Authentication & API Keys

Secure your integration with Euriqa using API keys for CI/CD pipelines or session-based authentication for the dashboard.

Overview

Euriqa supports two authentication methods. Both enforce the same authorization rules, including row-level security and role-based access control.

Method	Header	Use Case
API Key	`X-API-Key`	CI/CD pipelines, scripts, programmatic access
Session Cookie	`Cookie`	Browser-based dashboard access

API Keys

API keys are the recommended way to authenticate CI/CD pipelines and programmatic access to the Euriqa platform. Each key is scoped to a specific project for isolation.

Key Format

API keys must be a minimum of 16 characters. Euriqa validates key format on every request and rejects placeholder values such as your-api-key or test-key.

Key Scoping

Every API key is scoped to a single project. This means a key can only access data belonging to the project it was generated for. Keys cannot access data from other projects or teams.

Creating API Keys

Via the Dashboard: Navigate to your project settings at app.euriqa.dev and click "Generate API Key". Give each key a descriptive name (e.g., "GitHub Actions", "GitLab CI", "Local Dev").

Via the API:

bash

curl -X POST https://app.euriqa.dev/api/api-keys \
  -H "Content-Type: application/json" \
  -H "Cookie: <session-cookie>" \
  -d '{
    "name": "GitHub Actions",
    "projectId": "your-project-id",
    "expiresAt": "2026-12-31T00:00:00Z"
  }'

Managing Keys

API keys can be activated or deactivated without deleting them. This is useful for temporarily disabling access without losing the key configuration. You can also set optional expiration dates for added security.

Key Properties

namestringRequired
A descriptive name for the key (e.g., "GitHub Actions").
projectIdstringRequired
The project this key is scoped to.
expiresAtstring
Optional ISO 8601 expiration date. Keys without an expiration date do not expire.
isActiveboolean
Whether the key is currently active. Defaults to true.
lastUsedAtstring
Automatically updated timestamp showing when the key was last used.

Using API Keys

Include your API key in the X-API-Key header with every request:

bash

curl https://app.euriqa.dev/api/runs \
  -H "X-API-Key: your-api-key"

For the Playwright reporter, set the key as an environment variable:

bash

export EURIQA_API_KEY=your-api-key
export EURIQA_PROJECT_ID=your-project-id
npx playwright test

Key Validation

The reporter SDK validates API keys before making any network calls. Validation checks include:

Minimum 16 characters
Rejects known placeholder values
Verifies the key is active and not expired
Confirms the key is scoped to the provided project ID

User Authentication

User authentication is handled via Supabase Auth with email/password credentials. Sessions are managed automatically in the browser.

Sign Up

Create an account at app.euriqa.dev/signup. Email verification is mandatory before you can access the platform. After verifying your email, the onboarding wizard will guide you through creating your first team and project.

bash

POST https://app.euriqa.dev/auth/signup
Content-Type: application/json

{
  "email": "you@company.com",
  "password": "your-secure-password"
}

Login

bash

POST https://app.euriqa.dev/auth/login
Content-Type: application/json

{
  "email": "you@company.com",
  "password": "your-secure-password"
}

Forgot Password

Request a password reset email. A secure reset link will be sent to the email address on file.

bash

POST https://app.euriqa.dev/auth/forgot-password
Content-Type: application/json

{
  "email": "you@company.com"
}

Team Roles & Permissions

Every team member is assigned a role that determines what actions they can perform. Roles are enforced at both the API and database levels.

Role	Capabilities
Owner	Full control over team, members, and all projects. Can delete the team.
Admin	Manage team members, create projects, manage project settings.
Member	Create projects, view all team data, invite users.
Viewer	Read-only access to projects and test results.

Only Owners and Admins can change member roles or remove members from a team.

Row-Level Security

All data access in Euriqa is controlled at the database level using Supabase Row-Level Security (RLS). This means authorization is enforced regardless of how the data is accessed — through the dashboard, API, or direct database queries.

User-scoped: Users can only access their own account data.
Team-scoped: Users can only access teams they belong to.
Project-scoped: Test data is isolated per project.
Role-based: Actions are gated by team role (Owner, Admin, Member, Viewer).

Both API key authentication and session-based authentication enforce the same RLS policies. There is no way to bypass authorization regardless of authentication method.

Security Best Practices

Use environment variables — Never hard-code API keys in your source code or configuration files. Store them as CI/CD secrets or environment variables.
Rotate keys regularly — Create new keys and deactivate old ones on a regular schedule. Euriqa lets you have multiple active keys per project to enable zero-downtime rotation.
Set expiration dates — Use the optional expiration field when creating keys to ensure they cannot be used indefinitely.
Use descriptive key names— Name keys after their purpose (e.g., "GitHub Actions Production") so you can quickly identify and revoke compromised keys.
Use the principle of least privilege — Assign the Viewer role to team members who only need read access to test results.
Monitor key usage— Regularly review the "last used" timestamps on your API keys to identify unused or potentially compromised keys.
HTTPS only — All API communication uses HTTPS. Never send API keys over unencrypted connections. The only exception is localhost for local development.

