Authentication
Authenticate to the WASViking REST API with an ApiKey scheme. Bearer is silently rejected.
The WASViking® public REST API uses the ApiKey authentication scheme. Tokens look like wv_live_* for production and wv_test_* for test environments.
Header

```
Authorization: ApiKey wv_live_xxxxxxxxxxxxxxxxxxxx
```
Important. The scheme is ApiKey, not Bearer. A request with Authorization: Bearer wv_live_… returns 401 with no body. This is a deliberate hard rule, not a bug.
Issuing a key
Go to Settings → API Keys → New key. The portal shows the key once at creation time. After that the key is stored hashed; the portal can display only a prefix and the masked tail.
| Field | Notes |
|---|---|
| Name | Operator-readable identifier (ci-prod, siem-export). |
| Scopes | Subset of the scope catalog. Least privilege wins. |
| Expiration | Optional. Recommended for keys handed to vendors. |
| IP allow-list | Optional. Limits where the key can be used from. |
Scopes (excerpt)
| Scope | Allows |
|---|---|
| scans:run | Trigger scans (including via templates). |
| scans:read | Read scan status and reports. |
| findings:read | Read findings, evidence, AI recommendations. |
| findings:update | Status transitions, comments, assignment. |
| inventory:read | Read Asset Inventory. |
| inventory:export | CSV export. |
| audit_logs:read | Read the customer-facing audit log. |
| sca:submit | Submit SBOM documents from Sentinel. |
| sca:read | Read SBOM inventory and Supply Chain Watch. |
| secrets:submit | Submit secret detections from Sentinel. |
| templates:read | Resolve org-scoped scan templates by slug. |
| webhooks:manage | Create and rotate webhook subscriptions. |
| api_keys:manage | Issue and rotate API keys (Admin role only by default). |
The full list is at Settings → API Keys → Scopes.
Rate limits
Default rate limits apply per key:
- 600 requests per minute for read endpoints.
- 60 requests per minute for write endpoints.
- 12 concurrent scans triggered via API per org (configurable).
Rate-limited responses return 429 with a Retry-After header in seconds.
Errors
Common errors:
| Status | Meaning |
|---|---|
| 401 | Missing, malformed, or revoked key. |
| 403 | Key valid but lacks the required scope. |
| 404 | Resource does not exist in the key's organization. |
| 409 | Conflict (e.g., target already exists). |
| 422 | Validation error. Body is JSON with the failing fields. |
| 429 | Rate limited. |
| 5xx | Server-side. Retry with exponential backoff. |
Error body schema:

```json
{
  "error": "rate_limited",
  "message": "API rate limit exceeded. Retry in 30 seconds.",
  "request_id": "req_8fae22c4",
  "details": {}
}
```
request_id is logged on both sides. Quote it when contacting support.
Rotating a key
In the portal: Settings → API Keys → Rotate. The old key keeps working for 24 hours (overlap window) so you can roll your CI without downtime. After 24 hours the old key is hard-revoked.
For incident response, Revoke now kills the key immediately.
Curl example

```bash
curl -sS https://api.wasviking.com/v1/findings \
  -H "Authorization: ApiKey ${WASVIKING_API_KEY}" \
  -H "Accept: application/json"
```
SDKs
There is no official SDK at this time. The API is small and JSON-only;
your standard HTTP client is enough. Examples on the next pages use
curl.
Test environment
Test keys (wv_test_*) operate against a separate environment with
synthetic data. Use them for SDK builds and contract tests; do not
mix live and test keys in the same pipeline.
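A small client wrapper that applies the rules on this page end to end: it builds the ApiKey header (never Bearer), refuses keys that are not wv_live_* or wv_test_* so a pipeline can keep the two environments apart, honours Retry-After on 429, backs off exponentially on 5xx, and surfaces request_id from the error body (tolerating the bodyless 401). This is an added example, not WASViking's own code: the injected transport `send(method, url, headers)`, the Response tuple, the function names and the key tail pattern are assumptions.

```python
import json
import re
import time
from collections import namedtuple
from typing import Callable, Dict

# Assumption: only the wv_live_/wv_test_ prefixes are documented; the tail pattern is a guess.
KEY_RE = re.compile(r"^wv_(live|test)_[A-Za-z0-9]{8,}$")
# Transport-agnostic response: status code, header dict, raw body bytes.
Response = namedtuple("Response", "status headers body", defaults=(b"",))

class WASVikingError(Exception):
    """Carries the documented error body fields; request_id is what support asks for."""
    def __init__(self, status: int, doc: dict):
        super().__init__(f"{status} {doc.get('error', '?')}: {doc.get('message', '(no body)')}")
        self.status, self.error = status, doc.get("error")
        self.message, self.request_id = doc.get("message"), doc.get("request_id")

def key_environment(api_key: str) -> str:
    """Return 'live' or 'test' so a pipeline can refuse to mix the two kinds of key."""
    m = KEY_RE.match(api_key)
    if not m:
        raise ValueError("not a WASViking key (expected wv_live_* or wv_test_*)")
    return m.group(1)

def auth_headers(api_key: str) -> Dict[str, str]:
    """ApiKey scheme only: 'Authorization: Bearer ...' is answered with a bodyless 401."""
    key_environment(api_key)  # validate the prefix before anything leaves the process
    return {"Authorization": f"ApiKey {api_key}", "Accept": "application/json"}

def parse_error(resp: Response) -> WASVikingError:
    """Map an error response onto the documented body schema; a 401 arrives with no body."""
    try:
        return WASVikingError(resp.status, json.loads(resp.body) if resp.body else {})
    except json.JSONDecodeError:
        return WASVikingError(resp.status, {})

def call(send: Callable[[str, str, Dict[str, str]], Response], method: str, url: str,
         api_key: str, max_retries: int = 3, sleep: Callable[[float], None] = time.sleep) -> Response:
    """Send via send(method, url, headers); retry 429 after Retry-After and 5xx with backoff."""
    headers = auth_headers(api_key)
    for attempt in range(max_retries + 1):
        resp = send(method, url, headers)
        if resp.status < 400:
            return resp
        if attempt == max_retries or not (resp.status == 429 or resp.status >= 500):
            raise parse_error(resp)  # 401/403/404/409/422, or retries exhausted
        # 429 carries Retry-After in seconds; 5xx normally does not, so fall back to 2**attempt.
        sleep(float(resp.headers.get("Retry-After", 2 ** attempt)))
    raise AssertionError("unreachable")
```

Wire `send` to your HTTP client of choice (the page notes that no SDK is needed) and pass `sleep` explicitly in tests so rate-limit handling can be asserted without waiting.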
