Authentication
The PentestPad API uses API key authentication. You’ll need to include your API key in the Authorization header of every request.
Generating an API Key
1. Navigate to API Settings
Log into your PentestPad instance and go to your user settings or admin panel (depending on your permissions).
2. Create New API Key
Look for the “API Keys” or “API Access” section and click “Generate New Key”.
3. Copy Your Key
Your API key will look something like this:
pp_3kqz6Pj58v86KmPMkTmCUmpt2ZJWCqZR0LbGOHyD
Using Your API Key
Include your API key in the Authorization header using the Bearer scheme:
Authorization: Bearer pp_3kqz6Pj58v86KmPMkTmCUmpt2ZJWCqZR0LbGOHyD
Examples
curl -H "Authorization: Bearer pp_3kqz6Pj58v86KmPMkTmCUmpt2ZJWCqZR0LbGOHyD" \
  https://your-instance.pentestpad.com/api/v1/projects
JavaScript (Fetch)
const response = await fetch('https://your-instance.pentestpad.com/api/v1/projects', {
  headers: {
    'Authorization': 'Bearer pp_3kqz6Pj58v86KmPMkTmCUmpt2ZJWCqZR0LbGOHyD',
    'Content-Type': 'application/json'
  }
});
Python (Requests)
import requests
headers = {
    'Authorization': 'Bearer pp_3kqz6Pj58v86KmPMkTmCUmpt2ZJWCqZR0LbGOHyD',
    'Content-Type': 'application/json'
}
response = requests.get(
    'https://your-instance.pentestpad.com/api/v1/projects',
    headers=headers
)
Authentication Errors
If authentication fails, you’ll receive a 401 Unauthorized or 403 Forbidden response:
{
  "success": false,
  "message": "Unauthorized. Please provide a valid API key."
}
Common Issues
- Missing Authorization Header - Make sure you’re including the header in every request
- Invalid API Key - Verify your API key is correct and hasn’t been revoked
- Expired Key - Some API keys may have expiration dates
- Insufficient Permissions - Your API key may not have permission for certain operations
Security Best Practices
Environment Variables
Store your API key as an environment variable:
export PENTESTPAD_API_KEY="pp_3kqz6Pj58v86KmPMkTmCUmpt2ZJWCqZR0LbGOHyD"
Then reference it in your code:
const apiKey = process.env.PENTESTPAD_API_KEY;
Key Management
Viewing Active Keys
You can view all your active API keys in the settings panel. Each key shows:
- Creation date
- Last used date
- Permissions level
- Key prefix (for identification)
Revoking Keys
To revoke an API key:
- Go to your API Keys settings
- Find the key you want to revoke
- Click “Revoke” or “Delete”
- Confirm the action
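The key handling described on this page, from the PENTESTPAD_API_KEY environment variable through the Bearer header to the 401/403 responses, as an added example that is not PentestPad's own code. The `pp_` prefix check is inferred from the sample key, and the function names, the HTTPS and same-origin checks, and the `listProjects` wrapper are assumptions of this example.

```javascript
// Added example, not PentestPad code. KEY_PREFIX is an assumption taken from the sample key.
const KEY_PREFIX = 'pp_';

// Read the key from the environment rather than hard-coding it in source.
function loadApiKey(env = process.env) {
  const key = (env.PENTESTPAD_API_KEY || '').trim();
  if (!key) throw new Error('PENTESTPAD_API_KEY is not set');
  if (!key.startsWith(KEY_PREFIX)) throw new Error('PENTESTPAD_API_KEY has an unexpected format');
  return key;
}

// Keep only a short prefix for logs: enough to identify the key, not enough to reuse it.
function redactKey(key) {
  return key.slice(0, KEY_PREFIX.length + 4) + '...';
}

// Build fetch() arguments. The key is attached only for HTTPS URLs on the configured instance.
function buildRequest(baseUrl, path, apiKey) {
  const base = new URL(baseUrl);
  const url = new URL(path, base);
  if (url.protocol !== 'https:') throw new Error('refusing to send API key over ' + url.protocol);
  if (url.origin !== base.origin) throw new Error('refusing to send API key to ' + url.origin);
  return {
    url: url.href,
    options: { headers: { Authorization: `Bearer ${apiKey}`, 'Content-Type': 'application/json' } },
  };
}

// Turn a 401/403 into an error that names the key by prefix only.
function authError(status, body, apiKey) {
  if (status !== 401 && status !== 403) return null;
  const detail = body && body.message ? body.message : 'no message';
  return new Error(`HTTP ${status} for key ${redactKey(apiKey)}: ${detail}`);
}

// Hypothetical wrapper around the projects endpoint shown above; fetchImpl is injectable for tests.
async function listProjects(baseUrl, fetchImpl = fetch, env = process.env) {
  const apiKey = loadApiKey(env);
  const { url, options } = buildRequest(baseUrl, '/api/v1/projects', apiKey);
  const response = await fetchImpl(url, options);
  const body = await response.json();
  const failure = authError(response.status, body, apiKey);
  if (failure) throw failure;
  return body;
}
```

The redacted prefix in the error message can be matched against the key prefix shown in the settings panel when deciding which key to revoke.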