Liberty91

Authentication and API keys.

Last updated 8 Jul 20263 min read

Every request to the Liberty91 API carries an API key. Keys are created by an account Owner or Admin in the platform UI (Billing Account profile, then API Keys), and each key belongs to exactly one billing account.

Sending your key

Two header forms are accepted, so you can use whichever your tooling prefers:

# Option 1: dedicated header
curl "https://api.liberty91.com/api/v1/iocs/" \
  -H "X-API-Key: l91_live_xxxxxxxxxxxxxxxxxxxxxxxx"
 
# Option 2: standard bearer token
curl "https://api.liberty91.com/api/v1/iocs/" \
  -H "Authorization: Bearer l91_live_xxxxxxxxxxxxxxxxxxxxxxxx"

Never put the key in a query parameter, and never ship it to a browser. This is a server-to-server API by design.

Key types

PrefixUse
l91_live_Production keys
l91_test_Non-production keys for development and staging

Key lifecycle

A few properties are worth knowing before you build:

  • The full secret is shown once, at creation. Afterwards the platform only stores and displays a prefix and the last four characters.
  • Lost keys are rotated, not recovered. Create a new one, switch your integration, then revoke the old one.
  • Revocation takes effect within about 30 seconds.
Tip

Treat API keys like any other production credential: keep them in a secrets manager, give each integration its own key, and grant only the scopes that integration needs. Separate keys also give you clean per-integration rate limit and credit visibility.

Scopes

A key carries a set of scopes that controls what it can call. An empty scope list grants all read scopes. Write scopes must always be granted explicitly.

ScopeGrants
iocs.readIOC lookup, list, and export
events.readEvents list and detail
threats.readThreat library (actors, malware, vulnerabilities, clusters)
reports.readReports list, detail, and download
alerts.readAlert rules and matches
orgs.readCustomer organizations, assets, suppliers, documents
events.writeIngest events
reports.generateGenerate reports
orgs.writeUpload documents, confirm entities, trigger description updates

Calling an endpoint without the required scope returns 403 Forbidden with a message naming the missing scope.

The tenant boundary

Every key is bound to a single billing account, and every response is limited to that account's data. Objects belonging to another tenant simply do not exist as far as your key is concerned: requesting them returns 404 Not Found, the same as any other missing object. This is a hard boundary enforced on every endpoint, not a filter you opt into.

Frequently asked questions

Where do I create a Liberty91 API key?

An account Owner or Admin creates keys in the platform UI under the Billing Account profile, in the API Keys section. The full secret is shown once at creation, so store it in your secrets manager right away.

What happens if I lose an API key?

Keys cannot be recovered, only rotated. Create a new key, move your integration over, and revoke the old one. Revocation takes effect within about 30 seconds.

What does an API key with no scopes do?

A key with an empty scope list gets all read scopes. Write scopes always have to be granted explicitly, so a default key can read your intelligence but never change anything.

Was this page helpful?