Last reviewed February 25, 2026

Authentication

Sirius Scan uses API key authentication to secure REST API requests. All endpoints (except the health check at /health) require a valid API key.

API Key Sources

Sirius supports two types of API keys:

  • Infrastructure key -- set via the SIRIUS_API_KEY environment variable when deploying Sirius. This key is checked first on every request.
  • Dynamic keys -- additional keys stored in the Valkey key-value store, allowing runtime key management without redeployment.

Using API Keys

REST API

Include your API key in the X-API-Key header of your HTTP requests:

curl -X GET "http://localhost:9001/host" \
  -H "X-API-Key: YOUR_API_KEY"

Environment Variables

Set the infrastructure API key when deploying Sirius:

export SIRIUS_API_KEY=your_api_key

curl -X GET "http://localhost:9001/host" \
  -H "X-API-Key: $SIRIUS_API_KEY"

Unauthenticated Endpoints

The following endpoints do not require an API key:

  • GET /health -- service health check

Best Practices

  1. Never hardcode API keys in your application code or version control
  2. Use environment variables or secure secret management systems
  3. Rotate API keys periodically
  4. Use separate API keys for different environments (development, staging, production)
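
A wrapper for the curl calls above that follows the first two practices, as an added example that is not part of the Sirius documentation or code base: it reads the key only from SIRIUS_API_KEY, hands the header to curl on stdin instead of the command line, and separates a 401 from other failures. SIRIUS_URL, the function names and the accepted key character set are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not Sirius project code. SIRIUS_URL, the function names and
# the accepted key alphabet are assumptions; SIRIUS_API_KEY, X-API-Key and
# the 200/401 codes come from this page.
SIRIUS_URL="${SIRIUS_URL:-http://localhost:9001}"

# Emit a curl config line holding the header. It is fed to `curl -K -` on
# stdin, so the key never appears in curl's argument list (visible via ps).
sirius_header_config() {
  if [ -z "${SIRIUS_API_KEY:-}" ]; then
    echo "SIRIUS_API_KEY is not set" >&2; return 2
  fi
  # Fail closed on characters that would need escaping in a curl config value.
  case "$SIRIUS_API_KEY" in
    *[!A-Za-z0-9._~+/=-]*) echo "SIRIUS_API_KEY has unsupported characters" >&2; return 2 ;;
  esac
  printf 'header = "X-API-Key: %s"\n' "$SIRIUS_API_KEY"
}

# Map an HTTP status to the outcomes in the page's response-code table.
sirius_status_meaning() {
  case "$1" in
    200) echo "ok" ;;
    401) echo "unauthorized" ;;
    *)   echo "unexpected" ;;
  esac
}

# GET a path: body on stdout when authenticated, non-zero exit otherwise.
sirius_get() {
  sg_cfg="$(sirius_header_config)" || return 2
  sg_body="$(mktemp)" || return 2
  # printf is a shell builtin, so the key is not exposed in a child's argv.
  sg_code="$(printf '%s\n' "$sg_cfg" |
    curl -sS -K - -o "$sg_body" -w '%{http_code}' "$SIRIUS_URL$1")" || sg_code="000"
  case "$(sirius_status_meaning "$sg_code")" in
    ok)           cat "$sg_body"; sg_rc=0 ;;
    unauthorized) echo "401: API key rejected or missing" >&2; sg_rc=1 ;;
    *)            echo "unexpected HTTP status $sg_code" >&2; sg_rc=1 ;;
  esac
  rm -f "$sg_body"
  return "$sg_rc"
}
```

After sourcing the file, `sirius_get /host` replaces the curl command shown earlier; the key is loaded per environment by whatever sets SIRIUS_API_KEY.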

Response Codes

Status Code   Description
200           Success - Request authenticated successfully
401           Unauthorized - Invalid or missing API key

Example Error Response

Invalid or Missing API Key

{
  "error": "Invalid API key"
}
