ModernPentest

Authentication

API authentication and key management

Authentication

All API requests require authentication using API keys.

API Keys

Creating Keys

  1. Go to Settings > API Keys
  2. Click Generate New Key
  3. Add a description (e.g., "CI/CD Pipeline")
  4. Select permissions scope
  5. Click Create

Your API key is only shown once. Copy it immediately and store it securely.

Key Permissions

Scope   Capabilities
Read    View applications, pentests, and reports
Write   Create and modify applications
Scan    Trigger and manage pentests
Admin   Full access including key management

Key Management

  • List keys - View all active API keys
  • Revoke key - Immediately disable a key
  • Rotate key - Generate new key, old key expires in 24h

Using API Keys

Authorization Header

Include your API key in the Authorization header:

curl -X GET https://api.modernpentest.com/v1/applications \
  -H "Authorization: Bearer YOUR_API_KEY"

Request Example

const response = await fetch('https://api.modernpentest.com/v1/applications', {
  headers: {
    'Authorization': 'Bearer YOUR_API_KEY',
    'Content-Type': 'application/json'
  }
});

Security Best Practices

Do

  • Store keys in environment variables
  • Use secrets management (Vault, AWS Secrets Manager)
  • Create separate keys per environment
  • Rotate keys regularly
  • Use minimum required permissions

Don't

  • Commit keys to version control
  • Share keys via email or chat
  • Use production keys in development
  • Give admin scope unnecessarily
  • Log API keys

Environment Variables

Shell

export MODERNPENTEST_API_KEY="mp_live_xxxxx"

.env File

MODERNPENTEST_API_KEY=mp_live_xxxxx

Add .env to .gitignore:

.env
.env.local

CI/CD

Store as secret in your CI/CD platform:

GitHub Actions:

env:
  MODERNPENTEST_API_KEY: ${{ secrets.MODERNPENTEST_API_KEY }}

GitLab CI:

variables:
  MODERNPENTEST_API_KEY: $MODERNPENTEST_API_KEY

Key Format

API keys follow this format:

mp_{environment}_{random_string}
Prefix     Environment
mp_live_   Production
mp_test_   Development/Staging

Error Responses

401 Unauthorized

{
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Invalid or missing API key"
  }
}

Causes:

  • Missing Authorization header
  • Invalid API key format
  • Revoked API key

403 Forbidden

{
  "error": {
    "code": "FORBIDDEN",
    "message": "Insufficient permissions for this action"
  }
}

Causes:

  • Key lacks required scope
  • Attempting cross-organization access
  • Resource-level restrictions
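The pieces above (the Bearer header, the environment-variable rule, the "don't use production keys in development" and "don't log API keys" rules, the mp_{environment}_{random_string} key format, and the 401/403 error envelopes) fit together in one small client helper. This is an added example, not ModernPentest's own client code; it assumes the random part of a key is alphanumeric and that NODE_ENV marks a production process, neither of which the page states.

```javascript
// Added example (not ModernPentest's own code). Reads the key from
// MODERNPENTEST_API_KEY, checks the documented mp_{environment}_{random_string}
// format, refuses to use a live key in a non-production process, builds the
// Authorization header, and maps the documented 401/403 bodies to an action.

// Assumption: the random part is alphanumeric (the page does not specify a charset).
const KEY_PATTERN = /^mp_(live|test)_[A-Za-z0-9]+$/;

function parseApiKey(key) {
  const m = KEY_PATTERN.exec(key || '');
  if (!m) throw new Error('MODERNPENTEST_API_KEY is missing or malformed');
  // Page's prefix table: mp_live_ = Production, mp_test_ = Development/Staging.
  return { environment: m[1] === 'live' ? 'production' : 'development' };
}

function redactKey(key) {
  // Keep only the prefix so the secret never reaches a log line ("Don't log API keys").
  return key.replace(/^(mp_(?:live|test)_).*$/, '$1****');
}

function buildHeaders(env = process.env) {
  const key = env.MODERNPENTEST_API_KEY;
  const { environment } = parseApiKey(key);
  // Enforce "Don't use production keys in development" (NODE_ENV check is an assumption).
  if (environment === 'production' && env.NODE_ENV !== 'production') {
    throw new Error(`refusing to use live key ${redactKey(key)} outside production`);
  }
  return { Authorization: `Bearer ${key}`, 'Content-Type': 'application/json' };
}

function classifyResponse(status, body) {
  // Maps the documented error envelopes to what the caller should do next.
  if (status >= 200 && status < 300) return { ok: true, action: 'none' };
  const code = body && body.error && body.error.code;
  if (status === 401 && code === 'UNAUTHORIZED') return { ok: false, action: 'check-or-rotate-key' };
  if (status === 403 && code === 'FORBIDDEN') return { ok: false, action: 'request-broader-scope' };
  return { ok: false, action: 'unexpected' };
}

// Constructed sample input: a test key in a development process, then a 403 body.
const sampleEnv = { MODERNPENTEST_API_KEY: 'mp_test_abc123', NODE_ENV: 'development' };
console.log(redactKey(buildHeaders(sampleEnv).Authorization.replace('Bearer ', '')));
console.log(classifyResponse(403, { error: { code: 'FORBIDDEN', message: 'Insufficient permissions for this action' } }).action);
```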

Last updated: December 8, 2025
