scan for scanning and analysis endpoints, and admin for management and configuration endpoints. You pass the key in the Authorization header of every request.
Dev mode
If the IW_API_KEY environment variable is not set, authentication is disabled entirely. This is convenient for local development, but you must enable auth before deploying to production.
Generating keys
Run the setup command to generate both a scan key and an admin key:
.env.local in your working directory. Source the file to load them into your environment:
| Key type | Prefix | Example |
|---|---|---|
| Scan | iwk_scan_ | iwk_scan_a1b2c3d4e5f6... |
| Admin | iwk_admin_ | iwk_admin_a1b2c3d4e5f6... |
Passing the key
Include your API key in the Authorization: Bearer header on every request:
Key roles
Each key type grants access to a specific set of endpoints:

| Key type | Prefix | Can access |
|---|---|---|
| Scan | iwk_scan_ | /v1/scan/*, /v1/analyze/*, /v1/health/*, /v1/signatures (read-only), /v1/sessions |
| Admin | iwk_admin_ | All endpoints, including /v1/admin/*, /v1/auth/*, /v1/config, and all scan endpoints |
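
The role table above can be mirrored on the client so that application code fails closed before a request is sent with the wrong key. This is an added example, not InferenceWall's own code or its server-side check; the function names, the sub-paths `/v1/scan/text` and `/v1/admin/keys`, and the reading of "read-only" as GET/HEAD are assumptions.

```python
import fnmatch
import posixpath

# Role table transcribed from the "Key roles" section above.
SCAN_PATTERNS = ["/v1/scan/*", "/v1/analyze/*", "/v1/health/*", "/v1/sessions"]
READ_ONLY_PATTERNS = ["/v1/signatures"]   # scan keys: read-only
READ_METHODS = {"GET", "HEAD"}            # assumption: what "read-only" means


def key_role(key):
    """Classify a key by its documented prefix; None if unrecognised."""
    if key.startswith("iwk_admin_"):
        return "admin"
    if key.startswith("iwk_scan_"):
        return "scan"
    return None


def can_access(key, method, path):
    """Client-side model of the role table (not the server's own check)."""
    role = key_role(key)
    if role is None:
        return False
    if role == "admin":
        return True                       # admin keys reach all endpoints
    # Collapse "../" segments so /v1/scan/../admin/x is judged as /v1/admin/x.
    path = posixpath.normpath(path)
    if any(fnmatch.fnmatchcase(path, p) for p in SCAN_PATTERNS):
        return True
    return (method.upper() in READ_METHODS
            and any(fnmatch.fnmatchcase(path, p) for p in READ_ONLY_PATTERNS))


def build_headers(key, method, path):
    """Return the Authorization header, refusing calls the key cannot make."""
    if not can_access(key, method, path):
        raise PermissionError(f"{key_role(key)} key may not {method} {path}")
    return {"Authorization": f"Bearer {key}"}


if __name__ == "__main__":
    scan_key = "iwk_scan_CONSTRUCTED_EXAMPLE"   # constructed, not a real key
    print(build_headers(scan_key, "POST", "/v1/scan/text"))
    print(can_access(scan_key, "GET", "/v1/scan/../admin/keys"))  # False
```

The error message names the key's role rather than the key itself, so a refused call does not write the secret to logs.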
Auth endpoints
POST /v1/auth/login
Log in with your admin key. On success, InferenceWall sets an httpOnly session cookie that you can use for subsequent requests.
Request body:
Your admin API key (iwk_admin_ prefix).
POST /v1/auth/logout
Clear the current session cookie.
GET /v1/auth/check
Check whether the current session cookie is valid.
Error responses
When a request is made without a valid key or session, the API returns 401 Unauthorized:
Security best practices
- Enable TLS in production by setting IW_TLS=auto. This uses automatic certificate management via ACME.
- Rotate keys regularly and revoke any that are no longer in use.
- Scope your application’s key to the minimum required role — use iwk_scan_ keys in application code and reserve iwk_admin_ keys for management operations.