Account & Portal Guide

Learn how to manage API keys, configure account settings, understand billing tiers, and use the developer portal.

Overview

The Attestd portal provides a centralized place to:

  • Sign in via magic email links (no password)
  • Create and manage multiple API keys
  • Rotate keys for security hygiene
  • Scope keys to specific API routes
  • Monitor API usage and quota status
  • Manage billing and upgrade plans
  • Configure account settings (notifications, timezone)

Signing in

Attestd uses passwordless authentication. Visit the portal login page and enter your email address. You will receive a magic link to sign in.

No passwords to remember or reset. Your session is stored in a secure browser cookie.

API Keys

API keys are long, random strings prefixed with atst_. For example:

atst_rXEXpza5bJCiOUciMh3l629_ScjhfTuou6wvmtXCPBY

When you create a key, the full plaintext is shown once. Copy it immediately and store it securely (e.g., in your .env or secrets manager). On future visits to the portal, only the key prefix is displayed for reference.

Creating multiple keys

You can create multiple API keys. Visit the /portal/keys page to:

  • View all active (non-revoked) keys
  • Create a new key with an optional name and route scopes
  • See usage statistics per key
  • Rotate or revoke individual keys

Multiple keys are useful for team workflows: use one key in dev, another in staging, and a third in production. Each key can have different scopes and usage quotas.

Key rotation

Rotate a key periodically for security hygiene, or immediately if you suspect the key was exposed. To rotate:

  1. Visit /portal/keys
  2. Click the rotate button next to the key
  3. A new key will be issued and displayed; the old key is revoked atomically
  4. Copy the new plaintext and update your applications

Rotation is instantaneous. The old key stops accepting requests immediately (HTTP 401).

Route scoping

Restrict a key to specific API endpoints using route scopes. Scopes limit what actions an API key can perform, reducing blast radius if the key is compromised.

For example, if you only need to query /v1/check, create a scoped key with allowed routes set to v1.check. That key cannot access other routes or future endpoints.

Scope IDs: A route scope ID is the API URL path with the leading slash removed and any remaining slashes replaced by dots. For example:

  • /v1/check - scope ID: v1.check

Recommendation for CI/CD: Create a scoped key restricted to v1.check only. If a CI/CD secret leaks, the key is limited to read-only dependency checks.

If the scopes list is empty, the key has full access to all endpoints.

Usage and quotas

The dashboard shows your API usage this billing period compared to your included quota:

  • Free tier: 1,000 calls / month. Hard cap; further calls return HTTP 429.
  • Starter tier: 25,000 calls / month. Overage billed at $0.002 / call.
  • Pro tier: 200,000 calls / month. Overage billed at $0.0008 / call.

When you reach 80% of your quota, an email reminder is sent.

If you have multiple keys, usage is aggregated across all keys on your account.
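As an added client-side example (not part of this guide or any Attestd library), the helper below applies what the route scoping, key rotation and quota sections describe: it loads the key from the environment and checks the atst_ prefix, logs only the prefix as the portal does, derives scope IDs from route paths with the empty-list-means-full-access rule, and maps the 401 (rotated or revoked key) and 429 (free-tier hard cap) statuses. The key pattern, the ATTESTD_API_KEY variable name and all function names are assumptions.

```python
import os
import re

# Constructed sample with the same shape as the guide's example; not a real credential.
EXAMPLE_KEY = "atst_rXEXpza5bJCiOUciMh3l629_ScjhfTuou6wvmtXCPBY"

# Assumed shape: the documented atst_ prefix followed by a long random body.
KEY_PATTERN = re.compile(r"^atst_[A-Za-z0-9_-]{20,}$")


def is_valid_key(key):
    """True if the string looks like an Attestd key (catches pasting the wrong secret)."""
    return bool(KEY_PATTERN.match(key or ""))


def load_api_key(env=None, env_var="ATTESTD_API_KEY"):
    """Read the key from the environment (populated from .env or a secrets manager)."""
    key = (env if env is not None else os.environ).get(env_var, "")
    if not is_valid_key(key):
        raise ValueError(f"{env_var} is missing or is not an atst_ key")
    return key


def mask_key(key, visible=10):
    """Keep only a prefix for logs and dashboards, as the portal does after creation."""
    return key[:visible] + "..." if len(key) > visible else "***"


def scope_id(route):
    """Map an API route to its scope ID: drop the leading slash, slashes become dots."""
    return route.strip("/").replace("/", ".")


def route_allowed(scopes, route):
    """An empty scope list grants full access; otherwise the route's scope must be listed."""
    return not scopes or scope_id(route) in scopes


def explain_status(status):
    """Translate the HTTP statuses the guide documents into an operator-facing message."""
    if status == 401:
        return "unauthorized: key revoked or rotated; fetch the new plaintext from /portal/keys"
    if status == 429:
        return "quota exhausted: monthly hard cap reached; wait for the next period or upgrade"
    if 200 <= status < 300:
        return "ok"
    return f"unexpected status {status}"


if __name__ == "__main__":
    print(mask_key(EXAMPLE_KEY), scope_id("/v1/check"))
```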

Billing tiers and upgrades

Three tiers are available. All tiers include CVE coverage (20 products) and supply chain monitoring (26 PyPI packages):

  Tier      Price   Calls / month   Overage
  Free      $0      1,000           Hard cap (HTTP 429)
  Starter   $19     25,000          $0.002 / call
  Pro       $79     200,000         $0.0008 / call

To upgrade, click the upgrade button on your dashboard. You will be redirected to Stripe Checkout. Tier changes take effect immediately.

Manage payment methods and invoices through the Stripe billing portal.

Account settings

Visit /portal/settings to configure:

  • Email notifications: Toggle to enable/disable usage and billing emails
  • Billing email: Set a specific contact email for invoices and billing updates
  • Timezone: Select your timezone for billing period calculations

Best practices

  • Rotate keys regularly. Set a reminder to rotate keys every 3-6 months, or more frequently if they are widely shared.
  • Use scoped keys for CI/CD. Create a key restricted to the endpoints your pipelines actually need (typically just v1.check).
  • Separate keys by environment. Use one key in dev, another in staging, and another in production. This limits fallout if one key is exposed.
  • Monitor usage. Check your quota weekly to ensure you are not approaching limits. Plan upgrades in advance if you see trends.
  • Rotate immediately on compromise. If you suspect a key has been leaked, rotate it right away. The old key will be revoked within seconds.

For more on API authentication and rate limits, see the API Reference. For supply chain integration examples, see Supply Chain Integrity.