Authentication

The anonymous tier requires no API key. You authenticate the scan request with a Cloudflare Turnstile token obtained from the browser flow; everything else is open, subject to the rate limit. Pro/Team/Enterprise tiers are coming soon with proper API keys.

Anonymous tier (v0)

Two endpoints are public and unauthenticated:

POST /scan is gated by Cloudflare Turnstile plus an IP-based rate limit (10 scans per 24 hours). The Turnstile token comes from the browser challenge widget; a non-browser client cannot obtain one, and that is intentional: the API is not designed for unauthenticated scripted submission.

For local development, Turnstile is wired to Cloudflare's always-pass dev keys (site key 1x00000000000000000000AA), so any non-empty token validates. Production swaps these for real keys.
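The following is an added example of the server-side half of the POST /scan gate described above; it is not the project's own code. It verifies a Turnstile token against Cloudflare's siteverify endpoint and then applies a per-IP sliding-window limit of 10 scans per 24 hours. The HTTP transport is injectable so the logic runs offline against a constructed response; the secret value, the order of checks and the HTTP status codes are assumptions.

```python
"""Admission gate for POST /scan: Turnstile verification plus an IP rate limit.

Added example, not the project's own code. Cloudflare's siteverify URL and
form field names (secret, response, remoteip) are the documented public API;
everything else here (status codes, check order, the secret) is assumed.
"""
import json
import time
import urllib.parse
import urllib.request
from collections import defaultdict, deque

SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"
SCAN_LIMIT = 10                   # scans per window, as documented above
SCAN_WINDOW_SECONDS = 24 * 3600   # 24h window


def http_post_form(url, form, timeout=5):
    """Real transport: POST a form-encoded body and return the parsed JSON reply."""
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def fake_siteverify(success, error_codes=()):
    """Constructed stand-in for Cloudflare's reply, so the gate can be run offline."""
    def post(url, form):
        return {"success": success, "error-codes": list(error_codes)}
    return post


def verify_turnstile(token, remote_ip, secret, post=http_post_form):
    """Validate a Turnstile token server-side. Returns (ok, error_codes).

    `secret` is the Turnstile secret key from configuration; in local dev it
    would be Cloudflare's always-pass test secret (assumed config value here).
    """
    if not token:
        return False, ["missing-input-response"]
    form = {"secret": secret, "response": token, "remoteip": remote_ip}
    result = post(SITEVERIFY_URL, form)
    return bool(result.get("success")), list(result.get("error-codes", []))


class IpRateLimiter:
    """Sliding window: at most `limit` accepted events per `window` seconds per IP."""

    def __init__(self, limit=SCAN_LIMIT, window=SCAN_WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)   # ip -> timestamps of accepted scans

    def consume(self, ip, now=None):
        """Record one scan for `ip`; return False if the window is already full."""
        now = time.time() if now is None else now
        q = self._hits[ip]
        while q and now - q[0] >= self.window:   # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def gate_scan(token, remote_ip, secret, limiter, post=http_post_form, now=None):
    """Admission decision for POST /scan as (http_status, reason).

    Turnstile is checked first so a failed challenge does not burn the caller's
    quota; only verified requests count toward the 10 / 24h limit.
    """
    ok, errors = verify_turnstile(token, remote_ip, secret, post=post)
    if not ok:
        return 403, "turnstile-failed: " + ",".join(errors)
    if not limiter.consume(remote_ip, now=now):
        return 429, "rate-limited: %d scans per 24h" % limiter.limit
    return 200, "accepted"


if __name__ == "__main__":
    # Offline demo with a constructed always-pass reply and a constructed client IP.
    limiter = IpRateLimiter()
    for i in range(12):
        print(gate_scan("demo-token", "203.0.113.7", "<secret>", limiter,
                        post=fake_siteverify(True), now=1_700_000_000 + i))
```

Checking Turnstile before consuming quota means that bad tokens from a shared NAT address cannot exhaust another user's ten scans; the trade-off is that siteverify calls themselves are unbounded, which Cloudflare rate-limits on its side.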

Paid tiers will ship with API keys for programmatic access: bearer tokens passed as Authorization: Bearer sk_live_…. Pro gets a single per-user key; Team gets org-scoped keys with role-based access; Enterprise adds SSO/SCIM (planned) and BYOK signing keys.
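As an added illustration of how a server could check the planned `Authorization: Bearer sk_live_…` keys (example code, not the project's implementation): the plaintext key is shown once at issue time and only its SHA-256 fingerprint is stored, so a leaked key table cannot be replayed; the header parser rejects non-Bearer schemes and keys without the `sk_live_` prefix. The org/role model and permission names are assumptions drawn from the tier description.

```python
"""Bearer API key verification with hash-only storage and role checks.

Added example, not the project's own code. The `sk_live_` prefix is from the
docs above; the role names, permission strings and org field are assumed.
"""
import hashlib
import secrets

KEY_PREFIX = "sk_live_"
ROLE_PERMISSIONS = {   # assumed role model for org-scoped Team keys
    "admin": {"scan:create", "scan:read", "keys:manage"},
    "member": {"scan:create", "scan:read"},
    "viewer": {"scan:read"},
}


def parse_bearer(header_value):
    """Return the token from 'Bearer <token>', or None if the header is malformed."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token or any(c.isspace() for c in token):
        return None
    return token


def fingerprint(key):
    """One-way identifier for a key; this, never the key itself, is what gets stored."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


class ApiKeyStore:
    def __init__(self):
        self._records = {}   # fingerprint -> {"org": ..., "role": ...}

    def issue(self, org_id, role):
        """Mint a key; the plaintext is returned exactly once and not retained."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError("unknown role: %r" % role)
        key = KEY_PREFIX + secrets.token_urlsafe(24)   # ~192 bits of entropy
        self._records[fingerprint(key)] = {"org": org_id, "role": role}
        return key

    def revoke(self, key):
        """Drop a key by its fingerprint; True if it existed."""
        return self._records.pop(fingerprint(key), None) is not None

    def authenticate(self, authorization_header):
        """Map a request's Authorization header to a principal dict, or None."""
        token = parse_bearer(authorization_header)
        if token is None or not token.startswith(KEY_PREFIX):
            return None
        # Looking up by hash is safe: the probe timing reveals nothing about the
        # plaintext, since matching it would require a SHA-256 preimage.
        record = self._records.get(fingerprint(token))
        return dict(record) if record else None


def authorize(principal, permission):
    """Role-based check: does the authenticated principal hold `permission`?"""
    if principal is None:
        return False
    return permission in ROLE_PERMISSIONS.get(principal["role"], set())


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.issue("org_demo", "member")        # constructed org id
    who = store.authenticate("Bearer " + key)
    print(who, authorize(who, "scan:create"), authorize(who, "keys:manage"))
```

Because the store holds only fingerprints, rotating a key is just issue-then-revoke, and an audit log can record the fingerprint rather than the secret.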

For the up-to-date endpoint list, see POST /scan, GET /scan/:id, rate limits, and errors.