Authentication

The A11yRisk API uses API keys for CI/CD access. Keys are created in the dashboard and passed in an HTTP header on every request.

Key format

All API keys begin with ar_live_ followed by a random string. A key is shown in full only once — at creation time. If you lose it, revoke it and create a new one.

How to authenticate

Pass the key in the X-API-Key header on every request. Do not pass it as a query parameter or in the request body.

curl https://api.a11yrisk.eu/v1/ci/scans/SCAN_ID \
  -H "X-API-Key: ar_live_YOUR_KEY"

Creating a key

  1. Sign in to the dashboard and go to Settings → API Keys.
  2. Click Create key, give it a descriptive name (e.g. GitHub Actions — staging), and optionally set an expiry date.
  3. Copy the full key immediately — it is shown only once and cannot be retrieved again.
  4. Add it as a secret in your CI environment (e.g. GitHub Actions Secrets).

Storing keys securely

Key rotation

To rotate a key without downtime:

  1. Create a new key in the dashboard.
  2. Update your CI secret to use the new key.
  3. Verify the new key works in a test run.
  4. Revoke the old key.

Error responses

Status  Meaning
401     Missing, malformed, or revoked key.
403     Account blocked. Contact support.
429     Rate limit exceeded. Retry after the Retry-After header value (seconds).
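
One way a CI job could apply the header rule and the status codes above, as an added example that is not A11yRisk's own code. The function names, the A11YRISK_API_KEY secret name, the 30-second fallback and the 300-second cap are assumptions.

```shell
# Added example, not A11yRisk's own code. A11YRISK_API_KEY is an assumed
# CI secret name; endpoint, header and status codes are the ones on this page.

# Reject values that lack the documented ar_live_ prefix before sending them.
key_looks_valid() {
  case "$1" in
    ar_live_?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Map a status code plus response headers to an action for the CI job.
# Prints: ok | retry <seconds> | fail-key | fail-blocked | fail-other
next_action() {
  status=$1 headers=$2
  case "$status" in
    2??) echo ok ;;
    401) echo fail-key ;;
    403) echo fail-blocked ;;
    429)
      # Header names are case-insensitive; drop the CR of HTTP line endings.
      secs=$(printf '%s\n' "$headers" | tr -d '\r' |
        awk -F': *' 'tolower($1) == "retry-after" { print $2; exit }')
      case "$secs" in
        ''|*[!0-9]*) secs=30 ;;   # assumed fallback: absent or not a number
        ??????*) secs=300 ;;      # six or more digits: go straight to the cap
      esac
      # Assumed cap so a broken or oversized value cannot stall the job.
      if [ "$secs" -gt 300 ]; then secs=300; fi
      echo "retry $secs" ;;
    *) echo fail-other ;;
  esac
}

# One authenticated GET for a scan id. The header is fed to curl on stdin
# (-H @-), so the key is not part of curl's argv in the process list.
scan_status() {
  key_looks_valid "${A11YRISK_API_KEY:-}" || { echo "bad key format" >&2; return 2; }
  hdrs=$(mktemp) || return 2
  status=$(printf 'X-API-Key: %s\n' "$A11YRISK_API_KEY" |
    curl -sS -o /dev/null -D "$hdrs" -w '%{http_code}' -H @- \
      "https://api.a11yrisk.eu/v1/ci/scans/$1")
  next_action "$status" "$(cat "$hdrs")"
  rm -f "$hdrs"
}
```

A fail-key result is the point at which to check whether the key was revoked or has expired and, if so, to follow the rotation steps above.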