
Authentication API

Login

Authenticate with a username and password and receive a bearer access token for use in the Authorization header.

POST /api/auth/login
Content-Type: application/json

{
  "username": "admin",
  "password": "your-password"
}

Response:

{
  "access_token": "eyJhbGciOiJIUzI1NiIs...",
  "token_type": "bearer",
  "expires_in": 14400,
  "user": {
    "id": 1,
    "username": "admin",
    "email": "[email protected]",
    "role": "super_admin"
  }
}

expires_in is the token lifetime in seconds (14400 is four hours). Treat access_token as an opaque string: send it as Authorization: Bearer <token> on subsequent requests, and refresh or re-authenticate before the lifetime runs out.

Logout

Invalidate the token presented in the Authorization header. After this call the token is rejected even though its expires_in lifetime has not run out, so clients should discard it locally as well.

POST /api/auth/logout
Authorization: Bearer <token>

Response:

{
  "message": "Successfully logged out"
}

Refresh Token

Exchange a still-valid token for a new one with a fresh expires_in. Refresh is authenticated with the current token, so call it before that token expires; once it has expired the request fails and the client must log in again.

POST /api/auth/refresh
Authorization: Bearer <token>

Response:

{
  "access_token": "eyJhbGciOiJIUzI1NiIs...",
  "expires_in": 14400
}

Current User

Get information about the authenticated user.

GET /api/auth/me
Authorization: Bearer <token>

Response:

{
  "id": 1,
  "username": "admin",
  "email": "[email protected]",
  "full_name": "Administrator",
  "role": "super_admin",
  "organizations": [
    {
      "id": 1,
      "name": "default",
      "role": "org_admin"
    }
  ],
  "created_at": "2024-01-01T00:00:00Z",
  "last_login": "2024-02-01T12:00:00Z"
}
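The flow above (login, refresh before expiry, logout, current user) as an added example in Python; this is not Sentrikat's client or server code. The endpoint paths, field names and the 14400-second lifetime come from this page. The in-memory FakeAuthServer, its opaque token format, the credentials, the 60-second refresh margin and the choice to keep the old token valid after a refresh are constructed for the example so that it runs offline. It shows the two things clients most often get wrong: refresh is authenticated with the current token, so it has to happen before expires_in elapses, and a token that has been logged out is rejected even though its lifetime has not run out.

```python
import hmac
import secrets
from typing import Callable, Dict, Optional, Tuple

TOKEN_LIFETIME = 14400                                        # expires_in from the page, in seconds


class FakeAuthServer:
    """Constructed in-memory stand-in for /api/auth/*: opaque tokens with a deadline; logout forgets them."""
    def __init__(self, clock: Callable[[], float]) -> None:
        self.clock, self.users = clock, {"admin": "your-password"}    # constructed credentials
        self.tokens: Dict[str, float] = {}                            # token -> expiry (epoch seconds)

    def _issue(self) -> dict:
        token = "tok_" + secrets.token_urlsafe(16)
        self.tokens[token] = self.clock() + TOKEN_LIFETIME
        return {"access_token": token, "token_type": "bearer", "expires_in": TOKEN_LIFETIME}

    def _live_token(self, headers: Dict[str, str]) -> Optional[str]:
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if self.tokens.get(token, 0.0) <= self.clock():
            self.tokens.pop(token, None)                      # unknown or expired: reject and forget
            return None
        return token

    def __call__(self, method: str, path: str, headers: Dict[str, str], body: Optional[dict]) -> Tuple[int, dict]:
        if (method, path) == ("POST", "/api/auth/login"):
            body = body or {}
            expected = self.users.get(body.get("username", ""))
            if expected is None or not hmac.compare_digest(expected, body.get("password", "")):
                return 401, {"detail": "invalid credentials"}
            return 200, self._issue()
        token = self._live_token(headers)                     # every other endpoint needs a live token
        if token is None:
            return 401, {"detail": "invalid or expired token"}
        if (method, path) == ("POST", "/api/auth/refresh"):
            return 200, self._issue()                         # old token stays valid until expiry (assumption)
        if (method, path) == ("POST", "/api/auth/logout"):
            del self.tokens[token]
            return 200, {"message": "Successfully logged out"}
        if (method, path) == ("GET", "/api/auth/me"):
            return 200, {"id": 1, "username": "admin", "role": "super_admin"}
        return 404, {"detail": "not found"}


class Session:
    REFRESH_MARGIN = 60                                       # constructed: refresh this many seconds early

    def __init__(self, transport: Callable[..., Tuple[int, dict]], clock: Callable[[], float]) -> None:
        self.transport, self.clock, self.token, self.expires_at = transport, clock, None, 0.0

    def _store(self, body: dict) -> None:
        self.token, self.expires_at = body["access_token"], self.clock() + body["expires_in"]

    def _auth(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self.token}"}

    def login(self, username: str, password: str) -> None:
        status, body = self.transport("POST", "/api/auth/login", {}, {"username": username, "password": password})
        if status != 200:
            raise PermissionError(f"login failed with HTTP {status}")
        self._store(body)

    def refresh(self) -> bool:
        # Authenticated with the current token, so it only works before that token expires (then: login again).
        status, body = self.transport("POST", "/api/auth/refresh", self._auth(), None)
        if status == 200:
            self._store(body)
        return status == 200

    def request(self, method: str, path: str) -> Tuple[int, dict]:
        if self.token and self.clock() >= self.expires_at - self.REFRESH_MARGIN and not self.refresh():
            raise PermissionError("token expired before it could be refreshed; log in again")
        return self.transport(method, path, self._auth(), None)

    def logout(self) -> int:
        status, _ = self.transport("POST", "/api/auth/logout", self._auth(), None)
        self.token = None                                     # forget it locally too
        return status


def demo() -> dict:
    now = [1_700_000_000.0]                                   # controllable clock for the walk-through
    server = FakeAuthServer(lambda: now[0])
    session = Session(server, server.clock)
    session.login("admin", "your-password")
    first = session.token
    me_status, me_body = session.request("GET", "/api/auth/me")
    now[0] += TOKEN_LIFETIME - 30                             # inside the margin, token still valid
    session.request("GET", "/api/auth/me")                    # refreshes transparently
    refreshed = session.token != first
    now[0] += TOKEN_LIFETIME + 1                              # let the refreshed token lapse
    late_refresh_ok = session.refresh()                       # False: an expired token cannot be refreshed
    session.login("admin", "your-password")                   # the recovery path
    old, logout_status = session.token, session.logout()
    rejected, _ = server("GET", "/api/auth/me", {"Authorization": f"Bearer {old}"}, None)
    return {"me": (me_status, me_body["username"]), "refreshed": refreshed, "late_refresh_ok": late_refresh_ok,
            "logout_status": logout_status, "rejected_after_logout": rejected}
```

Replace FakeAuthServer with a function that performs a real HTTPS request using the same (method, path, headers, body) signature, sending the login body as JSON with Content-Type: application/json, and Session works unchanged.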

API Keys

Long-lived credentials for agents and automation (CI/CD pipelines, containers, scheduled jobs) that cannot perform an interactive login.

Create API Key

POST /api/agent-keys
Authorization: Bearer <token>
Content-Type: application/json

{
  "name": "CI/CD Pipeline",
  "key_type": "server",
  "expires_at": "2025-12-31T23:59:59Z",
  "permissions": ["products:read", "products:write"],
  "scan_vscode_extensions": false,
  "scan_code_dependencies": false
}

| Field | Type | Default | Description |
|---|---|---|---|
| name | string | required | Descriptive name for the key |
| key_type | string | "server" | "server" for infrastructure or "client" for end-user workstations |
| expires_at | datetime | null | Optional expiration timestamp (RFC 3339, as in the example); null means the key does not expire |
| permissions | string[] | [] | Permission scopes granted to the key, e.g. products:read, products:write |
| scan_vscode_extensions | boolean | false | Enable VS Code extension scanning for agents using this key |
| scan_code_dependencies | boolean | false | Enable code dependency scanning (pip, npm, gem, cargo, go, composer) |

Response:

{
  "id": 1,
  "name": "CI/CD Pipeline",
  "key": "sk_agent_xxxxxxxxxxxx",
  "key_prefix": "sk_agent_xxxxxxxxxxxx",
  "key_type": "server",
  "scan_vscode_extensions": false,
  "scan_code_dependencies": false,
  "expires_at": "2025-12-31T23:59:59Z",
  "created_at": "2024-01-01T00:00:00Z"
}

Key Security

The full key value is returned only in the create response and is never shown again. Store it in a secret manager or CI secret store rather than in source control, configuration files or shell history; key_prefix exists so a key can be identified later without the full value. If the value is lost, revoke the key (DELETE /api/agent-keys/{id}) and create a new one. Set expires_at and grant only the permissions the workload needs.

Key Type

Use "server" for infrastructure (servers, CI/CD, containers) and "client" for end-user machines (developer workstations, laptops). The dashboard provides a toggle to filter vulnerabilities by key type.

List API Keys

GET /api/agent-keys
Authorization: Bearer <token>

Revoke API Key

DELETE /api/agent-keys/{id}
Authorization: Bearer <token>

Using API Keys

Send the key in the X-API-Key request header:

curl https://sentrikat.example.com/api/products \
  -H "X-API-Key: sk_agent_xxxxxxxxxxxx"

or as a bearer token in the Authorization header, the same header used for session tokens. Either way the key belongs in a header, never in the URL or query string, where it would be recorded in proxy and server logs:

curl https://sentrikat.example.com/api/products \
  -H "Authorization: Bearer sk_agent_xxxxxxxxxxxx"
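Handling the one-time key from the create response, attaching it to requests and keeping it out of URLs and logs, as an added example in Python that is not part of Sentrikat's code. The response field names, the sk_agent_ prefix, the X-API-Key and Bearer header forms and the expires_at format come from this page. The SecretStore class, the secret name, the constructed create response (including a short key_prefix), the key alphabet in KEY_RE and the redaction length are assumptions.

```python
import re
from datetime import datetime, timezone
from typing import Dict, Optional

# The page documents only the sk_agent_ prefix ("sk_agent_xxxxxxxxxxxx"); the URL-safe
# alphabet after it is an assumption made for this example.
KEY_RE = re.compile(r"sk_agent_[A-Za-z0-9_\-]+")


class SecretStore:
    """Constructed stand-in for a real secret manager (CI secret store, Vault, OS keyring)."""

    def __init__(self) -> None:
        self._secrets: Dict[str, str] = {}

    def put(self, name: str, value: str) -> None:
        self._secrets[name] = value

    def get(self, name: str) -> str:
        return self._secrets[name]


def persist_created_key(response: dict, store: SecretStore) -> dict:
    """Split the one-time create response: the full 'key' goes to the secret store under the
    key's id; the returned record (id, name, key_prefix, expires_at, ...) is what may live in
    config or logs. The server never shows the value again, so a lost key means revoking it
    with DELETE /api/agent-keys/{id} and creating a new one."""
    store.put(f"sentrikat/agent-key/{response['id']}", response["key"])   # secret name is an assumption
    return {field: value for field, value in response.items() if field != "key"}


def auth_headers(key: str, scheme: str = "x-api-key") -> Dict[str, str]:
    """Both header forms from the page. X-API-Key is the default here because Authorization: Bearer
    also carries session tokens, so a dedicated header makes the credential type unambiguous."""
    if scheme == "x-api-key":
        return {"X-API-Key": key}
    if scheme == "bearer":
        return {"Authorization": f"Bearer {key}"}
    raise ValueError(f"unknown scheme {scheme!r}")


def check_url(url: str) -> str:
    """Refuse to send a key in the URL: query strings end up in proxy and server logs and shell history."""
    if KEY_RE.search(url):
        raise ValueError("API key found in URL; send it in a header instead")
    return url


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))       # RFC 3339 'Z' form used on the page


def seconds_until_expiry(record: dict, now: Optional[str] = None) -> Optional[float]:
    """Seconds left on expires_at, or None for a key that never expires (expires_at null)."""
    if record.get("expires_at") is None:
        return None
    current = _parse(now) if now else datetime.now(timezone.utc)
    return (_parse(record["expires_at"]) - current).total_seconds()


def redact(text: str) -> str:
    """Mask key material before logging, keeping the prefix plus four characters (assumed length)
    so an entry can still be matched against a key's key_prefix by eye."""
    return KEY_RE.sub(lambda m: m.group(0)[: len("sk_agent_") + 4] + "...", text)


# Constructed create response shaped like the page's example; the short key_prefix is an assumption.
CREATED = {
    "id": 7, "name": "CI/CD Pipeline", "key": "sk_agent_abc123DEF456xyz", "key_prefix": "sk_agent_abc1",
    "key_type": "server", "scan_vscode_extensions": False, "scan_code_dependencies": False,
    "expires_at": "2025-12-31T23:59:59Z", "created_at": "2024-01-01T00:00:00Z",
}
```

Run persist_created_key once, immediately after the create call, and pass redact over every log line that might contain a request or response; check seconds_until_expiry from the job that uses the key so it can be rotated before expires_at is reached rather than failing at 401.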