Authentication
All Public API requests must be authenticated with an API key.
Creating an API key
See API Keys → Public API Keys for step-by-step instructions.
Including the key in requests
Add the key to every request using the X-Api-Key header:
```http
GET /api/v1/public/audit-activity
Host: api.kovoco.net
X-Api-Key: your-api-key-here
```
Example: curl
```bash
curl https://api.kovoco.net/api/v1/public/audit-activity \
  -H "X-Api-Key: your-api-key-here"
```
Example: PowerShell
```powershell
$headers = @{ "X-Api-Key" = "your-api-key-here" }
Invoke-RestMethod -Uri "https://api.kovoco.net/api/v1/public/audit-activity" -Headers $headers
```
Example: C#
```csharp
using var client = new HttpClient();
client.DefaultRequestHeaders.Add("X-Api-Key", "your-api-key-here");
var response = await client.GetAsync("https://api.kovoco.net/api/v1/public/audit-activity");
```
Key scopes
When creating an API key, you select which scopes it has. Requests using a key that lacks the required scope return 403 Forbidden.
| Scope | Permitted endpoints | Status |
|---|---|---|
| read:audit-activity | GET /audit-activity, GET /audit-activity/{recordId}, GET /audit-activity/summary | ✅ Active |
| read:alerts | Alerts endpoints | Coming soon |
| read:findings | Findings endpoints | Coming soon |
| read:compliance | Compliance health endpoints | Coming soon |
| read:reports | Report generation | Coming soon |
Rate limiting
Public API keys are subject to per-minute rate limits:
| Request type | Default limit |
|---|---|
| GET (read) | 60 requests / minute |
Exceeding the limit returns:
```http
HTTP/1.1 429 Too Many Requests
Retry-After: 15
```
Wait the number of seconds indicated in the Retry-After header before retrying.
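A client that follows the rules above, as an added example rather than Kovoco's own code: it sends the key in X-Api-Key, reports 403 as a missing scope, and on 429 waits the number of seconds given in Retry-After before retrying. The KOVOCO_API_KEY environment variable, the function names, the 15-second fallback, the 300-second ceiling and the four-attempt limit are assumptions of this example.

```python
import os
import time
import urllib.error
import urllib.request

BASE_URL = "https://api.kovoco.net/api/v1/public"


def retry_after_seconds(value, default=15, ceiling=300):
    """Turn a Retry-After header value into a bounded wait in seconds.

    default and ceiling are assumptions of this example: they cover a missing
    or malformed header and stop a bad value from stalling the client.
    """
    try:
        seconds = int(value)
    except (TypeError, ValueError):
        return default
    return min(max(seconds, 0), ceiling)


def public_get(path, api_key=None, max_attempts=4,
               opener=urllib.request.urlopen, sleep=time.sleep):
    """GET a Public API path, waiting out 429 responses before retrying.

    opener and sleep are injectable so the retry logic can be tested offline.
    """
    # Assumed variable name; populate it from your secrets manager at runtime
    # instead of hardcoding the key in source.
    api_key = api_key or os.environ["KOVOCO_API_KEY"]
    request = urllib.request.Request(BASE_URL + path,
                                     headers={"X-Api-Key": api_key})
    for attempt in range(1, max_attempts + 1):
        try:
            with opener(request, timeout=30) as response:
                return response.read()
        except urllib.error.HTTPError as err:
            if err.code == 403:
                # 403 means the key lacks the required scope (see Key scopes).
                raise PermissionError(f"API key lacks the scope for {path}") from err
            if err.code != 429 or attempt == max_attempts:
                raise
            sleep(retry_after_seconds(err.headers.get("Retry-After")))


if __name__ == "__main__":
    print(public_get("/audit-activity").decode())
```

The error raised on 403 names only the path, so the key itself never ends up in logs or tracebacks.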
Key security
- Store keys in secrets managers (Azure Key Vault, GitHub Secrets, etc.)
- Never commit keys to source control
- Set an expiry date on keys when possible
- Revoke keys that are no longer needed
To revoke a key, see API Keys.
