Authentication

All Bug0 API requests must be authenticated.

Authentication Methods

1. API Key (Recommended)

Use API keys for CI/CD pipelines and automated integrations.

Header: x-api-key

curl -X POST https://app.bug0.com/api/run-tests \
  -H "x-api-key: bug0_abc123def456" \
  -H "Content-Type: application/json" \
  -d '{"projectId": "..."}'

Creating API Keys

  1. Open your project in Bug0
  2. Go to Project Settings → API Keys
  3. Click Generate New Key
  4. Copy and securely store the key

API keys are shown only once. Store them securely in your CI/CD secrets.

API Key Format

bug0_[random-string]

Example: bug0_sk_a1b2c3d4e5f6g7h8i9j0

Key Permissions

API keys are scoped to a single project and can:

Keys cannot:

2. Service Token

For internal Bug0 services and trusted integrations.

Header: x-bug0-service-token

curl -X POST https://app.bug0.com/api/run-tests \
  -H "x-bug0-service-token: your-service-token" \
  -H "Content-Type: application/json" \
  -d '{"projectId": "..."}'

Service tokens are for advanced integrations. Most users should use API keys.

3. User Session (Web App)

For requests from the Bug0 web application, session-based authentication is used automatically. This is not applicable for API integrations.

Security Best Practices

Do

Don't

Storing API Keys

GitHub Actions

# In your workflow
env:
  BUG0_API_KEY: ${{ secrets.BUG0_API_KEY }}

GitLab CI

# In .gitlab-ci.yml
variables:
  BUG0_API_KEY: $BUG0_API_KEY  # Set in CI/CD settings

Environment Variables

export BUG0_API_KEY="bug0_sk_..."
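
A check to pair with the storage guidance above, added here as an example and not part of Bug0's documentation or tooling: it scans files for strings that look like committed Bug0 API keys and reports them redacted. The character set, the 12-character minimum and the number of leading characters kept are assumptions, since this page documents only the bug0_ prefix.

```python
import re
import sys
from pathlib import Path

# Assumption: the page documents only "bug0_[random-string]". The character
# set and 12-character minimum are guesses based on the page's example keys.
KEY_RE = re.compile(r"\bbug0_[A-Za-z0-9_]{12,}")


def redact(key, keep=12):
    """Keep a leading slice (assumed enough to find the key in the revoke
    list, which identifies keys by prefix) and mask the remainder."""
    return key[:keep] + "*" * (len(key) - keep)


def scan_text(text, source="<text>"):
    """Return (source, line number, redacted key) for each candidate key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in KEY_RE.finditer(line):
            findings.append((source, lineno, redact(match.group())))
    return findings


def scan_paths(paths):
    """Scan files, and directories recursively, skipping unreadable entries."""
    findings = []
    for raw in paths:
        root = Path(raw)
        files = [f for f in root.rglob("*") if f.is_file()] if root.is_dir() else [root]
        for f in files:
            try:
                text = f.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue
            findings.extend(scan_text(text, str(f)))
    return findings


# Constructed sample: secret reference, truncated placeholder, hardcoded key.
SAMPLE = '''\
env:
  BUG0_API_KEY: ${{ secrets.BUG0_API_KEY }}
export BUG0_API_KEY="bug0_sk_..."
curl -H "x-api-key: bug0_sk_a1b2c3d4e5f6g7h8i9j0" https://app.bug0.com/api/run-tests
'''

if __name__ == "__main__":
    hits = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE, "<sample>")
    for src, lineno, masked in hits:
        print(f"{src}:{lineno}: possible Bug0 API key {masked}")
    sys.exit(1 if hits else 0)
```

Run it with file or directory paths as arguments in a pre-commit hook or CI step; a non-zero exit means a candidate key was found, and any real key it reports should be revoked and replaced.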

Error Responses

401 Unauthorized

{
  "success": false,
  "error": "Invalid API key"
}

Causes:

403 Forbidden

{
  "success": false,
  "error": "Access denied"
}

Causes:

Revoking API Keys

If a key is compromised:

  1. Go to Project Settings → API Keys
  2. Find the key (identified by prefix)
  3. Click Revoke
  4. Generate a new key
  5. Update your CI/CD configuration

Revoked keys immediately stop working.

Testing Authentication

Verify your API key works:

curl -X POST https://app.bug0.com/api/run-tests \
  -H "x-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"projectId": "YOUR_PROJECT_ID"}'

Expected response (success):

{
  "success": true,
  "message": "Tests triggered successfully"
}

Expected response (invalid key):

{
  "success": false,
  "error": "Invalid API key"
}