API Authentication

The Vidoc API uses API keys for authentication. All requests must include a valid API key.

Getting an API Key

Go to app.vidocsecurity.com
Select your project
Navigate to Settings → API Keys
Click “Create API Key”
Copy and store the key securely

See API Keys for detailed management.

Authentication Methods

Bearer Token (Recommended)

Include the API key in the Authorization header:

curl -X POST https://api.vidocsecurity.com/v1/scan-workflows/start \
  -H "Authorization: Bearer your-api-key" \
  -H "Content-Type: application/json" \
  -d '{"codebaseId": "...", "branch": "main"}'

Header Token

Alternatively, use the X-API-Key header:

curl -X POST https://api.vidocsecurity.com/v1/scan-workflows/start \
  -H "X-API-Key: your-api-key" \
  -H "Content-Type: application/json" \
  -d '{"codebaseId": "...", "branch": "main"}'

Base URL

All API requests use:

https://api.vidocsecurity.com/v1

Request Format

Headers

Header	Required	Description
`Authorization`	Yes	`Bearer your-api-key`
`Content-Type`	Yes (POST/PUT)	`application/json`

Request Body

POST and PUT requests use JSON:

{
  "codebaseId": "abc123",
  "branch": "main"
}

Response Format

Success Response

{
  "id": "scan-123",
  "status": "pending",
  "createdAt": "2024-01-15T10:30:00Z"
}

Error Response

{
  "statusCode": 401,
  "message": "Invalid API key",
  "error": "Unauthorized"
}

Error Codes

Code	Description
`401`	Invalid or missing API key
`403`	Key doesn’t have permission
`404`	Resource not found
`429`	Rate limit exceeded
`500`	Server error

Rate Limits

Operation	Limit
Start scan	10 per minute
Get status	100 per minute
List issues	100 per minute

Rate limit headers are included in responses:

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1705315200

Code Examples

JavaScript/Node.js

const response = await fetch('https://api.vidocsecurity.com/v1/scan-workflows/start', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${process.env.VIDOC_API_KEY}`,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    codebaseId: 'abc123',
    branch: 'main',
  }),
});

const data = await response.json();

Python

import requests
import os

response = requests.post(
    'https://api.vidocsecurity.com/v1/scan-workflows/start',
    headers={
        'Authorization': f'Bearer {os.environ["VIDOC_API_KEY"]}',
        'Content-Type': 'application/json',
    },
    json={
        'codebaseId': 'abc123',
        'branch': 'main',
    }
)

data = response.json()

cURL

curl -X POST https://api.vidocsecurity.com/v1/scan-workflows/start \
  -H "Authorization: Bearer $VIDOC_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"codebaseId": "abc123", "branch": "main"}'

Security Best Practices

Never commit API keys - Use environment variables
Rotate keys regularly - Create new keys every 90 days
Use separate keys - One per environment/purpose
Monitor usage - Check last used timestamps
Revoke compromised keys - Immediately if exposed

API Keys

Manage API keys

Scanning API

Start scans via API

Issues API

Access issues via API

CLI Authentication

CLI auth methods

Get Started

Dashboard

GitHub Integration

CLI

Security Categories

Settings

API Reference

Other Integrations

API Authentication

Getting an API Key

Authentication Methods

Bearer Token (Recommended)

Header Token

Base URL

Request Format

Headers

Request Body

Response Format

Success Response

Error Response

Error Codes

Rate Limits

Code Examples

JavaScript/Node.js

Python

cURL

Security Best Practices

API Keys

Scanning API

Issues API

CLI Authentication

Get Started

Dashboard

GitHub Integration

CLI

Security Categories

Settings

API Reference

Other Integrations

​Getting an API Key

​Authentication Methods

​Bearer Token (Recommended)

​Header Token

​Base URL

​Request Format

​Headers

​Request Body

​Response Format

​Success Response

​Error Response

​Error Codes

​Rate Limits

​Code Examples

​JavaScript/Node.js

​Python

​cURL

​Security Best Practices

​Related Pages

API Keys

Scanning API

Issues API

CLI Authentication

Getting an API Key

Authentication Methods

Bearer Token (Recommended)

Header Token

Base URL

Request Format

Headers

Request Body

Response Format

Success Response

Error Response

Error Codes

Rate Limits

Code Examples

JavaScript/Node.js

Python

cURL

Security Best Practices

Related Pages