API Keys

API keys (personal access tokens) let you authenticate against the CodeDig REST API from CI/CD pipelines, scripts, and integrations — without exposing your user credentials.

Creating a key

Navigate to Settings → API Keys and click Create new. Give the key a descriptive name (e.g. “GitHub Actions CI”), choose its permissions and optionally set an expiry date. The full key is shown exactly once — copy it immediately and store it in a secret manager.

You can also create keys programmatically (requires an existing admin token):

curl -X POST "https://api.codedig.ai/auth/api-keys" \
  -H "Authorization: Bearer $JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "CI Pipeline",
    "permissions": ["read", "write"],
    "expires_at": "2027-01-01T00:00:00Z"
  }'

The response includes the full api_key string. Store it securely — it cannot be retrieved again.

Permissions

Each key is created with one or more of the following permission values. Limit keys to the minimum permissions required.

Permission   What it allows
read         Read findings, analysis runs, repositories, and usage data
write        Trigger PR gate analyses, start indexing, manage webhook subscriptions
admin        All read + write actions, plus create/revoke API keys and manage tenant settings

curl examples

Pass your API key in the Authorization: Bearer header. API keys carry the prefix aca_k1_ and are accepted anywhere a user JWT token is.

# List findings for a repository
curl -H "Authorization: Bearer $CODEDIG_TOKEN" \
  "https://api.codedig.ai/repos/my-org/my-repo/pr-gate/runs?limit=10"

# Trigger a PR analysis
curl -X POST "https://api.codedig.ai/repos/my-org/my-repo/pr-gate/analyze" \
  -H "Authorization: Bearer $CODEDIG_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"pr_number": 42, "head_branch": "feature/my-feature"}'

Node.js example

Using the native fetch API (Node 18+):

// Top-level await below requires an ES module (a .mjs file or "type": "module" in package.json).
const CODEDIG_TOKEN = process.env.CODEDIG_TOKEN; // aca_k1_... key, read from your secret manager
const BASE_URL = 'https://api.codedig.ai';

if (!CODEDIG_TOKEN) throw new Error('CODEDIG_TOKEN is not set');

async function getAnalysisRuns(owner, repo, limit = 10) {
  // Encode the path segments so unusual owner/repo names cannot alter the request path
  const res = await fetch(
    `${BASE_URL}/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repo)}/pr-gate/runs?limit=${limit}`,
    {
      headers: { Authorization: `Bearer ${CODEDIG_TOKEN}` },
    }
  );
  if (!res.ok) throw new Error(`CodeDig API error: ${res.status}`);
  return res.json();
}

// Usage
const runs = await getAnalysisRuns('my-org', 'my-repo');
console.log(runs);

Rate limits

API key requests are subject to the same per-plan rate limits as JWT token requests. See the Rate Limits section of the API Reference for the full table. When a limit is exceeded you receive a 429 response with a Retry-After header indicating how long to wait.

Rotation & revocation

API keys do not auto-rotate. To rotate a key:

  1. Create a new key with the same permissions (Settings → API Keys → Create new)
  2. Update all consumers to use the new key
  3. Revoke the old key by clicking Revoke next to it

You can also revoke a key via the API: DELETE /auth/api-keys/{id}. The key stops working immediately. Set expiry dates on keys used in CI environments to enforce periodic rotation.
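The rotation sequence above carried out through the API, as an added example that is not part of the CodeDig docs: it uses the documented POST /auth/api-keys and DELETE /auth/api-keys/{id} endpoints, takes an injected fetch so it can be exercised offline against a stub, and assumes the create response carries an id field next to api_key (the docs only mention api_key) and that the caller supplies a deploy hook that hands the new key to its consumers.

```javascript
// Added example (not from the CodeDig docs). `fetchImpl` is injected so the
// flow runs offline against a stub; in production pass Node's global fetch.
const BASE_URL = 'https://api.codedig.ai';
const KEY_PREFIX = 'aca_k1_'; // documented prefix of CodeDig API keys

async function createApiKey(fetchImpl, adminToken, { name, permissions, expiresAt }) {
  const res = await fetchImpl(`${BASE_URL}/auth/api-keys`, {
    method: 'POST',
    headers: {
      Authorization: `Bearer ${adminToken}`,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({ name, permissions, expires_at: expiresAt }),
  });
  if (!res.ok) throw new Error(`create failed: ${res.status}`);
  const created = await res.json();
  // Sanity check: refuse to hand out anything that does not look like a CodeDig key
  if (typeof created.api_key !== 'string' || !created.api_key.startsWith(KEY_PREFIX)) {
    throw new Error('unexpected api_key format in create response');
  }
  return created; // assumed shape: { id, api_key, ... } (id is not documented on the page)
}

async function revokeApiKey(fetchImpl, adminToken, keyId) {
  const res = await fetchImpl(`${BASE_URL}/auth/api-keys/${encodeURIComponent(keyId)}`, {
    method: 'DELETE',
    headers: { Authorization: `Bearer ${adminToken}` },
  });
  if (!res.ok) throw new Error(`revoke failed: ${res.status}`);
}

// Rotation in the documented order: create, update consumers, then revoke.
// `deploy(newKey)` is the caller's hook (e.g. write to a secret manager).
// The old key is revoked only after the handover succeeded, so a failed
// deploy never leaves consumers without a working key.
async function rotateApiKey(fetchImpl, adminToken, oldKeyId, spec, deploy) {
  const created = await createApiKey(fetchImpl, adminToken, spec);
  await deploy(created.api_key);
  await revokeApiKey(fetchImpl, adminToken, oldKeyId);
  return { newKeyId: created.id, revokedKeyId: oldKeyId };
}
```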

OpenAPI spec

The full OpenAPI 3.0 specification is available at: