Authentication & API tokens
How the web app authenticates with JWT, how programmatic clients use scoped API tokens, and how to wire each product up securely.
Two ways to authenticate
Rank uses two distinct credential types depending on who is talking to the platform:
- JWT — used by the web app at aleex-rank.ai. When you log in you receive a short-lived access token and a longer-lived refresh token; the refresh token transparently renews the access token. Accounts may enable two-factor authentication (TOTP), which adds a one-time code to the login step. JWTs travel in the
Authorization: Bearer <jwt>header. - API tokens — used by the CLI, the Python SDK, the REST API and CI/CD pipelines. They are long-lived credentials that look like
rk_live_...orrk_test_...and travel in theX-API-Keyheader.
JWTs are for interactive humans in a browser session; API tokens are for automation. Everything outside the web app authenticates with an API token. The two headers are not interchangeable: the Authorization: Bearer header only accepts a JWT, and X-API-Key only accepts an rk_ token.
API tokens
Live vs test
| Prefix | Environment | Use it for |
|---|---|---|
rk_live_... | Production | Real pentests and integrations |
rk_test_... | Sandbox | Local development and experimentation |
Every request authenticates by sending the token in the X-API-Key header:
X-API-Key: rk_live_xxxxxxxxxxxxxxxxCreate a token
-
Open the dashboard at aleex-rank.ai and go to Settings > API Tokens.
-
Choose whether the token is individual (counts against your personal tier) or a team token (counts against the team’s shared pool).
-
Optionally restrict the token’s scope (see below). Leave the scope empty for a full-access token that mirrors your own permissions.
-
Copy the token immediately. It is shown only once — store it in a secret manager or environment variable, never in source control.
The dashboard is the easiest route, but token management is also fully programmatic: you can list, create, scope and revoke tokens through the API and the SDK. See the Authentication & account API for the /auth/api-tokens endpoints and the SDK’s client.auth.api_tokens resource.
Scoped tokens
By default a token inherits all of your permissions. A scoped token is restricted to a subset, following the principle of least privilege. A scoped token can never have more permissions than the user who created it — only fewer.
You can restrict a token along two independent axes:
- Permissions — by individual
permission_idsor bytagsthat expand to a group of endpoints (for example, thepentesttag). Permission and tag selections are combined. - Teams — by
team_ids, limiting the token to specific team workspaces. A token associated with a team is also counted against that team’s token pool instead of your individual pool.
If a request falls outside the token’s scope, the API responds with 403 Forbidden and an explanatory message — either the endpoint is not in the token’s permission set, or the team is not in its team_ids.
{
"name": "CI/CD pipeline",
"tags": ["pentest"],
"permission_ids": [12, 13],
"team_ids": [4]
}Tier limitation
API token limits are set per tier, and the two token pools are independent:
| Tier | Individual API tokens |
|---|---|
| Casual | 0 (not available) |
| Pro | 3 |
| Ultra | Unlimited |
| Business (team) | 10 (shared pool) |
| Enterprise (team) | Unlimited |
The lowest tier, Casual, cannot create personal API tokens. A Casual user who belongs to a team can still create team tokens as long as the team’s pool has room. See Teams & tiers for how the pools work.
Authenticate each product
Store the token once with rank auth set. It is written to ~/.rank-cli/credentials and reused by every subsequent command.
rank auth set rk_live_xxxxxxxxxxxxxxxx
rank auth statusThe client reads the RANK_API_KEY environment variable automatically, or you can pass api_key= when you construct it.
import rank
# Reads RANK_API_KEY from the environment
client = rank.Rank()
# Or pass it explicitly
client = rank.Rank(api_key="rk_live_xxxxxxxxxxxxxxxx")Send the token in the X-API-Key header on every request to https://api.aleex-rank.ai/api/v2.
curl https://api.aleex-rank.ai/api/v2/pentests \
-H "X-API-Key: rk_live_xxxxxxxxxxxxxxxx"Security best practices
- Use environment variables or a secret manager. Never hard-code tokens or commit them to a repository. The CLI keeps them in
~/.rank-cli/credentials; the SDK readsRANK_API_KEY. - Scope to least privilege. For automation, create a scoped token limited to the exact permissions and teams the job needs rather than a full-access token.
- Separate environments. Use
rk_test_...for development andrk_live_...only where you really mean to act on production. - Rotate and revoke. Revoke unused or leaked tokens from Settings > API Tokens or via the API. Because tokens are long-lived, treat them like passwords.
- Prefer team tokens for shared work so the credential and its usage are owned by the team, not a single member.