Platform API Keys

Audience: Phoenix Security users (Registered, Pro, Enterprise) — Last updated: 2026-05-18

This guide explains how to generate, use, and manage your Phoenix Security platform API keys directly from your account dashboard — without needing admin intervention.


1. What is a Platform API Key?

A platform API key authenticates your applications, scripts, and CI pipelines when they call Phoenix Security APIs. There are four categories, each for a different purpose — and a different key prefix so they can be rate-limited and revoked independently:

CategoryWhat it's forHeader value starts with
Vulnerability FetchCVE lookups, search, batch enrichment over REST and GraphQLphx_api_basic_, phx_api_power_, phx_api_int_, phx_api_unl_
MCP ClientConnect Claude / Continue / Cursor / any MCP-capable client to Phoenix as a data sourcephx_mcp_
Malware Firewallphoenix-firewall CLI, agent, GitHub Action, and CI gates that retrieve rules and block malicious packagesphx_fw_
Webhook IngressInbound GitHub PR diff, GitLab MR, Jenkins / Azure DevOps callbacks into /api/v1/firewall/webhook/scanphx_whk_
Mixing categories returns 403 scope not permitted. This is intentional: a leaked CI webhook key cannot drain your interactive-fetch quota, and a leaked Fetch key cannot block packages in production.
Not on this page: LLM provider keys (Gemini / OpenAI) — those are managed under LLM Keys. PAI / Internal / Vertex Gemini Validation are administrator-only and never appear in user accounts.

2. Generating a Key

  1. Sign in to https://phxintel.security (or https://phxintel.appsecphoenix.io for pre-prod).
  2. Click your avatar → DashboardMy Account tab.
  3. Scroll to Platform API Keys.
  4. Pick a category card: Vulnerability Fetch, MCP Client, Malware Firewall, or Webhook Ingress.
    Cards your tier doesn't include are disabled with a tooltip explaining what tier unlocks them.
  5. Enter a Name (e.g. prod-scanner, gha-firewall, github-pr-webhook), pick an Expires value (30–365 days), click Generate Key.
  6. Copy the key immediately — the full secret is shown exactly once. Phoenix only stores a hash; if you lose the secret you must revoke and re-issue.
Tier limits the number of active keys you can hold. Revoke an unused key first if you hit the cap.

3. Using a Key

All keys are sent in the same header on every request:

X-API-Key: phx_api_basic_…

Authorization: ApiKey … and Authorization: Bearer phx_… are also accepted.

3.1 Vulnerability Fetch — REST

curl -H "X-API-Key: phx_api_basic_xxxx…" \
     https://phxintel.security/api/v1/cves/CVE-2024-3094

3.2 Vulnerability Fetch — GraphQL

curl -X POST https://phxintel.security/api/v1/graphql \
     -H "X-API-Key: phx_api_power_xxxx…" \
     -H "Content-Type: application/json" \
     -d '{"query":"{ cve(id: \"CVE-2024-3094\") { id ps_hp { score } } }"}'

3.3 MCP Client — Claude Desktop

~/Library/Application Support/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "phoenix-security": {
      "url": "https://phxintel.security/api/v1/mcp",
      "headers": { "X-API-Key": "phx_mcp_xxxx…" }
    }
  }
}

3.4 Malware Firewall — CLI

export PHOENIX_FW_API_KEY=phx_fw_xxxx…
phoenix-firewall scan ./package-lock.json

3.5 Malware Firewall — GitHub Action

- uses: Security-Phoenix-demo/phoenix-firewall-action@v1
  with:
    api-key: ${{ secrets.PHOENIX_FW_API_KEY }}

3.6 Malware Firewall — retrieve rules and block from CLI

# List the rules attached to your account (what blocks what):
curl -H "X-API-Key: $PHOENIX_API_KEY" \
     https://phxintel.security/api/v1/firewall/rules

# Evaluate a package:
curl -X POST https://phxintel.security/api/v1/firewall/evaluate \
     -H "X-API-Key: $PHOENIX_API_KEY" \
     -H "Content-Type: application/json" \
     -d '{"packages":[{"ecosystem":"npm","name":"lodash","version":"4.17.21"}]}'

