Authentication
Session cookie
After POST /v1/auth/login or POST /v1/auth/register, the gateway sets an HTTP-only session cookie. Browser requests to the dashboard and API include this cookie automatically.
Bearer token
For scripts and CI, use an API key or the operator static token:
curl -H "Authorization: Bearer $BREACHFIX_CLOUD_API_TOKEN" \
  https://cloud.breachfix.com/v1/services
API keys
Create keys under Settings in the dashboard. Keys are scoped to your workspace (the default workspace, until multi-workspace API scoping ships).
OAuth sign-in
GET /v1/auth/providers lists the enabled OAuth providers (GitHub, Google, Apple) when their environment variables are configured on the control plane.
Unauthorized responses
Missing or invalid credentials return HTTP 401. Some routes return 501 when optional integrations are not configured (GitHub App, billing).
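A CI preflight for the bearer-token call, separating the 401 and 501 cases described above. This is an added example, not part of the BreachFix documentation; the function names, exit codes and the BASE_URL variable are assumptions. The header is fed to curl on stdin so the token stays out of the process argument list.

```shell
#!/bin/sh
# Added example (not from the BreachFix docs). BASE_URL, check_token,
# interpret_status and the exit codes are hypothetical names/values.
BASE_URL="${BASE_URL:-https://cloud.breachfix.com}"

# Map the documented status codes to distinct exit codes so a pipeline
# can tell a credential problem (401) from an unconfigured integration (501).
interpret_status() {
  case "$1" in
    2??) return 0 ;;
    401) echo "401: missing or invalid credentials" >&2; return 10 ;;
    501) echo "501: optional integration not configured for this route" >&2; return 11 ;;
    *)   echo "unexpected HTTP status: $1" >&2; return 12 ;;
  esac
}

# Send an authenticated GET to "$1" and classify the response status.
check_token() {
  path="$1"
  # Fail closed: never fall back to an unauthenticated request.
  if [ -z "${BREACHFIX_CLOUD_API_TOKEN:-}" ]; then
    echo "BREACHFIX_CLOUD_API_TOKEN is not set" >&2
    return 2
  fi
  # A bearer token is replayable by anyone who sees it, so require TLS.
  case "$BASE_URL" in
    https://*) ;;
    *) echo "refusing to send a bearer token to a non-HTTPS URL" >&2; return 3 ;;
  esac
  # printf is a shell builtin and curl reads the header from stdin
  # (--header @-, curl 7.55.0 or later), so the token is not visible in
  # `ps` output the way it is with -H "Authorization: Bearer ...".
  status=$(printf 'Authorization: Bearer %s\n' "$BREACHFIX_CLOUD_API_TOKEN" |
    curl --silent --show-error --output /dev/null \
         --write-out '%{http_code}' --header @- "$BASE_URL$path") || return 4
  interpret_status "$status"
}
```

Call `check_token /v1/services` at the start of a job; exit code 10 means the key should be rotated or re-exported, while 11 points at control-plane configuration rather than the credential.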