API Keys
Generate and manage API keys for API access and programmatic integrations with Seenty.
API keys allow you to authenticate with Seenty programmatically for custom integrations. They are tied to your organization, not to individual user accounts.
API keys require the Starter plan or higher. The Hobby plan does not include API key access.
What API keys are used for
- API access -- Access Seenty's API endpoints to integrate with custom tools and workflows.
- Programmatic integrations -- Build automations and connect Seenty with your existing toolchain.
Creating an API key
Navigate to API key settings
Go to Settings > Organization > API Keys.
Generate a new key
Click Generate New Key. Enter a descriptive name that identifies the key's purpose -- for example, "GitHub Actions CI", "Local development", or "Terraform integration".
Set an expiration (optional)
Choose an expiration date if you want the key to automatically stop working after a set time. This is recommended for CI/CD keys as a security best practice. Keys without an expiration remain valid until manually revoked.
Copy and store the key
The full API key is displayed once after creation. Copy it immediately and store it in a secure location (password manager, CI/CD secret store, etc.).
API keys are SHA-256 hashed before being stored. After you close the creation dialog, the full key cannot be retrieved. If you lose a key, revoke it and generate a new one.
Key format
All Seenty API keys follow the format:
sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxx
The sk_live_ prefix identifies it as a Seenty production key. This makes it easy to identify accidentally committed keys in code reviews or secret scanning tools.
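The following is an added example, not Seenty's own tooling: a small scanner that uses the sk_live_ prefix to flag keys in files before they are committed, and reports them redacted. The body alphabet and the 20-character minimum are assumptions, since this page shows only a placeholder, and the sample input is constructed.

```python
import hashlib
import re

# Assumption: the page only shows "sk_live_" followed by placeholder characters.
# The body alphabet and 20-character minimum are guesses, not Seenty's spec.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])sk_live_([A-Za-z0-9]{20,})")


def is_placeholder(body):
    """Documentation samples such as sk_live_xxxx... repeat one character."""
    return len(set(body)) == 1


def redact(key):
    """Keep the prefix and last four characters: recognisable, not usable."""
    return "sk_live_" + "*" * (len(key) - 12) + key[-4:]


def scan(text, source="<input>"):
    """Return one finding per candidate key, never including the key itself."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            if is_placeholder(match.group(1)):
                continue
            key = match.group(0)
            findings.append({
                "source": source,
                "line": lineno,
                "redacted": redact(key),
                # A short SHA-256 fingerprint lets reviewers tell findings
                # apart without copying the secret into the report.
                "fingerprint": hashlib.sha256(key.encode()).hexdigest()[:12],
            })
    return findings


# Constructed sample input: the key below is made up for this example.
SAMPLE = """\
# docs example: sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxx
SEENTY_TOKEN = os.environ["SEENTY_TOKEN"]
token = "sk_live_Zq3m8Tn1Lx7Rb2Vc9Kd4Hs6Wp0Yf"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE, "config.py"):
        print(f"{f['source']}:{f['line']}: {f['redacted']} sha256:{f['fingerprint']}")
```

Any key this flags in a committed file should be treated as leaked: revoke it and generate a new one.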
Key properties
Each API key has the following properties visible in the dashboard:
| Property | Description |
|---|---|
| Name | The descriptive label you chose when creating the key |
| Created | When the key was generated |
| Expiration | Optional date after which the key stops working |
| Last used | The most recent time the key was used for an API call |
| Status | Active or Revoked |
Revoking a key
To revoke a key:
- Go to Settings > Organization > API Keys.
- Find the key in the list.
- Click Revoke.
Revocation is immediate. Any scan, API call, or pipeline using the revoked key will fail with an authentication error from that moment forward. Revoking a key does not affect data that was previously uploaded using it -- historical scan results and findings are preserved.
API key limits by plan
| Plan | API Key Limit |
|---|---|
| Hobby | 0 |
| Starter | 1 |
| Pro | 5 |
| Ultra | 10 |
| Enterprise | Unlimited |
Best practices
- Use descriptive names -- Name each key after its specific purpose so you know exactly which key to revoke if one is compromised. Avoid generic names like "test" or "key1".
- Set expiration dates -- Especially for keys used in CI/CD. Even if a key is leaked, it will stop working after the expiration date.
- Rotate keys regularly -- Generate a new key, update your integrations to use it, then revoke the old one. Quarterly rotation is a reasonable cadence for most teams.
- Never commit keys to source code -- Use environment variables (SEENTY_TOKEN) or your CI platform's secret management feature. If a key is accidentally committed, revoke it immediately and generate a new one.
- One key per integration -- Use separate keys for different pipelines and tools. This way, revoking one key does not disrupt unrelated integrations.