API Authentication

SecureObs has two authentication paths:

  • dashboard users authenticate with Microsoft Entra ID bearer tokens;
  • CI pipelines authenticate with SecureObs API keys.

API Keys

Pipeline requests send:

X-Api-Key: <raw-api-key>

The raw API key is shown once in the dashboard. SecureObs stores only a SHA-256 hash.

Key Scope

Scope            Behavior
Tenant-scoped    Can ingest for projects in the tenant
Project-scoped   Can ingest only for the selected project

Prefer project-scoped keys for CI.

Rotation

  1. Create a new API key in SecureObs.
  2. Update the CI secret.
  3. Re-run the pipeline.
  4. Revoke the old key.

Revocation is effective on the next request.
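
The hash-only storage, key scope and rotation rules above, modelled as an added example (not SecureObs code). `KeyStore`, `KeyRecord`, `rotate`, the key format and the tenant/project identifiers are hypothetical.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class KeyRecord:
    tenant_id: str
    project_id: Optional[str]  # None = tenant-scoped; set = project-scoped
    revoked: bool = False


class KeyStore:
    """Hypothetical server-side store: keeps SHA-256 digests, never raw keys."""

    def __init__(self):
        self._records = {}  # hex digest -> KeyRecord

    @staticmethod
    def _digest(raw_key):
        # A plain fast hash is acceptable here only because the key is
        # high-entropy random data, unlike a human-chosen password.
        return hashlib.sha256(raw_key.encode()).hexdigest()

    def issue(self, tenant_id, project_id=None):
        raw_key = secrets.token_urlsafe(32)  # assumed key format: 32 random bytes
        self._records[self._digest(raw_key)] = KeyRecord(tenant_id, project_id)
        return raw_key  # returned once; only the digest is retained

    def revoke(self, raw_key):
        self._records[self._digest(raw_key)].revoked = True

    def authorize_ingest(self, raw_key, tenant_id, project_id):
        # Looked up on every request, so a revocation applies to the next one.
        record = self._records.get(self._digest(raw_key))
        if record is None or record.revoked or record.tenant_id != tenant_id:
            return False
        return record.project_id is None or record.project_id == project_id


def rotate(store, old_key, tenant_id, project_id):
    """Rotation in the page's order: the old key is revoked only after the new one works."""
    new_key = store.issue(tenant_id, project_id)
    # Steps 2-3 (update the CI secret, re-run the pipeline) are stood in for by this check.
    if not store.authorize_ingest(new_key, tenant_id, project_id):
        raise RuntimeError("new key rejected; old key left active")
    store.revoke(old_key)
    return new_key
```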

Self-Hosted API URL

The scanner defaults to:

https://api.secureobs.com/api

For self-hosted deployments, set:

SECUREOBS_API_URL="https://your-api.example.com/api"

The value must include the /api suffix.