API Keys
API keys authenticate requests to the Orithos API. Keys carry the tsk_ prefix and are hashed with bcrypt before storage.
Key format & hashing
Keys are prefixed with tsk_ for easy identification. The raw key is displayed once at creation and never stored. The stored hash uses bcrypt with cost factor 12, making brute-force infeasible even if the database is compromised.
curl -X POST https://api.orithos.dev/v1/api-keys \
  -H "Authorization: Bearer {admin_key}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "ci-cd-pipeline",
    "role": "admin"
  }'
RBAC roles
VIEWER: Read-only access
ANALYST: Create scans, view results
ADMIN: Manage agents, keys, users
OWNER: Billing, org settings, delete
Creating & revoking keys
Keys are created via the dashboard or API. The raw secret is shown exactly once. Revoked keys are immediately invalidated. The last_used_at timestamp tracks key usage for auditing and cleanup of unused keys.
Expiration
Keys can be given an optional expiration date. Requests made with an expired key receive a 401 response, and the key is automatically revoked. The default maximum lifetime is 90 days for production keys and 365 days for development keys.
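The key lifecycle described in the hashing, creation/revocation and expiration sections above, as an added example that is not Orithos code: a tsk_-prefixed key is generated, only its hash is stored, and every check failure (bad prefix, unknown key, revoked, expired, wrong secret) is answered with 401, with last_used_at updated on success and expiry triggering automatic revocation. It assumes a short lookup id embedded after the prefix (so the stored hash can be found without a table scan), and uses PBKDF2 from the standard library as a stand-in for bcrypt cost 12 (production code would call bcrypt.hashpw(raw.encode(), bcrypt.gensalt(rounds=12))); the lifetime caps are the documented 90/365 days.

```python
import hashlib, os, secrets, time
from dataclasses import dataclass
from typing import Optional

PREFIX = "tsk_"
MAX_LIFETIME_DAYS = {"production": 90, "development": 365}   # documented defaults

def _hash(raw: str, salt: bytes) -> bytes:
    # Stand-in for bcrypt cost 12 so the example runs with the standard library only.
    return hashlib.pbkdf2_hmac("sha256", raw.encode(), salt, 100_000)

@dataclass
class KeyRecord:
    name: str
    role: str
    salt: bytes
    key_hash: bytes            # only the hash is stored, never the raw key
    expires_at: float          # unix seconds
    revoked: bool = False
    last_used_at: Optional[float] = None

class KeyStore:
    def __init__(self) -> None:
        self.records: dict = {}   # key id -> KeyRecord

    def create(self, name, role, env="production", lifetime_days=None, now=None):
        now = time.time() if now is None else now
        days = min(lifetime_days or MAX_LIFETIME_DAYS[env], MAX_LIFETIME_DAYS[env])
        key_id = secrets.token_hex(6)   # assumption: lookup id embedded after the prefix
        raw = f"{PREFIX}{key_id}_{secrets.token_urlsafe(32)}"
        salt = os.urandom(16)
        self.records[key_id] = KeyRecord(name, role, salt, _hash(raw, salt), now + days * 86400)
        return raw   # displayed exactly once; the caller must not persist it

    def revoke(self, key_id: str) -> None:
        self.records[key_id].revoked = True   # takes effect on the next request

    def authenticate(self, raw: str, now=None):
        # Returns (HTTP status, role); every failure is a bare 401 with no detail leaked.
        now = time.time() if now is None else now
        if not raw.startswith(PREFIX) or "_" not in raw[len(PREFIX):]:
            return 401, None
        rec = self.records.get(raw[len(PREFIX):].split("_", 1)[0])
        if rec is None or rec.revoked:
            return 401, None
        if now >= rec.expires_at:
            rec.revoked = True   # expired keys are automatically revoked
            return 401, None
        if not secrets.compare_digest(_hash(raw, rec.salt), rec.key_hash):
            return 401, None
        rec.last_used_at = now   # audit trail for finding and cleaning up unused keys
        return 200, rec.role
```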