Skip to Content
API ReferenceAuthentication

Authentication

API Keys

API keys are the recommended way to authenticate programmatic access to CodeStax.

Creating an API Key

Key Format

ch_a1b2c3d4e5f6...  (64 hex characters with ch_ prefix)

The dashboard shows a truncated prefix for identification: ch_a1b2c3d4...

Using API Keys

Include the API key in the X-API-Key header:

curl -H "X-API-Key: ch_your_api_key_here" \
  https://codestax.co/api/scans

Key Management

ActionHow
List keysSettings → API Keys (shows name, prefix, last used, created date)
RevokeClick the delete icon next to any key
Track usageEach key shows last_used timestamp and use_count

Limits

API key limits scale with your plan tier. Higher plans allow more keys.

JWT Authentication

The web application uses JWT tokens for session management. This is handled automatically by the frontend and is not intended for direct API use.

Token Lifecycle

  1. LoginPOST /auth/login returns an access token
  2. Use — Include in Authorization: Bearer <token> header
  3. RefreshPOST /auth/refresh exchanges an expired token for a new one
  4. Expiry — Tokens expire after a configured period

For programmatic access, use API keys instead of JWT tokens. They’re simpler and don’t require refresh logic.

OverviewEndpoints