Public API
Enable and secure the Public API for CI/CD and automation—control tokens, rate limits, allowed roles, CORS, and best practices.
Overview
The Public API enables secure programmatic access to Total Shift Left for CI/CD pipelines, automation tools, and integrations. Use it to trigger runs, fetch results, and integrate quality gates into delivery workflows.
Enable Public API
To keep the attack surface small, enable the Public API only when an integration actually requires it, and disable it again when that integration is retired.
Authentication and token policies
- Define how tokens are created and how long they remain valid (shorter expiry improves security).
- Restrict token generation and usage to allowed roles only.
- Rotate tokens regularly and revoke unused tokens.
Related: Role permissions and Audit logs.
Rate limiting
Rate limiting protects your deployment from accidental overload and abuse. Set strict limits in production and loosen only when you have evidence that higher throughput is needed.
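The token policies above (allowed roles, bounded expiry, rotation, revocation of unused tokens) and per-token rate limiting can be exercised together in one small request gate. The code below is an added illustration, not Total Shift Left's own code or API: the role names, the 24-hour lifetime cap, the limits and the sample tokens are assumptions constructed for the example, and a real deployment would persist tokens and use its own role model.

```python
"""Added example (not Total Shift Left's own code): an in-memory gate that
applies the token policies and rate limits described above.  Role names, the
24h lifetime cap, the limits and the sample tokens are all assumptions made
for illustration; a real deployment would persist tokens and use its own roles."""
import secrets
from collections import deque
from dataclasses import dataclass, field

ALLOWED_TOKEN_ROLES = {"ci-runner", "integration"}   # assumed: roles that may hold API tokens
MAX_TOKEN_LIFETIME_S = 24 * 3600                      # assumed policy: no token lives longer than 24h


@dataclass
class ApiToken:
    value: str
    role: str
    issued_at: float
    expires_at: float
    last_used_at: float
    revoked: bool = False


@dataclass
class TokenStore:
    tokens: dict = field(default_factory=dict)

    def issue(self, role: str, now: float, lifetime_s: float = MAX_TOKEN_LIFETIME_S) -> ApiToken:
        """Create a token; only allowed roles may get one, and expiry is capped by policy."""
        if role not in ALLOWED_TOKEN_ROLES:
            raise PermissionError(f"role {role!r} is not allowed to hold API tokens")
        lifetime_s = min(lifetime_s, MAX_TOKEN_LIFETIME_S)
        tok = ApiToken(secrets.token_urlsafe(32), role, now, now + lifetime_s, now)
        self.tokens[tok.value] = tok
        return tok

    def rotate(self, old_value: str, now: float) -> ApiToken:
        """Rotation: issue a fresh token for the same role and revoke the old one."""
        old = self.tokens[old_value]
        old.revoked = True
        return self.issue(old.role, now)

    def revoke_unused(self, now: float, idle_s: float) -> int:
        """Revoke every live token that has not been used for idle_s seconds."""
        count = 0
        for tok in self.tokens.values():
            if not tok.revoked and now - tok.last_used_at >= idle_s:
                tok.revoked = True
                count += 1
        return count


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window_s` seconds per key."""

    def __init__(self, limit: int, window_s: float):
        self.limit, self.window_s = limit, window_s
        self.hits: dict = {}

    def allow(self, key: str, now: float) -> bool:
        q = self.hits.setdefault(key, deque())
        while q and now - q[0] >= self.window_s:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def authorize(store: TokenStore, limiter: RateLimiter, token_value: str, now: float) -> str:
    """Return "ok" or the reason a request must be rejected (checked in this order)."""
    tok = store.tokens.get(token_value)
    if tok is None:
        return "unknown token"
    if tok.revoked:
        return "revoked"
    if now >= tok.expires_at:
        return "expired"
    if not limiter.allow(token_value, now):   # limit is keyed per token, not per client IP
        return "rate limited"
    tok.last_used_at = now
    return "ok"


if __name__ == "__main__":
    # Constructed walk-through: strict production limit of 3 requests per minute.
    store, limiter = TokenStore(), RateLimiter(limit=3, window_s=60)
    tok = store.issue("ci-runner", now=1000.0)
    for t in (1001.0, 1002.0, 1003.0, 1004.0):
        print(t, authorize(store, limiter, tok.value, t))
    fresh = store.rotate(tok.value, now=2000.0)
    print("old after rotation:", authorize(store, limiter, tok.value, 2001.0))
    print("new after rotation:", authorize(store, limiter, fresh.value, 2001.0))
```

Two design points worth keeping when adapting this: the expiry cap is enforced in `issue`, so a caller cannot request a longer-lived token than policy allows, and the rate limit is keyed by token rather than by client address, so one noisy pipeline cannot exhaust the budget of every job that shares a NAT address.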
CORS (Cross-Origin Resource Sharing)
Avoid wildcard CORS in production. Prefer an allow-list of trusted domains.
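The allow-list rule above is easy to get subtly wrong: an origin must be compared as a whole (scheme, host and port) after normalisation, never by prefix, suffix or substring, and the wildcard should be refused by configuration validation rather than merely discouraged. The following is an added example, not Total Shift Left's own code or configuration; the origins, the `production` flag and the header set returned are assumptions made for illustration.

```python
"""Added example (not Total Shift Left's own code): answering the browser's
Origin header from an explicit allow-list instead of '*'.  Origins, the
production flag and the exact headers returned are assumptions."""
from urllib.parse import urlsplit


def normalize_origin(origin: str):
    """Return 'scheme://host[:port]' in canonical form, or None if it is not a plain origin."""
    try:
        p = urlsplit(origin.strip())
        port = p.port                      # raises ValueError on a malformed port
    except ValueError:
        return None
    if p.scheme not in ("http", "https") or not p.hostname:
        return None
    if p.path not in ("", "/") or p.query or p.fragment or p.username or p.password:
        return None
    default = 443 if p.scheme == "https" else 80
    host = p.hostname.lower()
    if port is None or port == default:
        return f"{p.scheme}://{host}"
    return f"{p.scheme}://{host}:{port}"


def build_cors_allow_list(configured, production: bool = True) -> set:
    """Validate the configured allow-list once at startup; '*' is rejected in production."""
    allowed = set()
    for entry in configured:
        if entry == "*":
            if production:
                raise ValueError("wildcard CORS origin is not permitted in production")
            return {"*"}
        norm = normalize_origin(entry)
        if norm is None:
            raise ValueError(f"invalid origin in CORS allow-list: {entry!r}")
        allowed.add(norm)
    return allowed


def cors_headers(allow_list: set, request_origin) -> dict:
    """Headers to add to the response, or {} when the requesting origin is not trusted.

    Matching is on the whole normalized origin, so a lookalike such as
    'https://ci.example.com.lookalike.example' never matches 'https://ci.example.com',
    and a different scheme or port is a different origin.  Browsers send the Origin
    header in canonical form, so echoing the normalized value is what they compare."""
    if "*" in allow_list:
        return {"Access-Control-Allow-Origin": "*"}
    norm = normalize_origin(request_origin or "")
    if norm is None or norm not in allow_list:
        return {}
    return {"Access-Control-Allow-Origin": norm, "Vary": "Origin"}
```

`Vary: Origin` matters whenever the response differs per origin: without it a shared cache could serve one origin's `Access-Control-Allow-Origin` header to another.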
Best practices
- Enable the API only when you need it.
- Keep rate limits conservative in production.
- Use least-privilege roles for tokens.
- Store tokens in your secret manager (never in source control).
Related articles
- AI Settings · Product documentation
- Audit Logs · Product documentation
- Configuration · Product documentation
- Debug Logging · Product documentation
- Email Settings · Product documentation
- Email Templates · Product documentation
Next steps
- Getting started · Install + connect your spec
- Configuration fundamentals · Stabilize runs
- Initial configuration · Users, licensing, projects
- Release notes · Updates and fixes