Developers

Authentication

Every request to /api/v1 is authenticated with a bearer key. Keys carry the full agent scope by default, so an agent can operate index365 out of the box; each key is bound to one organization and can be revoked instantly.

Get a key

  1. Use any workspace (every plan, including Free), then open your workspace's API Keys page in the dashboard.
  2. Create a key. Every key carries the full agent scope, so it can run audits and manage projects out of the box.
  3. Copy the secret at creation, or re-reveal it any time from the dashboard API Keys page. Keys are stored encrypted (and hashed for lookup); the list view shows a masked i365_ prefix and suffix.

Make an authenticated request

Send the key in the Authorization header. Query-string tokens are rejected by design. GET /api/v1/me works with any valid key and is the right first call.

curl -s https://index365.co/api/v1/me \
  -H "Authorization: Bearer i365_..."

The response returns your organization, the scopes on the key, and the contract version, so an agent can confirm what it is allowed to do before it acts.

Scopes

Every key carries the full scope set: index365 is built for AI agents that operate the whole audit work area, so a key can run audits and manage projects out of the box. Keys cannot touch account or billing data, which stays in the dashboard. The table below is the reference for what each scope grants. What bounds a key is its organization (every request is org-scoped server-side), instant revocation, the per-request audit log, and per-key rate limiting.

Scope: projects:read, runs:read, findings:read, reports:read
Grants: Read access to projects, runs, findings, and reports. Included in every key.

Scope: runs:write
Grants: Start audits. Spends organization credits, so grant it deliberately.

Scope: projects:write, projects:delete
Grants: Create projects (idempotent by domain) and delete them. Delete requires echoing the project's exact domain as confirm.

Operate the whole tool

Every key is full scope by design, so an agent can run audits and apply fixes immediately. Keep a separate key per integration and revoke any of them instantly, without affecting the others.
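The client side of the flow above (bearer header, a first call to /api/v1/me, and a scope check before spending credits on a run), as an added example written for this page rather than an index365 SDK. The transport is injectable so the block runs offline against a constructed fake; the /me field names organization, scopes and contract_version, and the Retry-After value, are assumptions of this example.

```python
"""Added example client for the index365 API (not the project's own code).

Sends the key only in the Authorization header, preflights the granted
scopes via GET /api/v1/me, and honours Retry-After on a 429.
"""
import json
import time
from typing import Callable, Dict, Iterable, Set, Tuple

BASE_URL = "https://index365.co/api/v1"

# A transport takes (method, url, headers) and returns (status, headers, body_text).
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, Dict[str, str], str]]


def urllib_transport(method: str, url: str, headers: Dict[str, str]):
    """Real transport built on the standard library; not exercised offline."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode()


class Index365Client:
    def __init__(self, api_key: str, transport: Transport = urllib_transport, sleep=time.sleep):
        if not api_key.startswith("i365_"):
            raise ValueError("expected an i365_ key")
        self.api_key = api_key
        self.transport = transport
        self.sleep = sleep  # injectable so tests do not wait

    def _headers(self) -> Dict[str, str]:
        # The key travels only in the Authorization header, never in the query string.
        return {"Authorization": f"Bearer {self.api_key}", "Accept": "application/json"}

    def request(self, method: str, path: str, max_retries: int = 3) -> Tuple[int, dict]:
        url = f"{BASE_URL}{path}"
        for attempt in range(max_retries + 1):
            status, headers, body = self.transport(method, url, self._headers())
            if status == 429 and attempt < max_retries:
                # Back off for exactly what the server asked for (seconds).
                self.sleep(float(headers.get("Retry-After", "1")))
                continue
            return status, (json.loads(body) if body else {})
        raise RuntimeError("unreachable")

    def me(self) -> dict:
        status, data = self.request("GET", "/me")
        if status == 401:
            raise PermissionError("key rejected: malformed or revoked")
        return data

    def missing_scopes(self, needed: Iterable[str]) -> Set[str]:
        """Scopes in `needed` that the key does not carry; empty means safe to act."""
        granted = set(self.me().get("scopes", []))  # field name assumed
        return set(needed) - granted


def make_fake_transport():
    """Constructed offline stand-in: answers 429 once, then serves a /me body."""
    calls = {"n": 0}

    def transport(method, url, headers):
        calls["n"] += 1
        if not headers.get("Authorization", "").startswith("Bearer i365_"):
            return 401, {}, json.dumps({"error": "unauthorized"})
        if calls["n"] == 1:
            return 429, {"Retry-After": "2"}, ""
        return 200, {}, json.dumps({
            "organization": "org_demo",  # constructed
            "scopes": ["projects:read", "runs:read", "findings:read", "reports:read",
                       "runs:write", "projects:write", "projects:delete"],
            "contract_version": "v1",
        })

    return transport, calls


if __name__ == "__main__":
    transport, _ = make_fake_transport()
    client = Index365Client("i365_constructed_example", transport, sleep=lambda s: None)
    print("missing before starting a run:", client.missing_scopes(["runs:write"]))
```

An agent calls missing_scopes(["runs:write"]) once at startup and refuses to start audits if the result is non-empty; the same preflight catches a revoked key early because /me answers 401 before any credits are spent.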

Security model

  • Key secrets are stored encrypted at rest, alongside a sha256 hash used for lookup, so the dashboard can re-reveal a key on demand while authentication compares hashes in constant time.
  • Every request is scoped to the key's organization server-side. Object ids from other organizations return 404, not 403, so existence never leaks.
  • Every key carries the full scope set; the org boundary, instant revocation, and the audit log are the controls.
  • Every API request lands in an audit log with method, path, and status.
  • Per-key rate limiting applies; a 429 includes Retry-After.
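The server-side model the five points above describe, as an added sketch written for this page and not index365's implementation: a sha256 hash indexes the key, the final comparison is constant-time, every lookup is scoped to the key's organization (a project from another organization is indistinguishable from a missing one and returns 404), each request lands in an audit log with method, path and status, and a per-key rate limit answers 429 with Retry-After. Encryption of the secret at rest is left out; only the hash index is modelled. The limit of 3 requests per 60-second window, the response bodies and the masked-label format are constructed for the example.

```python
"""Added server-side sketch of the key model (assumed design, not index365 code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

KEY_PREFIX = "i365_"
FULL_SCOPE = frozenset({
    "projects:read", "runs:read", "findings:read", "reports:read",
    "runs:write", "projects:write", "projects:delete",
})
RATE_LIMIT = 3        # requests per key per window (constructed value)
WINDOW_SECONDS = 60   # constructed value


def hash_secret(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


def mask(secret: str) -> str:
    # What a list view shows: the prefix and a short suffix, nothing else.
    return f"{KEY_PREFIX}...{secret[-4:]}"


@dataclass
class ApiKey:
    org_id: str
    key_hash: str
    masked: str
    scopes: frozenset = FULL_SCOPE
    revoked: bool = False


@dataclass
class Server:
    keys: dict = field(default_factory=dict)      # key_hash -> ApiKey
    projects: dict = field(default_factory=dict)  # project_id -> org_id
    audit_log: list = field(default_factory=list)
    windows: dict = field(default_factory=dict)   # key_hash -> [window_start, count]

    def create_key(self, org_id: str) -> str:
        secret = KEY_PREFIX + secrets.token_urlsafe(24)
        h = hash_secret(secret)
        self.keys[h] = ApiKey(org_id, h, mask(secret))
        # The plaintext is handed back once; only the hash persists here
        # (the real system also keeps an encrypted copy for re-reveal).
        return secret

    def revoke(self, secret: str) -> None:
        self.keys[hash_secret(secret)].revoked = True

    def authenticate(self, headers: dict):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return None  # query-string tokens are never consulted
        presented = hash_secret(auth[len("Bearer "):])
        rec = self.keys.get(presented)
        # Index by hash, then confirm with a constant-time comparison.
        if rec is None or rec.revoked or not hmac.compare_digest(rec.key_hash, presented):
            return None
        return rec

    def _retry_after(self, key_hash: str, now: float) -> int:
        """0 if the request is allowed, else seconds until the window resets."""
        start, count = self.windows.get(key_hash, (now, 0))
        if now - start >= WINDOW_SECONDS:
            start, count = now, 0
        count += 1
        self.windows[key_hash] = [start, count]
        if count > RATE_LIMIT:
            return int(WINDOW_SECONDS - (now - start)) or 1
        return 0

    def handle(self, method: str, path: str, headers: dict, now: float = 0.0):
        """Returns (status, body, extra_headers); every request is logged."""
        status, body, extra = self._route(method, path, headers, now)
        self.audit_log.append({"method": method, "path": path, "status": status})
        return status, body, extra

    def _route(self, method, path, headers, now):
        key = self.authenticate(headers)
        if key is None:
            return 401, {"error": "unauthorized"}, {}
        wait = self._retry_after(key.key_hash, now)
        if wait:
            return 429, {"error": "rate_limited"}, {"Retry-After": str(wait)}
        if method == "GET" and path == "/api/v1/me":
            return 200, {"organization": key.org_id, "scopes": sorted(key.scopes),
                         "contract_version": "v1"}, {}
        if method == "GET" and path.startswith("/api/v1/projects/"):
            project_id = path.rsplit("/", 1)[1]
            # Other-org and nonexistent ids take the same branch: 404, never 403.
            if self.projects.get(project_id) != key.org_id:
                return 404, {"error": "not_found"}, {}
            return 200, {"id": project_id, "organization": key.org_id}, {}
        return 404, {"error": "not_found"}, {}
```

The audit log is written in handle() after routing, so 401s, 404s and 429s are recorded alongside successes; that is what lets a revoked or over-limit key be traced back to the integration that held it.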