Token types

Strix supports two types of API tokens:

Personal tokens

  • Tied to a specific user
  • Default to 90-day expiry
  • Best for individual scripts and local tooling

Service keys

  • Org-level, not tied to a user
  • Can be long-lived (no default expiry)
  • Best for CI/CD pipelines and production integrations
  • Only org admins can create service keys

Default scopes

Service keys default scopes:
scans:read, scans:write, vulnerabilities:read, vulnerabilities:write,
schedules:read, schedules:write, assets:read, webhooks:read
Personal tokens default scopes:
scans:read, scans:write, vulnerabilities:read, vulnerabilities:write,
schedules:read, schedules:write, assets:read
You can customize scopes when creating a token. webhooks:write and tokens:write are admin-only scopes that are never included by default and must be added explicitly at creation time.

Using tokens

Include the token in the Authorization header:
curl -X GET "https://app.strix.ai/api/v1/scans" \
  -H "Authorization: Bearer <YOUR_API_TOKEN>"

Best practices

  • Apply least-privilege scopes per integration
  • Rotate tokens regularly, especially service keys
  • Revoke tokens immediately if compromised — revoked tokens stop working on the next request
  • Use personal tokens for development and service keys for production
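A small helper that puts the two sections above into code: it builds the Bearer header for the documented /api/v1/scans endpoint from an environment variable (so the token never sits in a script) and audits a requested scope set against the default and admin-only scopes listed on this page, flagging anything that exceeds what the integration actually needs. This is an added example, not part of the Strix documentation or client; the scope sets are taken from this page, and the STRIX_API_TOKEN variable name and the token type labels are assumptions.

```python
import os
from urllib.request import Request

# Scope sets as listed in the "Default scopes" section of this page.
SERVICE_KEY_DEFAULTS = {
    "scans:read", "scans:write", "vulnerabilities:read", "vulnerabilities:write",
    "schedules:read", "schedules:write", "assets:read", "webhooks:read",
}
PERSONAL_TOKEN_DEFAULTS = SERVICE_KEY_DEFAULTS - {"webhooks:read"}
ADMIN_ONLY = {"webhooks:write", "tokens:write"}   # must be added explicitly
KNOWN_SCOPES = SERVICE_KEY_DEFAULTS | ADMIN_ONLY

SCANS_URL = "https://app.strix.ai/api/v1/scans"   # endpoint from this page


def review_scopes(token_type, requested, needed):
    """Compare the scopes requested for a token with what the integration
    actually needs. token_type is "service_key" or "personal" (assumed labels).
    Returns sorted lists so the result is easy to assert on or print."""
    requested, needed = set(requested), set(needed)
    defaults = SERVICE_KEY_DEFAULTS if token_type == "service_key" else PERSONAL_TOKEN_DEFAULTS
    return {
        "unknown": sorted(requested - KNOWN_SCOPES),        # typo or unsupported scope
        "admin_only": sorted(requested & ADMIN_ONLY),       # needs an org admin to grant
        "beyond_defaults": sorted(requested - defaults),    # not granted unless added explicitly
        "excess": sorted(requested - needed),               # violates least privilege
        "missing": sorted(needed - requested),              # integration would be refused
    }


def auth_headers(env_var="STRIX_API_TOKEN", environ=None):
    """Build the Authorization header from an environment variable so the token
    is never hard-coded. environ is injectable for testing (defaults to os.environ)."""
    token = (os.environ if environ is None else environ).get(env_var)
    if not token:
        raise RuntimeError(f"{env_var} is not set; create a token and export it")
    return {"Authorization": f"Bearer {token}"}


def redact(token):
    """Safe form of a token for log lines: only the last four characters survive."""
    return "*" * max(len(token) - 4, 0) + token[-4:]


def build_scans_request(headers):
    """The GET /api/v1/scans call shown in the curl example, as a urllib Request."""
    return Request(SCANS_URL, headers=headers, method="GET")
```

A 401 on the returned request means the token is missing, expired or revoked; a 403 means the token is valid but lacks the scope for that endpoint, which is exactly what the "missing" list above predicts before you cut the token.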