API Keys
API Keys are the long-lived credentials used by the CLI and CI/CD pipelines to authenticate with Gerion. They are managed from the dashboard — there is no public endpoint to create or revoke them.
Creating an API Key
- Log in to the dashboard at https://app.gerion.dev.
- Go to Settings → API Keys.
- Click Create New Key.
- Fill in the fields:
  - Name: a descriptive name (e.g. jenkins-prod).
  - Client ID: a unique client identifier, 3–50 alphanumeric characters plus `.`, `-` and `_`. It must be unique within your organization and match the `client_id` you use when calling the authentication endpoint.
  - Permissions: select the required permissions (see the table below).
  - Expires at: optional expiration date. Recommended for CI/CD credentials.
- Copy the generated API Key. You will not be able to see it again.
Available permissions
| Permission | Description |
|---|---|
| write:findings | Upload security findings (POST /api/v1/findings). Required for the CLI. |
| read:findings | Query findings (internal access via dashboard). |
For standard CLI use, the minimum required permission is write:findings.
Using keys in CI/CD
Once created, configure the key as a secret in your pipeline and expose it to the CLI through environment variables:

```bash
# Variables required by the CLI
GERION_API_URL=https://api.gerion.dev
GERION_API_KEY=<your-api-key>
GERION_CLIENT_ID=<your-client-id>
```

See the CI/CD guides section for platform-specific examples.
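A pre-flight check a CI job can run before invoking the CLI, added here as an example and not part of the Gerion documentation or CLI. It enforces the three variable names listed above and the documented `client_id` format (3–50 characters from letters, digits, `.`, `-`, `_`), and prints only the last four characters of the key so the secret never lands in job logs; the function names are assumptions.

```shell
#!/bin/sh
# Pre-flight check for a CI job that runs the Gerion CLI (constructed example,
# not part of the Gerion docs or CLI). It verifies the three variables the
# docs require are set, that GERION_CLIENT_ID matches the documented format,
# that the API URL uses https, and it never prints the key itself.

# Returns 0 when the client id is 3-50 chars of letters, digits, '.', '-', '_'.
gerion_valid_client_id() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._-]{3,50}$'
}

# Returns 0 when all required variables are set and well-formed; prints a
# masked summary (last 4 chars of the key only) so logs never expose the secret.
gerion_preflight() {
    rc=0
    for v in GERION_API_URL GERION_API_KEY GERION_CLIENT_ID; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "missing required variable: $v" >&2
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return "$rc"
    if ! gerion_valid_client_id "$GERION_CLIENT_ID"; then
        echo "GERION_CLIENT_ID must be 3-50 chars of [A-Za-z0-9._-]" >&2
        return 1
    fi
    case "$GERION_API_URL" in
        https://*) ;;
        *) echo "GERION_API_URL must use https" >&2; return 1 ;;
    esac
    key_tail=$(printf '%s' "$GERION_API_KEY" | tail -c 4)
    echo "preflight ok: url=$GERION_API_URL client_id=$GERION_CLIENT_ID key=****$key_tail"
}
```

Call `gerion_preflight || exit 1` as the first step of the job so a misconfigured runner fails before the CLI ever sends a request.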
Revoking or deleting an API Key
From the dashboard under Settings → API Keys, you can:
- Revoke: disables the key immediately without deleting it (auditable).
- Delete: permanently removes the key.
Any JWT generated with a revoked or deleted key will become invalid on the next verification.
Recommended rotation policy
- Production CI/CD: rotate every 90 days. Use the expiration date to enforce this.
- Development runners: no expiration is acceptable if the environment is isolated.
- In case of a leak, revoke immediately from the dashboard and create a new key.