Session-based authentication (browser)
When you log in to the web dashboard, Better Auth sets a secure HTTP-only session cookie. All subsequent requests from the browser automatically include this cookie. This method is not suitable for programmatic API access from outside the browser.
API key authentication
For scripts, CI pipelines, and external tooling, use an API key.
Create an API key
- Log in to the web dashboard.
- Navigate to Settings → API Keys.
- Click Generate new key and copy the value — it is shown only once.
Use the API key
Pass the key in the Authorization header:
Or in the x-api-key header:
API keys are verified against the Better Auth API key store. Each key is tied to the user who created it and inherits that user’s permissions.
Which endpoints require authentication
| Endpoint | Auth required |
|---|---|
| GET /api/health | No — public, used for load balancer checks |
| POST /api/webhook/gitlab | No session required — validated by webhook token |
| POST /api/webhook/github | No session required — validated by HMAC signature |
| All other /api/* endpoints | Yes — session cookie or API key |
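
The two webhook endpoints in the table authenticate the sender with a shared secret instead of a session. The following is an added example, not this project's code, of how such checks are commonly written in Node.js. It assumes GitHub's X-Hub-Signature-256 header and GitLab's X-Gitlab-Token header; the function names, sample secret and sample payload are constructed for illustration.

```javascript
const crypto = require("node:crypto");

// Compare two values in constant time. Hashing first gives equal-length
// buffers, so timingSafeEqual never throws on a length mismatch.
function safeEqual(a, b) {
  const ha = crypto.createHash("sha256").update(a).digest();
  const hb = crypto.createHash("sha256").update(b).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// GitHub: the header value is "sha256=" + hex(HMAC-SHA256(secret, raw body)).
// rawBody must be the exact bytes received, before any JSON parsing.
function verifyGithubWebhook(rawBody, signatureHeader, secret) {
  if (!secret) return false; // fail closed when no secret is configured
  if (typeof signatureHeader !== "string") return false;
  if (!signatureHeader.startsWith("sha256=")) return false;
  const expected =
    "sha256=" + crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
  return safeEqual(signatureHeader, expected);
}

// GitLab: the header carries the shared secret token itself.
function verifyGitlabWebhook(tokenHeader, secret) {
  if (!secret) return false; // fail closed when no secret is configured
  if (typeof tokenHeader !== "string" || tokenHeader.length === 0) return false;
  return safeEqual(tokenHeader, secret);
}

// Constructed sample values, not real credentials or real webhook traffic.
const SAMPLE_SECRET = "constructed-example-secret";
const SAMPLE_BODY = Buffer.from('{"action":"opened","number":1}');
const SAMPLE_SIG =
  "sha256=" +
  crypto.createHmac("sha256", SAMPLE_SECRET).update(SAMPLE_BODY).digest("hex");

console.log("github valid:", verifyGithubWebhook(SAMPLE_BODY, SAMPLE_SIG, SAMPLE_SECRET));
console.log("gitlab valid:", verifyGitlabWebhook(SAMPLE_SECRET, SAMPLE_SECRET));
```

Both functions return false when the header is missing or the secret is unset, so an unconfigured deployment rejects webhook calls instead of accepting them.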
Permissions
Some write operations additionally require specific permissions beyond being authenticated:
- POST /api/reviews/trigger-manual-review — requires review:create
- POST /api/projects/sync/platform — requires project:create
- PATCH /api/projects/:projectId — requires project:update
- POST /api/platform-configs — requires config:create
- PATCH /api/platform-configs/:id — requires config:update
- DELETE /api/platform-configs/:id — requires config:delete
- GET /api/platform-configs/:id/access-token — requires admin role