Authentication & API Keys
Session authentication
SecureCheap uses short-lived JWTs (15-minute access tokens + 7-day refresh tokens).
| Token | TTL | Storage |
|---|---|---|
| Access token | 15 minutes | localStorage + Authorization header |
| Refresh token | 7 days | HTTP-only cookie (sc_refresh_token) |
When an API call returns 401, the SDK automatically uses the refresh token to obtain a new access token. You don't need to handle this manually.
SSO / OAuth
SecureCheap supports single sign-on via:
- Google —
accounts.google.com - GitHub —
github.com/login/oauth
SSO logins still issue the same JWT pair. No special configuration needed.
API keys
Use API keys for server-to-server integrations, CI pipelines, and scripts.
Creating an API key
- Go to Settings → API Keys
- Click + New API Key
- Give it a name and select the scopes you need:
| Scope | Permissions |
|---|---|
monitors:read | List and get monitors |
monitors:write | Create, update, delete monitors |
scans:read | List and get scan results |
scans:write | Trigger new scans |
resources:read | List discovered resources |
integrations:read | List integrations |
alerts:read | List alerts and events |
reports:read | Download reports |
- Copy the key immediately — it's only shown once.
Using an API key
curl https://api.securecheap.com/api/v1/monitors \
-H "Authorization: Bearer sc_live_YOUR_API_KEY"⚠️
API keys have the prefix sc_live_ (production) or sc_test_ (sandbox).
Never commit API keys to version control. Use environment variables or a secrets manager.
Rotating a key
Go to Settings → API Keys → click the key → Rotate. The old key is invalidated immediately.