The BastionZero API uses API keys or authenticated users to authenticate all requests. In addition, all API requests are subject to a policy check before they are permitted to execute. At any time one can see the active API keys in the API dashboard, found here.
Once an API key is created, it cannot be retrieved via BastionZero. Please remember to secure your API keys in a safe place! Avoid storing keys in files, code, or anywhere public.
BastionZero supports passing your API key using the X-API-KEY header for any application, such as Postman, curl, or your own business logic.
There is a special type of API key in the BastionZero platform known as the registration key. A registration key can only be used to register targets. Any attempt to use a registration key for non-registration APIs will fail because the policy check will return Deny.
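The key-handling advice and the X-API-KEY header described above, as an added Python example (not BastionZero's own code): the key is read from the environment rather than from code or a file, sent only over HTTPS, and redacted before logging. The `BZERO_API_KEY` variable name and the URL are placeholders assumed for illustration.

```python
import os
import urllib.request
from urllib.parse import urlsplit

API_KEY_ENV = "BZERO_API_KEY"  # hypothetical variable name, not defined by BastionZero


def load_api_key(env=os.environ):
    """Read the key from the environment so it never lives in code or a repo file."""
    key = env.get(API_KEY_ENV, "").strip()
    if not key:
        raise RuntimeError(f"{API_KEY_ENV} is not set")
    return key


def redact(key):
    """Log-safe form: only the last four characters, and none for short keys."""
    visible = key[-4:] if len(key) > 8 else ""
    return "*" * (len(key) - len(visible)) + visible


def build_request(url, env=os.environ):
    """Return a urllib Request carrying the key in the X-API-KEY header."""
    if urlsplit(url).scheme != "https":
        # Refuse to send the secret over a cleartext connection.
        raise ValueError("API key must only be sent over HTTPS")
    req = urllib.request.Request(url)
    # urllib stores the name as "X-api-key"; HTTP header names are case-insensitive.
    req.add_header("X-API-KEY", load_api_key(env))
    return req


if __name__ == "__main__":
    # Placeholder URL: substitute the endpoint from the BastionZero API reference.
    demo_env = {API_KEY_ENV: "constructed-sample-key-1234"}  # constructed value
    req = build_request("https://bastionzero.example/placeholder", demo_env)
    print("X-API-KEY:", redact(req.get_header("X-api-key")))
```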