Docs · Authentication · Q4 2026

Authentication and API keys.

The Crawlux API uses Bearer token authentication. API keys are generated per workspace from the Crawlux dashboard; each key is scoped to that workspace and carries configurable rate limits. Keys exist for two environments: test (free, returns synthetic data) and live (consumes tier quota, runs real audits).

// Section 01 · Authorization header

Bearer token format and request structure.

Every authenticated API request must carry an Authorization header with a valid API key, using the Bearer scheme defined in RFC 6750. Any POST or PUT body must be sent with Content-Type: application/json.

Authorization: Bearer crl_live_8f3k29vJ7nQa4b8c92eP3kqM
Content-Type: application/json

Keys come in two environments: crl_test_ for sandbox testing and crl_live_ for production audits. The prefix tells you immediately which environment a key belongs to, so a client can check it before sending a request and catch the common mistake of test code accidentally hitting production, or production code running against the sandbox.
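The following is an added example, not Crawlux's own client library: a small request builder that attaches the headers above and uses the key prefix as a deployment guard, so a crl_live_ key is refused outside production and a crl_test_ key is refused inside it (this also implements the "separate keys per environment" practice from the security section). Assumptions not stated on the page: the API base URL, the name of the request body field ("domain"), and the deployment names the guard compares against.

```python
import json
import urllib.request

# Added example; not Crawlux's code. Built only from the page's description of
# the Authorization header and the crl_test_/crl_live_ prefixes.
API_BASE = "https://api.crawlux.example"  # assumption: the page gives no base URL

KEY_PREFIXES = {"crl_test_": "test", "crl_live_": "live"}


def key_environment(api_key: str) -> str:
    """Return "test" or "live" from the key prefix described on the page.

    Anything without a known prefix is rejected locally rather than sent to
    the API, so a misconfigured secret (empty string, a webhook signing secret
    pasted into the wrong variable) fails fast and never leaves the process.
    """
    for prefix, env in KEY_PREFIXES.items():
        if api_key.startswith(prefix):
            return env
    raise ValueError("not a Crawlux API key: expected a crl_test_ or crl_live_ prefix")


def redact(api_key: str) -> str:
    """Log-safe form of a key: the environment prefix plus the last four characters."""
    env = key_environment(api_key)
    prefix = next(p for p, e in KEY_PREFIXES.items() if e == env)
    return f"{prefix}...{api_key[-4:]}"


def check_key_for_deployment(api_key: str, deployment: str) -> str:
    """Guard against the cross-environment mistake the page warns about.

    `deployment` names where this process runs ("production", "staging",
    "dev", ...; the names are an assumption). Production must hold a live key;
    every other deployment must not, so test code can never burn live quota
    or trigger a real crawl by accident.
    """
    env = key_environment(api_key)
    if deployment == "production" and env != "live":
        raise RuntimeError(f"production requires a crl_live_ key, got {redact(api_key)}")
    if deployment != "production" and env == "live":
        raise RuntimeError(f"{deployment} must not use a live key, got {redact(api_key)}")
    return env


def auth_headers(api_key: str) -> dict:
    """The two headers the page requires on every authenticated POST or PUT."""
    return {
        "Authorization": f"Bearer {api_key}",
        "Content-Type": "application/json",
    }


def build_audit_request(api_key: str, domain: str, deployment: str) -> urllib.request.Request:
    """Build (but do not send) POST /audits with the Bearer header attached."""
    check_key_for_deployment(api_key, deployment)
    body = json.dumps({"domain": domain}).encode()  # body field name is an assumption
    return urllib.request.Request(
        API_BASE + "/audits",
        data=body,
        headers=auth_headers(api_key),
        method="POST",
    )


if __name__ == "__main__":
    # Constructed key for illustration only. Real keys come from a secret
    # manager or os.environ, never from source code.
    req = build_audit_request("crl_test_0000000000000000exmp", "example.com", "staging")
    print(req.get_method(), req.full_url, req.get_header("Authorization"))
    try:
        build_audit_request("crl_live_0000000000000000exmp", "example.com", "staging")
    except RuntimeError as exc:
        print("blocked:", exc)
```

The request is only built here, not sent, so the example runs offline; pass the returned Request to urllib.request.urlopen (or translate the headers to your HTTP client) to actually call the API. The redact helper exists because keys leak most often through log lines and error messages, not through the dashboard.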

// Section 02 · Test mode

Test mode is free and returns realistic synthetic data.

Test mode keys (crl_test_) return realistic but synthetic audit data without consuming quota. The synthetic data follows the same JSON schema as live audits including score distributions, findings arrays and analyzer codes. Useful for building integrations without paying for real audits during development.

What test mode returns: deterministic synthetic audits keyed by domain string. Calling POST /audits twice with the same test key and same domain returns the same audit_id and same findings. This makes integration tests reproducible. Live mode is different: every audit triggers a real crawl and produces a new audit_id.

What test mode does not include: webhook callbacks to your endpoint (test webhooks go to a Crawlux-side mock URL that returns 200 immediately, so your endpoint never receives a test callback and your retry logic and signature verification are never exercised), PDF generation (synthetic PDFs are stub documents with the same schema as real PDFs), and rate limiting (test mode is unrestricted).

// Section 03 · Key management

Generating, rotating and revoking keys.

Keys are generated from the Crawlux dashboard under Settings → API Keys. Each workspace can have unlimited keys. At creation time the key is displayed once; Crawlux does not store the key in plaintext, so it cannot be retrieved after creation. Store it in a secret manager (AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault) or your CI/CD platform's protected environment variables before closing the creation dialog.

Rotation is supported: generate a new key, update your applications to use it, then revoke the old key, so there is never a window in which no valid key exists. Crawlux does not enforce a rotation cadence but recommends quarterly rotation for production keys. Revoke a compromised key immediately from the dashboard; revocation takes effect within 30 seconds.

// Section 04 · Webhook signatures

Webhooks use a separate signing secret.

Webhook callbacks use HMAC-SHA256 signature verification, separate from API key authentication, so a leaked API key does not let anyone forge webhook deliveries and a leaked signing secret does not grant API access. The signing secret is configured per webhook (auto-generated at webhook creation, displayed once) and used to compute the X-Crawlux-Signature header on every webhook POST. See the webhooks reference for the verification pattern.
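The following is an added example of the receiver side, not the verification code from the webhooks reference. The page only states that the header is X-Crawlux-Signature and the algorithm is HMAC-SHA256 with the per-webhook secret; assumed here, and to be confirmed against the webhooks reference, is that the HMAC is computed over the raw request body and hex-encoded with no prefix. The sample secret and payload are constructed for the demo. The point worth seeing is the two ways this check is commonly broken: comparing with == instead of a constant-time compare, and verifying a re-serialised JSON object instead of the raw bytes.

```python
import hashlib
import hmac
import json

# Added example; not Crawlux's code. Encoding of the signature (hex, raw body,
# no prefix) is an assumption. The page does not specify it.
SIGNATURE_HEADER = "X-Crawlux-Signature"


def sign_body(secret: bytes, raw_body: bytes) -> str:
    """What the sender computes: HMAC-SHA256 over the exact bytes on the wire."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Receiver side. True only for an authentic, unmodified body.

    - Header lookup is case-insensitive: proxies and frameworks normalise
      header names differently.
    - hmac.compare_digest prevents a forger from learning the correct
      signature byte by byte from response timing.
    - The HMAC is computed over the raw bytes, never over a parsed-and-
      re-serialised object (see demo_reserialisation_pitfall).
    """
    received = next(
        (v for k, v in headers.items() if k.lower() == SIGNATURE_HEADER.lower()),
        None,
    )
    if not received:
        return False
    expected = sign_body(secret, raw_body)
    # Compare as bytes so an unexpected non-ASCII header value cannot raise.
    return hmac.compare_digest(expected.encode(), received.strip().lower().encode())


def handle_delivery(secret: bytes, raw_body: bytes, headers: dict) -> dict:
    """The order a handler must follow: verify first, parse second."""
    if not verify_webhook(secret, raw_body, headers):
        raise PermissionError("webhook signature invalid; body not processed")
    return json.loads(raw_body)


# Constructed sample delivery for the demo; not a real Crawlux payload.
SECRET = b"whsec_constructed_example_secret"
RAW_BODY = b'{"status":"complete","audit_id":"aud_constructed"}'
HEADERS = {
    "Content-Type": "application/json",
    SIGNATURE_HEADER: sign_body(SECRET, RAW_BODY),
}


def demo_reserialisation_pitfall() -> tuple:
    """Raw bytes verify; json.dumps(json.loads(body)) does not.

    Frameworks that hand you a parsed object make this mistake easy: the
    re-serialised form has different spacing (and possibly key order), so
    its HMAC differs even though the data is identical.
    """
    reserialised = json.dumps(json.loads(RAW_BODY)).encode()
    return (
        verify_webhook(SECRET, RAW_BODY, HEADERS),
        verify_webhook(SECRET, reserialised, HEADERS),
        reserialised != RAW_BODY,
    )


if __name__ == "__main__":
    print("raw ok, reserialised ok, bytes differ:", demo_reserialisation_pitfall())
    print("verified payload:", handle_delivery(SECRET, RAW_BODY, HEADERS))
    print("tampered body accepted:", verify_webhook(SECRET, RAW_BODY + b" ", HEADERS))
```

In a real handler, read the request body as bytes before any middleware parses it (most frameworks expose this; look for the raw or unparsed body), and reject the delivery before touching the JSON. Because the signing secret is separate from the API key, keep it in its own secret-manager entry with its own access policy.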

// Section 05 · Security practices

Recommended patterns.

  • Never embed live keys in client-side code. Frontend JavaScript is public. Use a backend proxy that holds the live key and calls Crawlux on behalf of authenticated frontend users.
  • Separate keys per environment. Different keys for dev, staging and production. Compromise of one environment does not require rotation of the others.
  • Restrict by IP if possible. Team tier accounts can configure IP allowlists per key from the dashboard. Restrict production keys to your production egress IPs.
  • Audit key usage. The dashboard shows last-used timestamp per key. Keys with last-used over 90 days ago are candidates for revocation.

// Related docs

Where to go from here.

Run a free audit and download the JSON

The fastest way to evaluate the audit JSON for integration: run a real audit on your own domain and inspect the output. Free first audit per domain.
