Overview
API keys authenticate agents and CI/CD integrations. Keys start with cg_ and are bcrypt-hashed before storage — ChangeGuard never stores plaintext keys.
Creating Keys
Dashboard: Go to Integrations → API Keys → Create Key
API:
```bash
curl -X POST https://api.changeguard.ai/api/keys \
  -H "Authorization: Bearer TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "Production Agent", "scope": "agent"}'
```
The full key is returned only once at creation. Store it securely — you cannot retrieve it later.
Scopes
| Scope | Permissions |
|---|---|
| agent | Push snapshots (/ingest), push logs (/ingest/logs), ArgoCD discovery |
| cicd | Deployment validation (/api/validate) |
| full | All API access |
How Authentication Works
- Agent sends the X-API-Key: cg_your_key_here header
- Backend extracts the first 10 characters as the prefix
- Looks up the key by prefix in the database
- Verifies the full key against the bcrypt hash
- Sets the tenant context from the key’s tenant ID
The tenant is derived from the API key — agents don’t need to know their tenant ID.
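The flow above as an added sketch (not ChangeGuard's code): prefix lookup, full-key hash verification, revocation, and tenant derivation over an in-memory store. The KeyStore and KeyRecord names, the generated key length, and revoke-by-prefix are assumptions, and PBKDF2 from the standard library stands in for bcrypt so the block runs without dependencies.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

PREFIX_LEN = 10       # page: first 10 characters form the lookup prefix
ITERATIONS = 100_000  # assumption: PBKDF2 work factor for this demo

@dataclass
class KeyRecord:      # stored row: prefix and hash only, never the plaintext key
    prefix: str
    salt: bytes
    digest: bytes
    tenant_id: str
    scope: str
    revoked: bool = False

def hash_key(key, salt):
    # Stand-in for bcrypt (stdlib only); a real backend would verify with bcrypt.
    return hashlib.pbkdf2_hmac("sha256", key.encode(), salt, ITERATIONS)

class KeyStore:       # hypothetical in-memory replacement for the database
    def __init__(self):
        self.rows = []

    def create(self, tenant_id, scope):
        key = "cg_" + secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self.rows.append(KeyRecord(key[:PREFIX_LEN], salt, hash_key(key, salt), tenant_id, scope))
        return key    # returned once; the store cannot reproduce it

    def revoke(self, prefix):
        # Assumption: keys are identified by prefix for revocation.
        for row in self.rows:
            if row.prefix == prefix:
                row.revoked = True

    def authenticate(self, header_value):
        """Return (tenant_id, scope) for a valid X-API-Key value, else None."""
        if not header_value.startswith("cg_") or len(header_value) <= PREFIX_LEN:
            return None
        prefix = header_value[:PREFIX_LEN]
        # The prefix is only an index; rows sharing it are each checked in full.
        for row in self.rows:
            if row.prefix != prefix or row.revoked:
                continue
            if hmac.compare_digest(hash_key(header_value, row.salt), row.digest):
                return row.tenant_id, row.scope  # tenant comes from the key, not the caller
        return None
```

A matching prefix alone never authenticates a request: the full key must verify against the stored hash, and revoked rows are skipped before any hash is computed.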
Revoking Keys
Dashboard: Integrations → click Revoke on the key
API:
```bash
curl -X DELETE https://api.changeguard.ai/api/keys \
  -H "Authorization: Bearer TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"key_id": "cg_abcd1234"}'
```
Revoked keys stop working immediately.
Key Rotation
- Create a new key
- Update the agent secret with the new key
- Restart the agent
- Verify pushes succeed with the new key
- Revoke the old key