-key, so issuing one key per integration is also a way to prevent one noisy automation from starving another. Full retry guidance at API → Rate Limits.
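To show how two sliding windows interact and where the Retry-After value comes from, here is an added per-key limiter written for this guide (not SecureCodingHub's code). It assumes a sliding log of request timestamps, that rejected requests do not count against the windows, and that Retry-After is the time until the oldest request in the saturated window ages out; the key ids and timestamps in the check are constructed.

```python
import math
import time
from collections import deque
from typing import Deque, Dict, Optional, Tuple

# (window length in seconds, maximum requests in that window), per key, as stated in the guide
LIMITS: Tuple[Tuple[int, int], ...] = ((60, 60), (3600, 1000))


class PerKeyLimiter:
    def __init__(self, limits: Tuple[Tuple[int, int], ...] = LIMITS) -> None:
        self.limits = limits
        self._longest = max(window for window, _ in limits)
        self._log: Dict[str, Deque[float]] = {}   # key id -> ascending request timestamps

    def check(self, key_id: str, now: Optional[float] = None) -> Dict[str, object]:
        """Admit or reject one request for key_id at time `now` (seconds).

        Returns {"status": 200} or {"status": 429, "error": "rate_limited", "retry_after": n}
        where retry_after is the whole number of seconds after which a retry can succeed."""
        if now is None:
            now = time.monotonic()
        log = self._log.setdefault(key_id, deque())
        # Forget anything older than the longest window; nothing can count it any more.
        while log and now - log[0] >= self._longest:
            log.popleft()

        retry_after = 0
        for window, limit in self.limits:
            in_window = [t for t in log if now - t < window]
            if len(in_window) >= limit:
                # The window frees a slot when its oldest request leaves it.
                wait = in_window[0] + window - now
                retry_after = max(retry_after, math.ceil(wait))

        if retry_after > 0:
            # Rejected requests are not recorded, so a client retrying early does not push
            # its own Retry-After further out.
            return {"status": 429, "error": "rate_limited", "retry_after": retry_after}
        log.append(now)
        return {"status": 200}


def burst_then_wait() -> Dict[str, object]:
    """Constructed scenario: 60 requests in 30 s hit the per-minute window; 1,000 requests
    spread over an hour hit the hourly window even though no minute is ever saturated."""
    limiter = PerKeyLimiter()
    out: Dict[str, object] = {}
    minute_results = [limiter.check("key-ci", i * 0.5)["status"] for i in range(60)]
    out["burst_all_ok"] = all(s == 200 for s in minute_results)
    out["61st_at_30s"] = limiter.check("key-ci", 30.0)          # oldest leaves at t=60 -> wait 30
    out["at_60s"] = limiter.check("key-ci", 60.0)["status"]     # t=0 request has aged out
    # A second key is independent: its hour window fills at a steady 3.6 s spacing.
    hour_results = [limiter.check("key-bi", 1000.0 + i * 3.6)["status"] for i in range(1000)]
    out["steady_all_ok"] = all(s == 200 for s in hour_results)
    out["1001st_at_4599s"] = limiter.check("key-bi", 4599.0)    # first request leaves at t=4600
    out["other_key_unaffected"] = limiter.check("key-ci", 4599.0)["status"]
    return out


if __name__ == "__main__":
    for k, v in burst_then_wait().items():
        print(f"{k}: {v}")
```

The per-key state is what makes the "one key per integration" advice work: in the scenario above, key-bi exhausting its hourly budget has no effect on key-ci, and a client that honours Retry-After instead of hammering the endpoint gets through on the first retry.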