Authentication
Create and manage API keys for programmatic access to CVEium CIS.
API keys provide secure, scoped access to the CVEium CIS API for CI/CD pipelines, scripts, and external integrations.
Creating an API Key
- Navigate to Settings > API Keys in your team workspace.
- Click Create API Key.
- Enter a descriptive name (e.g. ci-pipeline-prod).
- Select the scopes the key needs (least-privilege recommended).
- Optionally set an expiration (30, 90, 180, or 365 days).
- Copy the key immediately — it is shown only once.
Keys are prefixed with cvk_ followed by 64 hex characters.
Using an API Key
Pass the key as a Bearer token in the Authorization header:
```bash
curl -H "Authorization: Bearer cvk_YOUR_KEY_HERE" \
  https://cis.cveium.com/api/products
```
If no API key is present, the server falls back to session-based authentication (browser cookies).
Scopes
Each key carries one or more scopes that control what it can access. Select only the scopes your integration needs.
| Scope | Permission |
|---|---|
| products:read | List and view products |
| products:write | Create, update, and delete products |
| releases:read | List and view releases |
| releases:write | Create and update releases |
| sboms:read | Download SBOM files |
| sboms:write | Upload new SBOMs |
| vulnerabilities:read | View vulnerability scan results |
| dispositions:read | View triage decisions |
| dispositions:write | Create and update triage decisions |
| vex:read | View VEX documents and approvals |
| vex:write | Generate, submit, approve, reject, publish VEX |
| disclosures:read | List and download published disclosures |
| compliance:read | Download compliance reports |
| audit:read | Export audit log entries |
| cve:trigger | Trigger CVE scans |
A request to an endpoint that requires a scope the key does not carry returns 403 Forbidden.
Service Accounts
Each API key is backed by a service account — a real user entry with team membership. This means:
- Row-Level Security (RLS) is enforced identically to browser sessions. API requests can only access data belonging to the key's team.
- Audit attribution: actions are attributed to the service account in the audit log (e.g. api_ci-pipeline-prod).
- Service accounts do not appear in the team members list and do not count toward billing quotas.
Revoking a Key
- Go to Settings > API Keys.
- Click the Revoke button next to the key.
- Confirm in the dialog.
Revoked keys are immediately rejected. The associated service account is deleted automatically. Revocation is permanent and logged in the audit trail.
Security
- Keys are hashed with SHA-256 before storage — plaintext is never persisted.
- Hash comparison uses constant-time evaluation to prevent timing attacks.
- All key creation and revocation events are recorded in the audit log.
- Keys are scoped to a single team account.
- Expired keys are automatically rejected.
- Only team members with the settings.manage permission can create or revoke keys.
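The following is an added, illustrative model of the verification rules described on this page (Bearer header parsing with session fallback, hashed storage, constant-time comparison, expiry, scope checks returning 403, and revocation). It is not CVEium's own code: the KeyStore and authorize names, the in-memory record table, and the api_<name> service-account naming are assumptions made for the example; the product's real storage layer and error bodies are not shown on the page.

```python
"""Illustrative model of API key verification as described on this page.

Added example, not CVEium CIS code. Assumes an in-memory key table and a
simple (status, reason) result; the real service's internals are not shown.
"""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Key format stated on the page: cvk_ followed by 64 hex characters.
KEY_RE = re.compile(r"^cvk_[0-9a-f]{64}$")


@dataclass
class KeyRecord:
    key_hash: str                  # SHA-256 of the key; plaintext is never stored
    team_id: str
    service_account: str           # e.g. api_ci-pipeline-prod (constructed name)
    scopes: frozenset
    expires_at: Optional[datetime]
    revoked: bool = False


class KeyStore:
    """Hypothetical server-side store indexed only by key hash."""

    def __init__(self) -> None:
        self._records: List[KeyRecord] = []

    @staticmethod
    def _digest(key: str) -> str:
        return hashlib.sha256(key.encode()).hexdigest()

    def create(self, team_id: str, name: str, scopes, expires_in_days=None) -> str:
        """Mint a key, persist only its hash, and return the plaintext once."""
        key = "cvk_" + secrets.token_hex(32)          # 32 bytes -> 64 hex chars
        expires = None
        if expires_in_days is not None:
            expires = datetime.now(timezone.utc) + timedelta(days=expires_in_days)
        self._records.append(KeyRecord(self._digest(key), team_id, f"api_{name}",
                                       frozenset(scopes), expires))
        return key

    def lookup(self, key: str) -> Optional[KeyRecord]:
        """Find the record for a presented key using constant-time comparison."""
        if not KEY_RE.match(key):
            return None
        presented = self._digest(key)
        found = None
        for rec in self._records:
            # compare_digest does not short-circuit on the first differing byte,
            # and the loop deliberately does not break early on a match.
            if hmac.compare_digest(rec.key_hash, presented):
                found = rec
        return found

    def revoke(self, key: str) -> bool:
        """Mark a key revoked; the page says the service account is deleted too."""
        rec = self.lookup(key)
        if rec is None:
            return False
        rec.revoked = True
        return True


def authorize(store: KeyStore, headers: Dict[str, str], required_scope: str,
              now: Optional[datetime] = None) -> Tuple[int, str]:
    """Apply the page's rules: no header -> session fallback; unknown,
    revoked, malformed or expired key -> 401; key lacking the scope -> 403."""
    now = now or datetime.now(timezone.utc)
    auth = headers.get("Authorization", "")
    if not auth:
        return 200, "session"                        # cookie-based fallback
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not token:
        return 401, "malformed authorization header"
    rec = store.lookup(token)
    if rec is None or rec.revoked:
        return 401, "unknown or revoked key"
    if rec.expires_at is not None and now >= rec.expires_at:
        return 401, "expired key"
    if required_scope not in rec.scopes:
        return 403, "missing scope"
    return 200, rec.service_account                  # audit attribution name


if __name__ == "__main__":
    store = KeyStore()
    key = store.create("team-1", "ci-pipeline-prod", ["products:read"], 30)
    print(authorize(store, {"Authorization": f"Bearer {key}"}, "products:read"))
    print(authorize(store, {"Authorization": f"Bearer {key}"}, "products:write"))
```

The lookup walks every record and compares hashes without breaking early so that response time does not depend on which stored key (if any) matched; the scope check runs only after the key has been authenticated, which is why a valid key with the wrong scope yields 403 rather than 401.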