The Sigilix API is in private beta. This page documents the authentication model; endpoints will land in subsequent releases.

Authentication

All API requests use a personal access token (PAT) in the Authorization header:
curl https://api.sigilix.ai/v1/reviews \
  -H "Authorization: Bearer sgx_pat_xxxxxxxxxxxx"
PATs are minted on the Sigilix dashboard (coming soon). They’re scoped to a single Sigilix installation — one PAT per GitHub org.

Scopes

PATs have four scopes:
| Scope | Endpoints |
| --- | --- |
| reviews:read | List and fetch past reviews |
| findings:read | Fetch individual findings + suggested patches |
| webhooks:write | Configure outbound webhooks for review.completed events |
| config:write | Modify sigilix.json programmatically (CI integration) |
Choose the minimum scopes you need. The dashboard shows which endpoints each scope unlocks.

Rate limits

API requests are rate-limited separately from review limits. During the private beta, API limits are set per account rather than by a public tier. Every response carries the current window state in headers:
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 982
X-RateLimit-Reset: 2026-05-05T04:00:00Z
When you hit the limit, the API returns 429 with a Retry-After header.
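One way a client can turn these headers into a pause before its next request. This is an added example, not Sigilix's own code. It assumes Retry-After uses one of the two standard HTTP forms (delay in seconds or an HTTP-date); the function names and the DEFAULT_BACKOFF value are hypothetical.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

DEFAULT_BACKOFF = 30.0  # assumption: fallback when no usable header is present


def _header(headers, name):
    """Case-insensitive lookup in a plain dict of response headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _retry_after(value, now):
    """Parse Retry-After as delay-seconds or HTTP-date; None if malformed."""
    value = value.strip()
    if value.isdigit():
        return float(value)
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return max(0.0, (when - now).total_seconds())


def seconds_to_wait(status, headers, now):
    """Seconds a client should pause before sending its next request."""
    if status == 429:
        retry_after = _header(headers, "Retry-After")
        delay = _retry_after(retry_after, now) if retry_after else None
        if delay is not None:
            return delay
    else:
        remaining = _header(headers, "X-RateLimit-Remaining")
        if remaining is None or int(remaining) > 0:
            return 0.0  # budget left in the current window
    reset = _header(headers, "X-RateLimit-Reset")
    if reset is None:
        return DEFAULT_BACKOFF
    # ISO 8601 UTC timestamp, as in the sample headers on this page
    reset_at = datetime.fromisoformat(reset.replace("Z", "+00:00"))
    return max(0.0, (reset_at - now).total_seconds())


# Constructed sample: a 429 received 90 seconds before the window resets
NOW = datetime(2026, 5, 5, 3, 58, 30, tzinfo=timezone.utc)
print(seconds_to_wait(429, {"Retry-After": "Tue, 05 May 2026 04:00:00 GMT"}, NOW))
```

A malformed Retry-After falls back to X-RateLimit-Reset, and a 429 with neither header falls back to DEFAULT_BACKOFF, so the client never retries immediately after a rejection.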

OAuth2 (coming)

For server-to-server integrations (e.g., a third-party platform integrating with Sigilix on behalf of customer orgs), an OAuth2 flow is on the roadmap.

Endpoints

The reviews and findings endpoints (private beta).

Webhooks

Outbound webhook events Sigilix can fire on your endpoints.