API Reference

Authentication

How to authenticate with the PentestPad API using API keys

Overview

The PentestPad API uses API key authentication. You'll need to include your API key in the Authorization header of every request.

Generating an API Key

1. Navigate to API Settings

Log into your PentestPad instance and go to your user settings or admin panel (depending on your permissions).

2. Create New API Key

Look for the "API Keys" or "API Access" section and click "Generate New Key".

3. Copy Your Key

Important!

Save your API key securely. You won't be able to see it again after closing the dialog.

Your API key will look something like this:

pp_3kqz6Pj58v86KmPMkTmCUmpt2ZJWCqZR0LbGOHyD

Using Your API Key

Include your API key in the Authorization header using the Bearer scheme:

Authorization: Bearer pp_3kqz6Pj58v86KmPMkTmCUmpt2ZJWCqZR0LbGOHyD

Examples

cURL

curl -H "Authorization: Bearer pp_3kqz6Pj58v86KmPMkTmCUmpt2ZJWCqZR0LbGOHyD" \
     https://your-instance.pentestpad.com/api/v1/projects

JavaScript (Fetch)

const response = await fetch('https://your-instance.pentestpad.com/api/v1/projects', {
  headers: {
    'Authorization': 'Bearer pp_3kqz6Pj58v86KmPMkTmCUmpt2ZJWCqZR0LbGOHyD',
    'Content-Type': 'application/json'
  }
});

Python (Requests)

import requests

headers = {
    'Authorization': 'Bearer pp_3kqz6Pj58v86KmPMkTmCUmpt2ZJWCqZR0LbGOHyD',
    'Content-Type': 'application/json'
}

# Set a timeout so the call cannot hang indefinitely
response = requests.get(
    'https://your-instance.pentestpad.com/api/v1/projects',
    headers=headers,
    timeout=10
)

Authentication Errors

If authentication fails, you'll receive a 401 Unauthorized or 403 Forbidden response:

{
  "success": false,
  "message": "Unauthorized. Please provide a valid API key."
}

Common Issues

  • Missing Authorization Header - Make sure you're including the header in every request
  • Invalid API Key - Verify your API key is correct and hasn't been revoked
  • Expired Key - Some API keys may have expiration dates
  • Insufficient Permissions - Your API key may not have permission for certain operations

Security Best Practices

Security

  • Never commit API keys to version control
  • Store API keys as environment variables
  • Rotate keys regularly
  • Use different keys for different environments
  • Revoke unused keys immediately
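
As an added example (not PentestPad's own code), the following Python script supports the first rule above by scanning files for strings shaped like an API key before they are committed. It assumes keys are `pp_` followed by 40 alphanumeric characters, as in the sample key on this page; the function names and the 7-character redaction prefix are also assumptions.

```python
import re
import sys

# Assumption: keys match the shape of the sample key on this page,
# "pp_" followed by exactly 40 alphanumeric characters.
KEY_RE = re.compile(r"\bpp_[A-Za-z0-9]{40}\b")


def redact(key):
    """Show only a short prefix so the report itself never re-leaks the key."""
    return key[:7] + "..."


def scan_text(text, name="<input>"):
    """Return (name, line number, redacted key) for every key-shaped string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((name, lineno, redact(match.group())))
    return findings


def scan_files(paths):
    """Scan each readable file; unreadable or deleted paths are skipped."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(fh.read(), path))
        except OSError:
            continue
    return findings


# Constructed sample input. The key is assembled at runtime so this file
# does not contain a key-shaped literal and does not flag itself.
SAMPLE = (
    "# deploy.sh (constructed)\n"
    'export PENTESTPAD_API_KEY="pp_' + "a1B2" * 10 + '"\n'
    "const apiKey = process.env.PENTESTPAD_API_KEY;\n"
)

if __name__ == "__main__":
    paths = sys.argv[1:]
    results = scan_files(paths) if paths else scan_text(SAMPLE, "sample")
    for name, lineno, shown in results:
        print(f"{name}:{lineno}: possible PentestPad API key ({shown})")
    sys.exit(1 if results else 0)
```

Run it from a pre-commit hook with the staged file paths as arguments; the non-zero exit status blocks the commit when a key-shaped string is found.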

Environment Variables

Store your API key as an environment variable:

export PENTESTPAD_API_KEY="pp_3kqz6Pj58v86KmPMkTmCUmpt2ZJWCqZR0LbGOHyD"

Then reference it in your code:

const apiKey = process.env.PENTESTPAD_API_KEY;

Key Management

Viewing Active Keys

You can view all your active API keys in the settings panel. Each key shows:

  • Creation date
  • Last used date
  • Permissions level
  • Key prefix (for identification)

Revoking Keys

To revoke an API key:

  1. Go to your API Keys settings
  2. Find the key you want to revoke
  3. Click "Revoke" or "Delete"
  4. Confirm the action

Note

Revoking a key immediately stops all requests using that key.