Skip to main content

Overview

API keys provide programmatic access for CI pipelines, integrations, and tooling. Cysmiq supports two types of keys:
  • Personal API keys: Scoped to your user account. Can be restricted to specific workspaces.
  • Workspace API keys: Scoped to a workspace (tenant). Managed by workspace admins for shared integrations.

Create an API key

1

Open settings

Open the Workspaces page, select Security, then scroll to API keys.
Use https://app.cysmiq.com/workspaces for Cysmiq Cloud. For self-hosted, use your Cysmiq app URL.
API keys section showing the form to create a personal API key.
2

Configure the key

Enter a descriptive Token name to identify the key’s purpose, such as “CI read-only” or “GitHub Actions”.Select the Scopes for the key. Available scopes:
  • Read vulnerabilities (vulnerabilities:read): Access vulnerability lists and summary data
Choose an Expires value. Shorter expirations are more secure but require more frequent rotation.
Optionally restrict the key to specific workspaces using Restrict to workspaces. If no workspaces are selected, the key works across all workspaces you have access to.
API key form filled with token name CI read-only and 30 day expiration.
3

Create and copy the key

Select Create API key. The key value is displayed once and cannot be retrieved later.
New API key created dialog showing the key value with a copy button and warning to store it securely.
Select Copy to copy the key to your clipboard, then store it securely in a secrets manager or environment variable.

Verify an API key

Use the whoami endpoint to confirm your key and tenant context.
1

Find your tenant slug

Open the Workspaces page. The tenant slug is the short identifier used in API URLs. It appears under each workspace name, such as 9wc7wjk6.
Workspaces list showing the tenant slug under a workspace name.
2

Send a whoami request

Replace <tenant-slug> with the value from the previous step.
For self-hosted deployments, replace https://app.cysmiq.com with your Cysmiq app URL.
curl -H "Accept: application/json" \
  -H "Authorization: Bearer cys_tt_example1234567890" \
  https://app.cysmiq.com/api/v1/<tenant-slug>/whoami

View and revoke keys

Created keys appear in a list below the creation form. Each key shows:
  • Name and Status (Active, Expired, or Disabled)
  • Created date and Last used timestamp
  • Expires date
  • Scopes assigned to the key
API key list showing a CI read-only key with Active status and details.
To revoke a key, select Revoke and confirm. Revoked keys are permanently disabled and cannot be restored.