Authentication
BreachSpider supports two authentication methods depending on your use case.
API Key Authentication (Recommended for Integrations)
Include your API key as a Bearer token in the Authorization header.
curl -H "Authorization: Bearer bs_live_your_key_here" \
"https://breachspider.com/api/v1/cves"
API keys:
- Require Professional tier or above
- Are prefixed with bs_live_ for easy identification in code and logs
- Are stored as SHA-256 hashes - the raw key is shown only once at generation
- Can be scoped to read, write, or alerts permissions
- Can be set to expire after 30, 90, or 365 days, or never
Generate keys at Integrations > API Keys in the dashboard.
Session Authentication (Web App)
The web application uses magic-link email authentication with HttpOnly session cookies. No passwords are stored or transmitted.
Tier Requirements
| Feature | Free | Standard | Professional | API | Enterprise |
|---|---|---|---|---|---|
| API key generation | - | - | Yes | Yes | Yes |
| Requests per minute | 10 | 60 | 300 | 1000 | Custom |
| CVE searches per day | 50 | 500 | Unlimited | Unlimited | Unlimited |
| Webhook delivery | - | Yes | Yes | Yes | Yes |
| SAGE full analysis | - | - | Yes | Yes | Yes |
Security Notes
- All API traffic is encrypted via TLS 1.2+ through Cloudflare
- API keys are never logged in plain text
- Include your key in headers only - never in query strings or URLs
- Rotate compromised keys immediately at Integrations > API Keys > Revoke
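
The bs_live_ prefix makes it practical to check your own client logs and config files for keys that ended up in a URL or in plain text. The scanner below is an added example, not BreachSpider code; the key character set after the prefix, the `api_key` query parameter and the sample lines are assumptions constructed for illustration.

```python
import hashlib
import re

# Only the bs_live_ prefix is documented; the character set after it is an assumption.
KEY_RE = re.compile(r"bs_live_[A-Za-z0-9_-]+")
URL_RE = re.compile(r"https?://\S+")


def fingerprint(key: str) -> str:
    """Short SHA-256 fingerprint so a finding can be correlated without keeping the raw key."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def redact(line: str) -> str:
    """Replace every key in a line with its prefix plus fingerprint."""
    return KEY_RE.sub(lambda m: "bs_live_[sha256:" + fingerprint(m.group()) + "]", line)


def scan(lines):
    """Return one finding per key occurrence: (line_no, location, fingerprint)."""
    findings = []
    for no, line in enumerate(lines, start=1):
        url_spans = [m.span() for m in URL_RE.finditer(line)]
        for m in KEY_RE.finditer(line):
            in_url = any(s <= m.start() < e for s, e in url_spans)
            if in_url:
                location = "url"     # key placed in a URL or query string
            elif re.search(r"Authorization:\s*Bearer\s+$", line[:m.start()], re.I):
                location = "header"  # right placement, but written to a log in plain text
            else:
                location = "other"
            findings.append((no, location, fingerprint(m.group())))
    return findings


# Constructed sample lines: not real keys and not real BreachSpider log output.
# The api_key query parameter is hypothetical and stands for a client-side mistake.
SAMPLE = [
    "GET https://breachspider.com/api/v1/cves?api_key=bs_live_EXAMPLEKEY0001 200",
    "debug: sending Authorization: Bearer bs_live_EXAMPLEKEY0001",
    "config loaded, key=bs_live_EXAMPLEKEY0002",
    "GET https://breachspider.com/api/v1/cves 200",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
    print(redact(SAMPLE[0]))
```

Any finding means the key has been exposed outside the Authorization header of a live request and should be revoked and regenerated.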