Authentication

Session cookie

After POST /v1/auth/login or POST /v1/auth/register, the gateway sets an HTTP-only session cookie. Browser requests to the dashboard and API include this cookie automatically.

Bearer token

For scripts and CI, use an API key or the operator static token:

curl -H "Authorization: Bearer $BREACHFIX_CLOUD_API_TOKEN" \
  https://cloud.breachfix.com/v1/services

API keys

Create keys under dashboard Settings. Keys are scoped to your workspace (the default workspace, until multi-workspace API scoping ships).

OAuth sign-in

GET /v1/auth/providers lists enabled OAuth providers (GitHub, Google, Apple) when their environment variables are configured on the control plane.

Unauthorized responses

Missing or invalid credentials return HTTP 401. Some routes return 501 when optional integrations are not configured (GitHub App, billing).
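
For scripts and CI, the bearer-token call and the 401/501 responses described above can be wrapped as follows. This is an added example, not code from the BreachFix documentation; the function names, the exit codes and the BF_BASE_URL override are assumptions made for illustration.

```shell
# Added example, not BreachFix's own code. BF_BASE_URL is a hypothetical override.
BF_BASE_URL="${BF_BASE_URL:-https://cloud.breachfix.com}"

# Map the status codes documented above to distinct exit codes for CI.
bf_classify_status() {
  case "$1" in
    2??) return 0 ;;   # success
    401) return 10 ;;  # missing or invalid credentials
    501) return 11 ;;  # optional integration not configured
    *)   return 1 ;;   # anything else, including transport failure (000)
  esac
}

# GET a path with the bearer token. Body goes to stdout, diagnostics to stderr.
# Usage: bf_api_get /v1/services
bf_api_get() {
  local path="$1" body code rc=0
  if [ -z "${BREACHFIX_CLOUD_API_TOKEN:-}" ]; then
    echo "BREACHFIX_CLOUD_API_TOKEN is not set" >&2
    return 12
  fi
  body="$(mktemp)" || return 1
  # The header is fed to curl as a config on stdin (-K -), so the token never
  # appears in curl's argv, where ps or process auditing could record it.
  code="$(printf 'header = "Authorization: Bearer %s"\n' "$BREACHFIX_CLOUD_API_TOKEN" |
    curl -sS --proto '=https' -K - -o "$body" -w '%{http_code}' "${BF_BASE_URL}${path}")" || code=000
  bf_classify_status "$code" || rc=$?
  case "$rc" in
    0)  cat "$body" ;;
    10) echo "HTTP 401 on ${path}: missing or invalid credentials" >&2 ;;
    11) echo "HTTP 501 on ${path}: optional integration not configured" >&2 ;;
    *)  echo "HTTP ${code} on ${path}" >&2 ;;
  esac
  rm -f "$body"
  return "$rc"
}
```

Treating 501 separately from 401 keeps a CI job from rotating a valid key when the route simply depends on an integration that is not configured.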