Authentication
API Keys
API keys are the recommended way to authenticate programmatic access to CodeStax.
Creating an API Key
- Go to Settings → API Keys
- Click Generate New Key
- Set a name and optional expiry (in days)
- Choose permissions:
  - read:scans — Read scan results
  - read:repos — Read repository data
- Click Create
Important: The API key is only shown once. Copy and store it securely.
Key Format
ch_a1b2c3d4e5f6... (64 hex characters with ch_ prefix)
The dashboard shows a truncated prefix for identification: ch_a1b2c3d4...
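Because the key has a fixed shape, a copy that leaks into a repository, config file or log can be found by pattern and traced back to the dashboard entry to revoke. The scanner below is an added example, not CodeStax's own code; it reports only the truncated prefix so the finding itself does not repeat the secret. Assumptions: 64 hex digits follow the ch_ prefix, the dashboard prefix is ch_ plus 8 characters (inferred from the sample shown here), and CODESTAX_API_KEY is a hypothetical variable name.

```python
import re

# Assumption: "64 hex characters with ch_ prefix" means ch_ followed by 64 hex digits.
# The lookarounds reject matches embedded in a longer identifier or hex run.
KEY_RE = re.compile(r"(?<![0-9A-Za-z_])ch_[0-9a-fA-F]{64}(?![0-9A-Za-z])")
# Assumption: the dashboard prefix is ch_ plus 8 characters, as in ch_a1b2c3d4...
PREFIX_LEN = len("ch_") + 8


def redact(key: str) -> str:
    """Reduce a full key to the truncated prefix the dashboard displays."""
    return key[:PREFIX_LEN] + "..."


def scan_text(text: str, source: str = "<input>"):
    """Return (source, line_no, redacted_prefix) for each key-shaped string."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((source, line_no, redact(match.group(0))))
    return findings


def scrub(text: str) -> str:
    """Replace every key-shaped string with its redacted prefix (logs, tickets)."""
    return KEY_RE.sub(lambda m: redact(m.group(0)), text)


# Constructed sample input: none of these values are real keys.
SAMPLE_KEY = "ch_" + "a1b2c3d4" + "0" * 56
SAMPLE = "\n".join([
    # Documentation placeholder: not hex, so it must not be flagged.
    'curl -H "X-API-Key: ch_your_api_key_here" https://codestax.co/api/scans',
    # Full key in a hypothetical env file: must be flagged.
    f"CODESTAX_API_KEY={SAMPLE_KEY}",
    # Truncated dashboard prefix only: not a secret, must not be flagged.
    "prefix seen in dashboard: ch_a1b2c3d4...",
    # 65 hex digits after ch_: wrong length, must not be flagged.
    "digest=ch_" + "f" * 65,
])

if __name__ == "__main__":
    for source, line_no, prefix in scan_text(SAMPLE, "sample.env"):
        print(f"{source}:{line_no}: possible CodeStax API key {prefix}")
```

A finding's prefix can be compared with the prefix column under Settings → API Keys to pick the key to revoke.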
Using API Keys
Include the API key in the X-API-Key header:
curl -H "X-API-Key: ch_your_api_key_here" \
  https://codestax.co/api/scans
Key Management
| Action | How |
|---|---|
| List keys | Settings → API Keys (shows name, prefix, last used, created date) |
| Revoke | Click the delete icon next to any key |
| Track usage | Each key shows last_used timestamp and use_count |
Limits
| Plan | Max API Keys |
|---|---|
| Free | 0 |
| Pro | 2 |
| Team | 10 |
| Enterprise | Unlimited |
JWT Authentication
The web application uses JWT tokens for session management. This is handled automatically by the frontend and is not intended for direct API use.
Token Lifecycle
- Login — POST /auth/login returns an access token
- Use — Include in Authorization: Bearer <token> header
- Refresh — POST /auth/refresh exchanges an expired token for a new one
- Expiry — Tokens expire after a configured period
For programmatic access, use API keys instead of JWT tokens. They’re simpler and don’t require refresh logic.