Authentication & API Keys

Secure your integration with Euriqa using API keys for CI/CD pipelines or session-based authentication for the dashboard.

Overview

Euriqa supports two authentication methods. Both enforce the same authorization rules, including row-level security and role-based access control.

Method	Header	Use Case
API Key	`X-API-Key`	CI/CD pipelines, scripts, programmatic access
Session Cookie	`Cookie`	Browser-based dashboard access

API Keys

API keys are the recommended way to authenticate CI/CD pipelines and programmatic access to the Euriqa platform. Each key is scoped to a specific project for isolation.

Key Format

API keys must be a minimum of 16 characters. Euriqa validates key format on every request and rejects placeholder values such as your-api-key or test-key.

Key Scoping

Every API key is scoped to a single project. This means a key can only access data belonging to the project it was generated for. Keys cannot access data from other projects or teams.

Creating API Keys

Via the Dashboard: Navigate to your project settings at app.euriqa.dev and click "Generate API Key". Give each key a descriptive name (e.g., "GitHub Actions", "GitLab CI", "Local Dev").

Via the API:

bash

curl -X POST https://app.euriqa.dev/api/api-keys \
  -H "Content-Type: application/json" \
  -H "Cookie: <session-cookie>" \
  -d '{
    "name": "GitHub Actions",
    "projectId": "your-project-id",
    "expiresAt": "2026-12-31T00:00:00Z"
  }'

Managing Keys

Key Properties

namestringRequired
A descriptive name for the key (e.g., "GitHub Actions").
projectIdstringRequired
The project this key is scoped to.
expiresAtstring
Optional ISO 8601 expiration date. Keys without an expiration date do not expire.
isActiveboolean
Whether the key is currently active. Defaults to true.
lastUsedAtstring
Automatically updated timestamp showing when the key was last used.

Using API Keys

Include your API key in the X-API-Key header with every request:

bash

curl https://app.euriqa.dev/api/runs \
  -H "X-API-Key: your-api-key"

For the Playwright reporter, set the key as an environment variable:

bash

export EURIQA_API_KEY=your-api-key
export EURIQA_PROJECT_ID=your-project-id
npx playwright test

Key Validation

The reporter SDK validates API keys before making any network calls. Validation checks include:

Minimum 16 characters
Rejects known placeholder values
Verifies the key is active and not expired
Confirms the key is scoped to the provided project ID

User Authentication

User authentication is handled via Supabase Auth with email/password credentials. Sessions are managed automatically in the browser.

Sign Up

bash

POST https://app.euriqa.dev/auth/signup
Content-Type: application/json

{
  "email": "you@company.com",
  "password": "your-secure-password"
}

Login

bash

POST https://app.euriqa.dev/auth/login
Content-Type: application/json

{
  "email": "you@company.com",
  "password": "your-secure-password"
}

Forgot Password

Request a password reset email. A secure reset link will be sent to the email address on file.

bash

POST https://app.euriqa.dev/auth/forgot-password
Content-Type: application/json

{
  "email": "you@company.com"
}

Team Roles & Permissions

Every team member is assigned a role that determines what actions they can perform. Roles are enforced at both the API and database levels.

Role	Capabilities
Owner	Full control over team, members, and all projects. Can delete the team.
Admin	Manage team members, create projects, manage project settings.
Member	Create projects, view all team data, invite users.
Viewer	Read-only access to projects and test results.

Only Owners and Admins can change member roles or remove members from a team.

Row-Level Security

User-scoped: Users can only access their own account data.
Team-scoped: Users can only access teams they belong to.
Project-scoped: Test data is isolated per project.
Role-based: Actions are gated by team role (Owner, Admin, Member, Viewer).

Both API key authentication and session-based authentication enforce the same RLS policies. There is no way to bypass authorization regardless of authentication method.

Security Best Practices

Use environment variables — Never hard-code API keys in your source code or configuration files. Store them as CI/CD secrets or environment variables.
Rotate keys regularly — Create new keys and deactivate old ones on a regular schedule. Euriqa lets you have multiple active keys per project to enable zero-downtime rotation.
Set expiration dates — Use the optional expiration field when creating keys to ensure they cannot be used indefinitely.
Use descriptive key names— Name keys after their purpose (e.g., "GitHub Actions Production") so you can quickly identify and revoke compromised keys.
Use the principle of least privilege — Assign the Viewer role to team members who only need read access to test results.
Monitor key usage— Regularly review the "last used" timestamps on your API keys to identify unused or potentially compromised keys.
HTTPS only — All API communication uses HTTPS. Never send API keys over unencrypted connections. The only exception is localhost for local development.