
API keys (Growth+)

API keys authenticate requests to the CredWatch REST API. They're long-lived, account-scoped (not user-scoped), and revocable.

Generate a key

  1. Go to Profile → API keys.
  2. Click Generate new key.
  3. Optionally name the key (e.g. "CI runner", "SIEM importer") — names are visible to anyone in your account with the admin role.
  4. The key is shown once. Copy it immediately — we never display the full value again.

Key format: cw_sk_ followed by 48 hex characters (192 bits of entropy). Example: cw_sk_a3f8...c2b1 (you'll see the prefix in the key list but never the full value).

We store only the SHA-256 hash of the key. If you lose the value, generate a new one and revoke the old.
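The two facts above (the documented key format and hash-only storage) are enough to show what a verifier on the receiving side looks like. The following is an added Python example, not CredWatch's own code: it assumes nothing beyond the `cw_sk_` + 48-hex format and SHA-256 storage, and the local `generate_key` helper is only there to produce test values in the right shape.

```python
import hashlib
import hmac
import re
import secrets

# Format from the page: "cw_sk_" followed by 48 hex characters (24 bytes = 192 bits).
KEY_PREFIX = "cw_sk_"
KEY_PATTERN = re.compile(r"^cw_sk_[0-9a-f]{48}$")


def generate_key() -> str:
    """Produce a key in the documented format (local illustration, not the portal's generator)."""
    return KEY_PREFIX + secrets.token_hex(24)  # 24 random bytes -> 48 hex chars


def is_valid_key_format(key: str) -> bool:
    """Cheap syntactic check before spending a hash or a database lookup on the value."""
    return KEY_PATTERN.match(key) is not None


def key_hash(key: str) -> str:
    """What the server persists: SHA-256 of the key, never the key itself."""
    return hashlib.sha256(key.encode("ascii")).hexdigest()


def key_display_hint(key: str) -> str:
    """Truncated form like the page's cw_sk_a3f8...c2b1: prefix + 4 hex, then last 4 hex."""
    return key[:len(KEY_PREFIX) + 4] + "..." + key[-4:]


def verify_key(presented: str, stored_hash: str) -> bool:
    """Server-side check: hash the presented value and compare digests in constant time."""
    if not is_valid_key_format(presented):
        return False
    return hmac.compare_digest(key_hash(presented), stored_hash)
```

Because only the hash is stored, a leaked database row does not yield a usable key; the display hint is all that is ever shown again, so the client is the only place the full value exists.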

Use the key

Pass the key as a Bearer token in the Authorization header:

curl https://app.cred-watch.com/api/v1/findings \
  -H "Authorization: Bearer cw_sk_a3f8...c2b1"

See the API overview for endpoints, filters, pagination, and response shapes.

Rate limits

Plan         Requests per minute per key
Growth       60
Enterprise   300

Exceeding the limit returns HTTP 429 with a Retry-After header. Back off and retry — your key is not suspended.

Revoke a key

  1. Profile → API keys.
  2. Click Revoke next to the key.
  3. Confirm.

Revocation is immediate. The next request using that key returns HTTP 401.

You cannot un-revoke a key. Generate a new one.

Security model

  • Keys grant read access to all findings, scans, and metadata in your account.
  • Keys grant write access to suppress and resolve findings (POST /api/v1/findings/{id}/suppress and /resolve).
  • Keys cannot change account settings, billing, team membership, or integration credentials.
  • Keys are not MFA-protected — they're bearer tokens. Treat them like passwords.
  • API requests are not subject to CSRF — Bearer auth has no cookie attack vector.

Best practices

  • One key per consumer. Separate keys for "CI runner", "SIEM importer", "internal dashboard" so you can revoke one without breaking the others.
  • Rotate every 90 days. The portal shows when each key was created and last used.
  • Store in your secret manager. Never commit the key to git, never paste it into Slack.
  • Apply least privilege at the consumer. If your CI only needs to read findings, restrict what your CI code does to read-only calls, even though the key itself can also resolve and suppress findings.
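Putting the "Use the key" section, the 429/Retry-After rule and the read-only-at-the-consumer practice together: the following is an added Python client example, not code from CredWatch. It assumes the key is injected through an environment variable named `CREDWATCH_API_KEY` (a name chosen here, not one the page defines) and uses only the base URL and endpoints the page lists. The transport and sleep hooks are injectable so the retry logic can be exercised without network access.

```python
import json
import os
import time
import urllib.error
import urllib.request
from urllib.parse import urlencode

BASE_URL = "https://app.cred-watch.com/api/v1"  # from the page's curl example
ENV_VAR = "CREDWATCH_API_KEY"  # assumed variable name; populate it from your secret manager


class ApiError(Exception):
    def __init__(self, status: int, message: str):
        super().__init__(f"HTTP {status}: {message}")
        self.status = status


def load_api_key(env_var: str = ENV_VAR) -> str:
    """Read the key from the environment so it never sits in source control or chat history."""
    key = os.environ.get(env_var, "")
    if not key.startswith("cw_sk_"):
        raise RuntimeError(f"{env_var} is unset or does not hold a CredWatch key")
    return key


def urllib_transport(method, url, headers, body):
    """Real HTTP transport: returns (status, headers, body) without raising on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers.items()), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items()), err.read()


def _header(headers, name, default=None):
    """Case-insensitive header lookup (Retry-After may arrive in any casing)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return default


class CredWatchClient:
    """Bearer auth, Retry-After backoff on 429, hard stop on 401.

    read_only=True (the default here) refuses the suppress/resolve POSTs at the
    consumer even though the key itself is allowed to perform them.
    """

    def __init__(self, api_key, read_only=True, transport=urllib_transport,
                 sleep=time.sleep, max_retries=3):
        self._headers = {"Authorization": f"Bearer {api_key}", "Accept": "application/json"}
        self.read_only = read_only
        self._transport = transport
        self._sleep = sleep
        self._max_retries = max_retries

    def request(self, method, path, payload=None):
        if self.read_only and method != "GET":
            raise PermissionError(f"{method} {path} blocked: this client is read-only")
        body = json.dumps(payload).encode() if payload is not None else None
        headers = dict(self._headers)
        if body is not None:
            headers["Content-Type"] = "application/json"
        for attempt in range(self._max_retries + 1):
            status, resp_headers, resp_body = self._transport(method, BASE_URL + path, headers, body)
            if status == 429 and attempt < self._max_retries:
                # Page: 429 carries Retry-After and the key is not suspended, so wait and retry.
                try:
                    delay = float(_header(resp_headers, "Retry-After", "1"))
                except ValueError:
                    delay = 1.0  # Retry-After may be an HTTP-date; fall back to a short pause
                self._sleep(delay)
                continue
            if status == 401:
                raise ApiError(status, "key revoked or invalid; generate a new key")
            if status >= 400:
                raise ApiError(status, resp_body.decode(errors="replace")[:200])
            return json.loads(resp_body) if resp_body else None

    def list_findings(self, **filters):
        query = urlencode(filters)
        return self.request("GET", "/findings" + (f"?{query}" if query else ""))

    def suppress_finding(self, finding_id):
        return self.request("POST", f"/findings/{finding_id}/suppress")
```

A CI job would construct `CredWatchClient(load_api_key())` and get the read-only default; only a consumer that genuinely resolves findings passes `read_only=False`, which makes that decision visible in code review rather than implicit in the key's permissions.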

Auditing

Every key creation, key revocation, and successful API call referencing the key is logged. Admins can see this under Team → Audit log, filtered by api.*.

Related: API overview, Authentication, Rate limits & errors.