3.7 Webhook Ingress — GitHub PR / GitLab MR

curl -X POST https://phxintel.security/api/v1/firewall/webhook/scan \
     -H "X-API-Key: phx_whk_xxxx…" \
     -H "Content-Type: application/json" \
     -d '{
       "source": "github-actions",
       "event_type": "pull_request",
       "repository": "acme/web",
       "ref": "refs/pull/42/head",
       "lockfiles": [{"path":"package-lock.json","content":"..."}],
       "callback_url": "https://ci.acme.com/hooks/phoenix"
     }'

4. Tier Matrix

CapabilityRegisteredPro (Premium)Enterprise (Premium Plus)
Vulnerability Fetch (REST/GraphQL)BasicPower / IntegrationUnlimited
MCP ClientNoYesYes
Malware FirewallYesYesYes
Webhook IngressNoYesYes
Max active keys25Unlimited
Rate limit / hour (fetch)1005,00050,000
Rate limit / hour (MCP)5005,000
Rate limit / hour (firewall)1,0001,0001,000
Rate limit / hour (webhook)5,0005,000

Free-tier users do not get platform API keys. Upgrade to Registered for self-service.


5. Lifecycle

ActionWhereNotes
CreateMy Account → Platform API Keys → GenerateSecret shown once
ListSame panel, "Your Keys" tableShows prefix, scope, last-used, expiry
RevokeRevoke button in rowTakes effect within seconds across all edges
RotateRevoke + create newNo in-place rotation — encourages clean cut-over
Auto-expiryAt the Expires date you pickedPick short TTLs and re-issue on a cron for production

6. Security Best Practices


7. Troubleshooting

SymptomLikely causeFix
401 Invalid or expired API keyKey revoked, expired, or typoCheck the key prefix; re-issue from the dashboard
403 scope not permittedUsed a Fetch key against MCP or Firewall endpoint (or vice versa)Generate a key of the correct category
429 Rate limit exceededBurst exceeded minute/hour/day capCheck X-RateLimit-Remaining header; back off; or upgrade tier
Generation button disabledTier doesn't grant that category, or max-active-keys reachedRevoke unused keys, or upgrade tier
Key works locally but not in CISecret quoted/escaped incorrectly in CI storeRe-paste with no leading/trailing whitespace

8. FAQ

Can I share a key across my team?
No — each key is tied to the user who created it for audit purposes. Use a service account if you need shared credentials.

Is there a separate key for the Phoenix Firewall agent (phx_fwagent_*)?
Yes, but that key is provisioned via phoenix-firewall enroll with a one-time bootstrap token issued by your global admin — not from this dashboard. Use a phx_fw_* Malware Firewall key for CLI / CI / agent-bridge flows.

What's the difference between phx_api_basic_ and phx_api_unl_?
Just the rate-limit tier. Endpoints and response payloads are identical (modulo tier-based field redaction enforced server-side by data_shield).

Can I get a key without expiry?
No. All self-service keys must expire (max 365 days). This is a security guard, not a billing limit.


9. Compatibility with phoenix-firewall CLI

The same phx_fw_* key works across all official Phoenix Firewall clients. Both repos read the key from the standard environment variable / config slot:

9.1 PUB-firewall (Go binary)

# Option A — env var (recommended for CI):
export PHOENIX_API_KEY=phx_fw_xxxxxxxx...
phoenix-firewall scan ./package-lock.json

# Option B — config.toml (recommended for laptops):
# ~/.config/phoenix-firewall/config.toml
api_key  = "phx_fw_xxxxxxxx..."
api_url  = "https://phxintel.security"
SubcommandEndpointWorks with phx_fw_*
scanPOST /api/v1/firewall/evaluateYes
doctorhealth probeYes
agent-bridgePOST /api/v1/firewall/evaluateYes
enrollPOST /api/v1/firewall/agent/enrollYes (bootstrap step only; subsequent calls use phx_fwagent_*)
system (endpoint mode)/api/v1/firewall/agent/*No — requires device-enrolled phx_fwagent_* key

9.2 PUB-firewall-agents-hub (NPM packages)

export PHOENIX_API_KEY=phx_fw_xxxxxxxx...

npx @phoenix-security/cli scan ./package.json
npx @phoenix-security/cli install-hooks
npx @phoenix-security/mcp-firewall

9.3 GitHub Action

- uses: Security-Phoenix-demo/phoenix-firewall-action@v1
  with:
    api-key: ${{ secrets.PHOENIX_API_KEY }}

10. Related Documentation