Authentication

RepoRisk API keys use HTTP Bearer token authentication. Every request to the API must include the key in the Authorization header.

Generating an API Key

  1. Sign in to RepoRisk as a parent-org (top-level) admin. Sub-organization admins do not have permission to manage API keys and will encounter a permission error if they attempt these steps.
  2. Navigate to Settings (gear icon in the sidebar).
  3. Scroll to the API Access card.
    • If your organization is on Tier 1 or Tier 2 you will see an upgrade notice instead — contact us to upgrade.
    • Only parent-org admins will see the New API Key button; sub-org admins will see a permission error.
  4. Click New API Key.
  5. Enter a descriptive label (e.g., CI Pipeline, Security Audit Script).
  6. Optionally, select a Sub-Organization to scope the key's access to a single sub-org.
  7. Click Create.
  8. Copy the key from the reveal dialog immediately — it will not be shown again.

A masked preview (e.g., rrk_live_AbCd••••Xy1z) is stored and shown in the key list so you can tell your keys apart later. The full key itself is not retained server-side; only its hash is kept, which is why the key cannot be re-displayed after the reveal dialog.

Using the Key

Include the full key as a Bearer token in the Authorization header of every request:

GET /api/v1/repos HTTP/1.1
Host: api.canirunthat.com
Authorization: Bearer rrk_live_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789_abcdef

curl

curl -H "Authorization: Bearer $REPORISK_API_KEY" \
https://api.canirunthat.com/api/v1/repos

Python (requests)

import os
import requests

headers = {"Authorization": f"Bearer {os.environ['REPORISK_API_KEY']}"}
resp = requests.get("https://api.canirunthat.com/api/v1/repos", headers=headers)
resp.raise_for_status()

Sub-Org-Scoped Keys

When you create a key scoped to a sub-organization, that key can only access repositories and extensions that belong to that sub-org:

  • GET /api/v1/repos returns only repos in the scoped sub-org.
  • POST /api/v1/repos/analyze automatically assigns new submissions to the scoped sub-org.
  • GET /api/v1/repos/{repo_id}/... returns 403 if the repository belongs to a different sub-org.
  • POST /api/v1/extensions/submit-url automatically assigns the extension to the scoped sub-org.
  • POST /api/v1/extensions/upload automatically assigns the uploaded extension to the scoped sub-org.

Org-wide keys (no sub-org selected at creation) have full access to all sub-orgs within the organization.
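As an added example (not code from the RepoRisk documentation or project), a minimal client using only the Python standard library that sends the Bearer header on every call and turns the two authentication outcomes described above into distinct exceptions: 401 for a missing, invalid or revoked key, 403 for a sub-org-scoped key touching another sub-org's repository. The transport hook, the fake_scoped_server stand-in and its repo/sub-org data are constructed here so the block runs offline; the per-repo path /api/v1/repos/{repo_id} is an assumption standing in for the /{repo_id}/... sub-resources the page lists.

```python
import json
import os
import urllib.error
import urllib.request

BASE_URL = "https://api.canirunthat.com"


class KeyRejected(Exception):
    """HTTP 401: the key is missing, malformed, or has been revoked."""


class ScopeDenied(Exception):
    """HTTP 403: a sub-org-scoped key touched a resource in another sub-org."""


def urllib_transport(method, url, headers, body):
    """Real transport (not exercised offline): returns (status, raw_body)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class RepoRiskClient:
    def __init__(self, api_key=None, base_url=BASE_URL, transport=urllib_transport):
        key = api_key or os.environ.get("REPORISK_API_KEY")
        if not key:
            raise KeyRejected("no API key given and REPORISK_API_KEY is unset")
        self._key = key  # held in memory only; never logged (see __repr__)
        self._base = base_url.rstrip("/")
        self._transport = transport

    def __repr__(self):
        return f"RepoRiskClient(base_url={self._base!r}, key=<redacted>)"

    def _request(self, method, path, payload=None):
        headers = {"Authorization": f"Bearer {self._key}", "Accept": "application/json"}
        body = None
        if payload is not None:
            body = json.dumps(payload).encode()
            headers["Content-Type"] = "application/json"
        status, raw = self._transport(method, self._base + path, headers, body)
        if status == 401:
            raise KeyRejected("key rejected (revoked or invalid); create a new key")
        if status == 403:
            raise ScopeDenied(f"{method} {path}: outside this key's sub-org scope")
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}")
        return json.loads(raw) if raw else None

    def list_repos(self):
        return self._request("GET", "/api/v1/repos")

    def get_repo(self, repo_id):
        # Assumed path; the page only lists /api/v1/repos/{repo_id}/... sub-resources.
        return self._request("GET", f"/api/v1/repos/{repo_id}")


def fake_scoped_server(valid_key="rrk_live_TESTKEY_000", scoped_sub_org="sub-a",
                       repos=None):
    """Constructed stand-in for the API (not the real service) that mimics a
    sub-org-scoped key: 401 for any other key, filtered listing, 403 across sub-orgs."""
    repos = repos or {"r1": "sub-a", "r2": "sub-b"}  # constructed sample data

    def transport(method, url, headers, body):
        if headers.get("Authorization") != f"Bearer {valid_key}":
            return 401, b'{"error": "unauthorized"}'
        path = url.split("/api/v1", 1)[1]
        if method == "GET" and path == "/repos":
            visible = [r for r, s in repos.items() if s == scoped_sub_org]
            return 200, json.dumps({"repos": visible}).encode()
        if method == "GET" and path.startswith("/repos/"):
            rid = path.split("/")[2]
            if repos.get(rid) != scoped_sub_org:
                return 403, b'{"error": "forbidden"}'
            return 200, json.dumps({"id": rid, "sub_org": scoped_sub_org}).encode()
        return 404, b""

    return transport


if __name__ == "__main__":
    client = RepoRiskClient("rrk_live_TESTKEY_000", transport=fake_scoped_server())
    print(client, client.list_repos())
    try:
        client.get_repo("r2")
    except ScopeDenied as err:
        print("scope error:", err)
```

Keeping 401 and 403 as separate exception types matters operationally: a KeyRejected in a CI job means the key was revoked (or the sub-org it was scoped to was archived) and a new key is needed, whereas a ScopeDenied means the job is pointed at the wrong sub-org and rotating the key would not help.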

Revoking a Key

  1. Go to Settings → API Access.
  2. Find the key you want to revoke in the list.
  3. Click the Revoke button and confirm.

Revocation takes effect immediately: the next request that presents the revoked key is rejected. Revocation is permanent, so create a new key if you need access again.

Note: If a sub-organization is archived or deleted, all API keys scoped to that sub-org are automatically revoked.

Security Best Practices

  • Store keys in environment variables or a secrets manager — never hard-code them in source code.
  • Create one key per integration so you can revoke individual keys without disrupting others.
  • Rotate keys periodically, and immediately if you suspect a key has been compromised. Because revocation is permanent, create the replacement key first, switch the integration over to it, then revoke the old one.
  • Use sub-org-scoped keys when an integration only needs access to a single sub-organization.
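As an added example (not code from the RepoRisk documentation or project), a small scanner and log redactor that enforce the first practice above: it flags key-looking tokens in source or config files and reports them only as the masked preview the key list uses (prefix, first four, dots, last four), so the report itself never carries a usable key. The key pattern is modelled on the sample key shown on this page and is an assumption; the SAMPLE_SOURCE and the log line are constructed for the demo.

```python
import re

# Assumed key shape, modelled on the sample key on this page: "rrk_live_" followed by a
# run of letters, digits and underscores. Adjust the pattern if the real format differs.
KEY_RE = re.compile(r"\brrk_live_[A-Za-z0-9_]{16,}\b")
PREFIX = "rrk_live_"


def preview(key: str) -> str:
    """Masked form matching the key list: prefix, first four, four dots, last four."""
    body = key[len(PREFIX):]
    return f"{PREFIX}{body[:4]}\u2022\u2022\u2022\u2022{body[-4:]}"


def find_hardcoded_keys(source: str):
    """Return (line_number, masked_preview) for each key-looking token in the text.
    The full key is deliberately never returned, so the finding can be logged safely."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            hits.append((lineno, preview(match.group(0))))
    return hits


def redact(text: str) -> str:
    """Replace any key in a log line or error message with its masked preview."""
    return KEY_RE.sub(lambda m: preview(m.group(0)), text)


# Constructed sample: one hard-coded key (bad) and one read from the environment (fine).
SAMPLE_SOURCE = '''\
import os
API_KEY = "rrk_live_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789_abcdef"
key = os.environ["REPORISK_API_KEY"]
'''

# Constructed sample log line that would otherwise leak the key into log storage.
SAMPLE_LOG = "request failed: Authorization: Bearer rrk_live_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789_abcdef"


if __name__ == "__main__":
    for lineno, masked in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"hard-coded API key on line {lineno}: {masked}")
    print(redact(SAMPLE_LOG))
```

Run find_hardcoded_keys over a repository in a pre-commit hook or CI step; because hits carry only the preview, you can paste them into a ticket and then match the preview against the key list in Settings → API Access to find the key that needs revoking.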