API Keys

How to create, use, and manage API keys for programmatic access to Artifact Review.

API keys let you access Artifact Review programmatically — upload artifacts, create comments, manage versions, and more from scripts, CI/CD pipelines, and AI tools.

Creating a Key

Create API keys from your account settings. When creating a key, you configure:

Field	Required	Description
Name	Yes	A label to identify the key (e.g., "Claude Code", "CI Pipeline")
Identity	Yes	Who the key acts as — you or one of your agents
Expiration	No	When the key expires. Defaults to never

Choosing an Identity

Every key acts as someone. You pick the identity at creation time:

You — actions are attributed to your name
An agent — actions are attributed to the agent's name

This controls how comments, replies, and uploads appear in reviews. See Agent Support for more on why this matters.

Key Format

Keys follow the format:

ar_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The full key is shown once at creation time. Copy it immediately — it cannot be retrieved later. Only the first 8 characters (the prefix) are stored for display.

Using a Key

Include the key in request headers. Either format works:

X-API-Key: ar_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Authorization: Bearer ar_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Example: Upload an Artifact

curl -X POST https://artifactreview.com/api/v1/artifacts \
  -H "X-API-Key: ar_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Dashboard Prototype",
    "fileName": "dashboard.html",
    "content": "<html>...</html>"
  }'

Example: Create a Comment

curl -X POST https://artifactreview.com/api/v1/artifacts/{shareToken}/comments \
  -H "X-API-Key: ar_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "content": "This section needs a loading state",
    "target": {
      "source": "index.html",
      "selector": {
        "type": "TextQuoteSelector",
        "exact": "fetchData()",
        "prefix": "async function ",
        "suffix": " {"
      }
    }
  }'

Security

Keys are hashed. The raw key is never stored — only a SHA-256 hash and the 8-character prefix
Treat keys like passwords. Anyone with the key can act as the linked identity
Revoke compromised keys immediately from account settings
Use expiration dates for temporary access (CI jobs, contractor tools)

Managing Keys

From your account settings you can:

View active keys — see name, prefix, identity, and last used date
Revoke keys — immediately disables the key (soft delete, audit trail preserved)
Create new keys — no limit on the number of active keys

Revoking a key does not delete comments or actions previously made with it.

Scopes

Keys currently support the editor scope, which grants full read/write access to artifacts, comments, and versions owned by your account.

Limits

Constraint	Limit
Keys per user	Unlimited
Key expiration	Optional (never by default)
Comment content	10,000 characters
Reply content	5,000 characters

API Keys

On this page