Authentication
API key and token authentication for the Basirah API.
All API requests require authentication via a Bearer token in the Authorization header.
API keys
Generate API keys from your organization settings. Each key inherits the permissions of the user who created it and is scoped to that user’s organization.
Authorization: Bearer your-api-key
Use separate API keys for different automation workflows so you can rotate or revoke them independently.
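The following is an added example, not code from the Basirah documentation: it builds an authenticated request with one key per automation workflow, refuses to attach the key to a non-HTTPS URL, and redacts the key for logging. The base URL, the endpoint path, and the `BASIRAH_API_KEY_<WORKFLOW>` environment variable convention are assumptions made for illustration.

```python
import os
import urllib.request
from urllib.parse import urlsplit

# Assumption: placeholder base URL; the page does not give the real API host.
BASE_URL = "https://basirah.example.invalid/api"
# Assumption: naming convention for per-workflow keys, e.g. BASIRAH_API_KEY_TICKET_SYNC.
ENV_PREFIX = "BASIRAH_API_KEY_"


def load_key(workflow, env=os.environ):
    """Return the API key dedicated to one automation workflow."""
    name = ENV_PREFIX + workflow.upper().replace("-", "_")
    key = env.get(name, "").strip()
    if not key:
        raise KeyError(f"{name} is not set; no shared fallback key is used")
    # Reject whitespace/control characters that would corrupt or split the header.
    if any(c.isspace() or ord(c) < 0x20 for c in key):
        raise ValueError(f"{name} contains whitespace or control characters")
    return key


def build_request(workflow, path, env=os.environ, base_url=BASE_URL):
    """Build (not send) a request carrying the workflow's Bearer token."""
    url = base_url.rstrip("/") + "/" + path.lstrip("/")
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send a bearer token over a non-HTTPS URL")
    req = urllib.request.Request(url)
    req.add_header("Authorization", "Bearer " + load_key(workflow, env))
    return req


def redact(req):
    """Header view that is safe to log: the key is reduced to its last 4 chars."""
    headers = dict(req.header_items())
    token = headers["Authorization"].split(" ", 1)[1]
    headers["Authorization"] = "Bearer ***" + token[-4:]
    return headers


if __name__ == "__main__":
    # Constructed sample keys, one per workflow, so either can be revoked alone.
    sample_env = {
        "BASIRAH_API_KEY_TICKET_SYNC": "constructed-key-aaaa1111",
        "BASIRAH_API_KEY_REPORT_EXPORT": "constructed-key-bbbb2222",
    }
    req = build_request("ticket-sync", "/placeholder-endpoint", env=sample_env)
    print(req.full_url, redact(req))
```

Because a missing key raises instead of falling back to a shared one, revoking one workflow's key stops only that workflow.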
Token authentication
Browser sessions and OAuth flows use JWTs. For programmatic access, API keys are the recommended approach.
Permissions
API key permissions follow the same RBAC model as the web interface. A key created by an Analyst can create work items and update findings, but can’t manage integrations or users. See Roles & Permissions for the full permission model.
Every API key is scoped to a single organization. Requests made with that key can only access data within that organization. MSSP parent keys can access child tenant data through designated cross-tenant endpoints.