Home
API Reference/Authentication

API Authentication

Exolar uses API keys to authenticate requests. API keys are scoped to your organization and can be managed from your dashboard settings.

Creating API Keys

  1. Go to Settings → API Keys
  2. Click "Create API Key"
  3. Enter a descriptive name (e.g., "GitHub Actions - Main Repo")
  4. Copy the key immediately — it won't be shown again
Important

API keys are only displayed once at creation time. If you lose your key, you'll need to create a new one and update your CI configuration.

Key Format

Exolar API keys are prefixed with exolar_ for easy identification:

exolar_abc123def456...

The prefix helps you identify Exolar keys in your environment variables and secrets.

Using API Keys

With the Playwright Reporter

Set the EXOLAR_API_KEY environment variable:

# In GitHub Actions
env:
  EXOLAR_API_KEY: ${{ secrets.EXOLAR_API_KEY }}

# Or in the reporter config
[exolar, { apiKey: process.env.EXOLAR_API_KEY }]

With the REST API

Include the key in the Authorization header:

curl -X POST https://exolar-qa.vercel.app/api/test-results \
  -H "Authorization: Bearer exolar_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{ ... }'

Security Best Practices

Never commit keys

Always use environment variables or secret managers. Never hardcode keys in your codebase.

Use descriptive names

Name keys by their purpose (e.g., "CI - Production", "CI - Staging") for easier management.

Rotate regularly

Periodically create new keys and revoke old ones, especially after team changes.

Revoke unused keys

Remove keys that are no longer in use to minimize your attack surface.

Organization Scoping

API keys are scoped to the organization that created them:

  • Data uploaded with a key belongs to that organization
  • Keys can only access data within their organization
  • Organization admins can manage keys for their organization

If you're seeing results in the wrong organization, check that you're using the correct API key.

Managing Keys

From the API Keys settings page, you can:

  • View — See all active keys and when they were last used
  • Create — Generate new keys with descriptive names
  • Revoke — Immediately disable a key (cannot be undone)

Next Steps

Configure Reporter

Use your API key with the Playwright reporter

API Endpoints

Full API reference for custom integrations