Authentication
The Fegura API uses API keys for authentication. Include your API key in the Authorization header of every request using the Bearer token format.
API Keys
API keys are created from your API Keys settings page. Each key has a specific scope that determines what operations it can perform.
Key Formats
Fegura API keys follow these formats:
- feg_live_* - Production keys with full access
- feg_test_* - Test keys for development
Important: Keep your API keys secure. Never expose them in client-side code, public repositories, or logs.
Making Authenticated Requests
Include your API key in the Authorization header:
curl https://api.fegura.ai/api/accounts \
-H "Authorization: Bearer feg_live_your_api_key" \
-H "Fegura-Version: 2026-02-01"
Request Headers
| Parameter | Type | Description |
|---|---|---|
| Authorization (required) | string | Bearer token with your API key (e.g., Bearer feg_live_xxx) |
| Fegura-Version | string | API version date. Defaults to the version your key was created with. Default: 2026-02-01 |
| Content-Type | string | Required for POST/PATCH requests with a body. Default: application/json |
Scopes
API keys can be created with different scopes to limit their permissions. Choose the most restrictive scope that meets your needs.
| Scope | Permissions | Use Case |
|---|---|---|
| read | Read accounts, scans, and diagrams | Dashboards, reporting, integrations |
| write | Create scans and trigger operations | CI/CD pipelines, automation scripts |
Authentication Errors
When authentication fails, the API returns a 401 Unauthorized response:
{
"success": false,
"error": {
"code": "UNAUTHORIZED",
"message": "Invalid or missing API key"
}
}
Common Authentication Errors
| Error | Cause | Solution |
|---|---|---|
| Missing API key | No Authorization header provided | Add Authorization: Bearer your_key |
| Invalid API key | Key doesn't exist or was revoked | Check key in settings, create new if needed |
| Insufficient scope | Key scope doesn't allow the operation | Use a key with the required scope |
Security Best Practices
- Use environment variables - Store API keys in environment variables, never hardcode them in source code.
- Rotate keys regularly - Create new keys periodically and revoke old ones.
- Use minimal scopes - Create keys with only the permissions they need.
- Monitor usage - Review API key activity in your dashboard for unusual patterns.
- Never expose keys - Don't include keys in URLs, logs, or client-side code.
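The practices above, combined in one client helper: the key comes from an environment variable, travels only in the Authorization header, and is masked in anything that reaches a log. This is an added example, not code from the Fegura documentation; the variable name FEGURA_API_KEY, the function names, and the character set assumed after the key prefix are assumptions.

```python
import json
import os
import re
import urllib.error
import urllib.request

API_BASE = "https://api.fegura.ai/api"  # host taken from the curl example on this page
API_VERSION = "2026-02-01"
# Assumption: after the documented prefix, a key is 8+ characters of [A-Za-z0-9_].
KEY_RE = re.compile(r"feg_(live|test)_[A-Za-z0-9_]{8,}")


def load_key(env=os.environ, var="FEGURA_API_KEY"):
    """Read the key from the environment (hypothetical variable name); reject anything else."""
    key = env.get(var, "").strip()
    if not KEY_RE.fullmatch(key):
        raise RuntimeError(f"{var} is unset or is not a feg_live_/feg_test_ key")
    return key


def redact(text):
    """Mask keys in text bound for logs; the prefix stays so live and test remain distinguishable."""
    return KEY_RE.sub(lambda m: f"feg_{m.group(1)}_[REDACTED]", text)


def build_headers(key):
    return {"Authorization": f"Bearer {key}", "Fegura-Version": API_VERSION}


def explain_error(status, body):
    """Turn the documented error envelope into a log-safe one-line message."""
    try:
        err = json.loads(body)["error"]
        code, msg = err["code"], err["message"]
    except (ValueError, KeyError, TypeError):  # non-JSON body or unexpected shape
        code, msg = "UNKNOWN", ""
    return redact(f"HTTP {status} {code}: {msg}")


def get_accounts(key):
    """GET /accounts with the key in the header, never in the URL."""
    req = urllib.request.Request(f"{API_BASE}/accounts", headers=build_headers(key))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        raise RuntimeError(explain_error(exc.code, exc.read().decode("utf-8", "replace"))) from None
```
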