
API Keys

Programmatic access to Axiomo for CI/CD, bots, and integrations

Overview

API keys let you call the Axiomo API from scripts, CI pipelines, bots, or any automated system. Keys inherit your connected provider permissions, so they can analyze private repositories you have access to.

Creating an API Key

1. Go to Settings

   Navigate to Settings and find the "API Keys" section.

2. Name your key

   Give it a descriptive name like "CI Pipeline" or "Review Bot" so you remember what it's for.

3. Copy the key

   Your key will be shown once. Copy it immediately and store it securely.

Keys are shown once

API keys cannot be retrieved after creation. If you lose a key, revoke it and create a new one.

Using API Keys

Include your API key in the Authorization header with the Bearer scheme:

Authorization Header
Authorization: Bearer ax_your_key_here

Examples

cURL

Analyze a PR
curl -X POST https://axiomo.app/api/analyze \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ax_your_key_here" \
  -d '{"url": "https://github.com/owner/repo/pull/123"}'

Python

import requests

# Passing json= serializes the body and sets Content-Type: application/json for you.
response = requests.post(
    "https://axiomo.app/api/analyze",
    headers={"Authorization": "Bearer ax_your_key_here"},
    json={"url": "https://github.com/owner/repo/pull/123"},
)
# Fail loudly on 4xx/5xx (bad key, rate limit) instead of a KeyError on "signal" below.
response.raise_for_status()

signal = response.json()["signal"]
print(f"Risk: {signal['risk']['level']}")

JavaScript

const response = await fetch("https://axiomo.app/api/analyze", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    "Authorization": "Bearer ax_your_key_here"
  },
  body: JSON.stringify({
    url: "https://github.com/owner/repo/pull/123"
  })
});

// fetch() only rejects on network errors; check the status before reading the body.
if (!response.ok) {
  throw new Error(`Axiomo request failed: ${response.status} ${response.statusText}`);
}

const { signal } = await response.json();
console.log(`Risk: ${signal.risk.level}`);

What API Keys Can Do

Action              Endpoint
Analyze a PR        POST /api/analyze
Retrieve a signal   GET /api/scans/{scan_id}

API keys use your connected provider tokens, so they can access any repository you have access to through GitHub, GitLab, or Bitbucket.

Rate Limits

API key requests are rate-limited per user:

With API key            60 requests/minute
Without authentication  10 requests/minute

Rate limit information is included in response headers: X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset.
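The following client ties the pieces above together: it reads the key from an environment variable instead of hard-coding it, sends the Bearer header, and waits out the window when the API answers 429 by reading the X-RateLimit-* headers. This is an added example, not Axiomo's own SDK; the variable name AXIOMO_API_KEY is an assumption, and so is treating X-RateLimit-Reset as a Unix timestamp (the docs name the header but not its format).

```python
import json
import os
import time
import urllib.error
import urllib.request

API_BASE = "https://axiomo.app/api"


def load_api_key(env_var="AXIOMO_API_KEY"):
    """Read the key from the environment (variable name is an assumption)."""
    key = os.environ.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set; do not hard-code the key")
    return key


def auth_headers(api_key):
    """Bearer scheme as documented for Axiomo API keys."""
    return {"Authorization": f"Bearer {api_key}",
            "Content-Type": "application/json"}


def rate_limit_state(headers, now):
    """Parse X-RateLimit-* headers. Assumes Reset is a Unix timestamp."""
    limit = int(headers.get("X-RateLimit-Limit", 0))
    remaining = int(headers.get("X-RateLimit-Remaining", 0))
    reset = int(headers.get("X-RateLimit-Reset", now))
    wait = max(0, reset - now) if remaining == 0 else 0
    return {"limit": limit, "remaining": remaining, "wait_seconds": wait}


def analyze_pr(pr_url, api_key, retries=3, opener=urllib.request.urlopen,
               sleep=time.sleep, clock=time.time):
    """POST /api/analyze and return the signal, retrying after a 429."""
    body = json.dumps({"url": pr_url}).encode()
    req = urllib.request.Request(f"{API_BASE}/analyze", data=body,
                                 headers=auth_headers(api_key), method="POST")
    for _ in range(retries):
        try:
            with opener(req) as resp:
                return json.load(resp)["signal"]
        except urllib.error.HTTPError as err:
            if err.code != 429:
                raise  # bad key, bad URL, server error: do not retry blindly
            state = rate_limit_state(err.headers, int(clock()))
            sleep(state["wait_seconds"] or 1)
    raise RuntimeError("rate limit still exceeded after retries")
```

The opener, sleep and clock parameters exist so the retry path can be exercised without network access.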

Security Best Practices

  • Never commit keys to git - Use environment variables or secrets managers
  • Use descriptive names - So you know which key to revoke if compromised
  • Rotate keys periodically - Create new keys and revoke old ones regularly
  • Revoke unused keys - If a key is no longer needed, revoke it immediately
  • Monitor usage - Check "last used" timestamps in Settings to spot anomalies

Revoking Keys

To revoke an API key, go to Settings and click "Revoke" next to the key. Revoked keys stop working immediately.

Key compromised?

If you suspect a key has been exposed, revoke it immediately and create a new one.
