Pwnkemon

API tokens

API tokens let scripts, CI pipelines, and integrations call the Pwnkemon REST API without going through your browser session. They are the recommended way to automate scans.

Creating a token

  1. Sign in to the dashboard.
  2. Open API tokens from the sidebar.
  3. Click New token, give it a memorable name (e.g. github-ci), and optionally set an expiry.
  4. Copy the token. This is the only time you'll see the raw value — we only store a hash.

Tokens start with the prefix pt_ followed by 32 random bytes encoded as base64url. They look like pt_abc123...xyz789. Treat the whole string as a secret: the prefix exists so that leaked tokens are easy to spot in code, logs and secret scanners, not as a public part of the value.

Using a token

Pass the token in the Authorization header, using the Bearer scheme, on every request. In scripts and CI, read it from an environment variable or secret store rather than pasting it into the command, so it doesn't end up in shell history or build logs:

curl https://pwnkemon.com/api/auth/me \
  -H "Authorization: Bearer pt_abc123...xyz789"

Token scoping

Tokens authenticate as the user who created them, with the same permissions that user has. They inherit the user's plan, target verifications, and rate limits.

Tokens cannot create other tokens, perform billing actions, or change plan settings. Those require a browser session.

Revoking a token

Open API tokens, find the token by name, and click the revoke button. Revocation is immediate — the token can't be used after that, even if it hasn't reached its expiry.

If you suspect a token has been leaked (committed to a public repo, sent over an unencrypted channel, printed in a build log, etc.), revoke it immediately and mint a replacement for the integration that was using it.
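The token lifecycle described above (minting pt_ tokens from 32 random bytes, persisting only a hash, honouring the optional expiry, revoking immediately, and refusing the session-only actions) as a worked example. This is added illustration code, not Pwnkemon's implementation; the names TokenStore, TokenRecord, Principal and SESSION_ONLY_ACTIONS, the choice of SHA-256 for the stored digest, and the unpadded base64url encoding are assumptions.

```python
from __future__ import annotations

import base64
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

PREFIX = "pt_"

# Actions the docs reserve for a browser session (assumed action names).
SESSION_ONLY_ACTIONS = {"tokens:create", "billing:*", "plan:update"}


def mint_token() -> str:
    """pt_ + 32 random bytes as base64url; padding stripped (assumption)."""
    body = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=")
    return PREFIX + body.decode("ascii")


def token_digest(token: str) -> str:
    """Only this digest is persisted. The token carries 256 bits of entropy,
    so a plain SHA-256 (no salt, no slow KDF) is sufficient and lets the
    server find the record with a single indexed lookup."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


@dataclass
class TokenRecord:
    name: str
    owner: str
    digest: str
    expires_at: Optional[datetime]
    revoked: bool = False


@dataclass(frozen=True)
class Principal:
    user: str
    via: str  # "token" or "session"


class TokenStore:
    def __init__(self) -> None:
        self._records: dict[str, TokenRecord] = {}

    def create(self, owner: str, plan: str, name: str,
               expires_in: Optional[timedelta] = None,
               now: Optional[datetime] = None) -> tuple[str, TokenRecord]:
        """Mint a token; the raw value is returned here and nowhere else."""
        if plan.lower() == "free":
            raise PermissionError("API tokens require Starter or above")
        now = now or datetime.now(timezone.utc)
        raw = mint_token()
        rec = TokenRecord(name=name, owner=owner, digest=token_digest(raw),
                          expires_at=now + expires_in if expires_in else None)
        self._records[rec.digest] = rec
        return raw, rec

    def revoke(self, owner: str, name: str) -> bool:
        """Mark the token revoked; it is refused from the next request on."""
        for rec in self._records.values():
            if rec.owner == owner and rec.name == name and not rec.revoked:
                rec.revoked = True
                return True
        return False

    def authenticate(self, authorization: str,
                     now: Optional[datetime] = None) -> Optional[Principal]:
        """Resolve an Authorization header to a Principal, or None."""
        now = now or datetime.now(timezone.utc)
        scheme, _, token = authorization.strip().partition(" ")
        if scheme != "Bearer" or not token.startswith(PREFIX):
            return None
        # Lookup is by digest, so the raw token is never stored or compared.
        rec = self._records.get(token_digest(token))
        if rec is None or rec.revoked:
            return None
        if rec.expires_at is not None and now >= rec.expires_at:
            return None
        return Principal(user=rec.owner, via="token")


def allowed(principal: Principal, action: str) -> bool:
    """Tokens inherit the user's permissions minus the session-only set."""
    if principal.via == "token":
        family = action.split(":")[0] + ":*"
        if action in SESSION_ONLY_ACTIONS or family in SESSION_ONLY_ACTIONS:
            return False
    return True  # the user's own permission checks would follow here
```

Because only the digest is stored, a database dump does not yield usable tokens, and revocation is a flag on the record rather than a blocklist that has to be consulted separately; the expiry check uses the same clock as creation so that a token with no expiry set never expires on its own.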

Best practices

Plan availability

API tokens are available on Starter and above. The Free plan can't mint tokens — programmatic access requires a paid plan.