Authentication
The Pixel House supports two authentication methods: API keys for programmatic access and session cookies for the dashboard.
API keys
API keys are the recommended way to authenticate REST API requests. Create keys in Settings.
Usage
Include the key in the Authorization header:
Authorization: Bearer ph_live_your_api_key_here
Key prefixes
ph_live_Production keys — use in deployed applicationsph_test_Test keys — use in development and CIScopes
readRead-only access to screenshots, baselines, comparisonsread_writeFull access to capture, compare, and manage resourcesadminAll permissions including API key managementSecurity
- Keys are hashed with SHA-256 before storage — we never store plaintext keys
- Keys are shown once at creation — copy and store securely
- Keys can be revoked instantly from the dashboard
- Optional expiry dates can be set at creation time
Session authentication
The dashboard uses session cookies via Better Auth. Sessions are created on login and stored as HTTP-only secure cookies. Session-based auth is used automatically when accessing the dashboard — no configuration needed.
Supported providers
- Email and password
- GitHub OAuth
Rate limits
Rate limits are applied per API key or per IP for unauthenticated requests.
| Plan | Rate |
|---|---|
| Free | 10 requests/second |
| Solo / Team / Agency | 50 requests/second |
| Enterprise | 100 requests/second |
Rate limit headers (X-RateLimit-Limit, X-RateLimit-Remaining, Retry-After) are included in all responses.