Skip to main content

Security

API keys

PrefixUsage
f0_live_*Production API keys
Keys are bound to an organization tenant. Raw secrets are shown once at creation; only a SHA-256 hash is stored server-side.

Scopes

ScopePermissions
readList, verify, export, stream
writeIngest events (POST /v1/events*)
Write routes reject read-only keys with 403 forbidden.

Authentication surfaces

SurfaceAuth mechanism
Audit ingestBearer API key (write)
Audit readsAPI key or dashboard JWT (DualAuth)
SSE streamAPI key or single-use SSE ticket
Share linksShare bearer token
Dashboard /v1/me/*Better Auth JWT
Telemetry /api/v1/*Bearer API key (write for ingest; read for queries)

Key rotation

  1. Create a new key in Settings → API Keys
  2. Deploy the new key to your agents
  3. Revoke the old key - revoked keys return 401 immediately
Read-only public share links allow secure access to a specific subset of audit events. The generated link URL embeds a secure one-time secret token (e.g., shr_ULID_SECRET) which authorizes the auditor’s browser to fetch the compliant views. Access can be revoked at any time from the dashboard.

Data retention

Retention sweeps are plan-scoped. See dashboard Settings → Plan for your organization’s retention window.