RegExLab

Authentication & Security

Protect Your RegExLab Workspace


API Keys

Generate and Manage API Keys

Every RegExLab team account supports up to 12 active API keys. Keys are generated through the Security Dashboard under Settings > API Access and are scoped to specific workspaces, test suites, and rate-limit tiers.

When you create a new key, you'll assign it a label (e.g., ci-pipeline-staging), select the workspaces it can access, and choose a permission level: Read (view patterns and test results), Write (create and modify regex patterns, run benchmarks), or Admin (manage team members, rotate keys, adjust scopes). Keys are 48-character hex strings prefixed with rlx_ and are displayed only once at creation. Store them in your secrets manager — GitHub Secrets, HashiCorp Vault, or AWS Secrets Manager all work.

Each key carries a rate limit based on your plan: Free tiers are capped at 60 requests per minute, Pro at 600 rpm, and Enterprise at 3,000 rpm with burst allowance. Exceeding your quota returns a 429 Too Many Requests response with a Retry-After header. You can rotate a key at any time from the dashboard; the old key remains valid for a 24-hour grace period to let you update your integrations without downtime.
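The following is an added Python example, not RegExLab's own client or tooling: it sanity-checks a key's shape before use, scans text such as a diff or log file for accidentally committed keys (reporting them redacted), and turns a 429 response's Retry-After header into a wait. It assumes the key shape is the `rlx_` prefix followed by 48 hex characters; the page does not say whether the prefix counts toward the 48.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Assumed key shape: "rlx_" followed by 48 hex characters. The page says
# "48-character hex strings prefixed with rlx_"; the exact split is an assumption.
KEY_RE = re.compile(r"\brlx_[0-9a-fA-F]{48}\b")


def is_valid_key_format(key: str) -> bool:
    """Cheap shape check before a key pulled from a secrets manager is used."""
    return KEY_RE.fullmatch(key) is not None


def find_leaked_keys(text: str) -> list:
    """Return every key-shaped string in `text` (e.g. a diff or CI log),
    redacted to prefix + first 4 + last 4 chars so the finding can be logged
    without re-exposing the secret."""
    return [k[:8] + "..." + k[-4:] for k in KEY_RE.findall(text)]


def retry_after_seconds(headers: dict, now: Optional[datetime] = None) -> float:
    """Convert a 429 Retry-After header into seconds to wait.
    Handles both the delta-seconds and HTTP-date forms; falls back to 1.0s
    when the header is absent or unparseable."""
    value = headers.get("Retry-After")
    if value is None:
        return 1.0
    value = value.strip()
    if value.isdigit():
        return float(value)
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return 1.0
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return max(0.0, (when - now).total_seconds())
```

Running `find_leaked_keys` over staged changes in a pre-commit hook catches a key before it reaches the repository; `retry_after_seconds` lets a CI job sleep the server-specified time instead of hammering a rate-limited endpoint.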

Read-Only Access

Use for CI/CD pipelines that validate regex patterns against stored test suites without modifying anything. Ideal for pull-request checks and automated regression testing.

Write Access

Grants the ability to create new patterns, update existing ones, and execute benchmark runs. Recommended for deployment scripts and automated pattern optimization workflows.

Admin Access

Full control over team settings, member invitations, key rotation, and workspace configuration. Limit these keys to service accounts used by your DevOps team.


OAuth 2.0

Single Sign-On with OAuth 2.0

RegExLab supports OAuth 2.0 authorization code flow with PKCE for secure, passwordless team authentication. Connect your existing identity provider so developers can sign in with one click — no separate credentials to manage.

We currently support Google Workspace, GitHub, GitLab, Microsoft Entra ID (Azure AD), and Okta out of the box. For custom providers, any OpenID Connect-compliant IdP works through our generic OAuth 2.0 connector. During setup, you'll register RegExLab as a third-party application in your IdP's developer console, provide the client ID and secret, and configure the redirect URI to point to https://app.regexlab.com/oauth/callback.

After initial authentication, RegExLab receives an ID token and an access token. The ID token establishes the user's identity (email, name, organization), and the access token is used for subsequent API calls on the user's behalf. Tokens are short-lived — access tokens expire after 30 minutes, and refresh tokens are valid for 14 days. RegExLab automatically handles token refresh behind the scenes so your team stays authenticated without interruption.
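As an added example (not RegExLab's code and not the generic connector's implementation), the client side of the authorization-code-with-PKCE flow described above: the verifier/challenge pair, a state nonce for the callback, and the exact-match redirect URI rule that the Best Practices section asks you to configure in the IdP. The client ID and authorize endpoint are hypothetical placeholders; the callback URI is the one the page gives.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse

# Exact-match allowlist: the single callback URI the page specifies.
ALLOWED_REDIRECTS = {"https://app.regexlab.com/oauth/callback"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    # RFC 7636 allows 43-128 unreserved chars; 32 random bytes encode to 43.
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA-256(ASCII(verifier))).
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def redirect_uri_allowed(uri: str) -> bool:
    """Exact string match, https only, no localhost or wildcard variants."""
    p = urlparse(uri)
    if p.scheme != "https" or p.hostname in (None, "localhost", "127.0.0.1"):
        return False
    return uri in ALLOWED_REDIRECTS


def build_authorize_url(authorize_endpoint: str, client_id: str,
                        redirect_uri: str, state: str, challenge: str) -> str:
    """Compose the authorization request; refuses a non-allowlisted redirect."""
    if not redirect_uri_allowed(redirect_uri):
        raise ValueError("refusing non-allowlisted redirect_uri: " + redirect_uri)
    params = {
        "response_type": "code",
        "client_id": client_id,          # hypothetical value from your IdP console
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",
        "state": state,                  # bind the callback to this browser session
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return authorize_endpoint + "?" + urlencode(params)


def callback_state_matches(returned_state: str, expected_state: str) -> bool:
    # Constant-time compare; a mismatch means the callback was not ours.
    return secrets.compare_digest(returned_state, expected_state)
```

The verifier is kept server-side and sent only on the token exchange; the IdP recomputes the S256 challenge from it, so an intercepted authorization code alone cannot be redeemed.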

Enterprise customers can enforce SSO by restricting login methods to OAuth-only, disabling email/password authentication entirely. This ensures every team member authenticates through your central identity provider, making it straightforward to revoke access when someone leaves the organization.

Google Workspace

Sign in with your company Google account. Works with Google's security keys, 2-Step Verification, and Advanced Protection Program.

GitHub / GitLab

Authenticate using your developer platform account. Permissions are mapped to your organization membership automatically.

Microsoft Entra ID

Enterprise-grade SSO with conditional access policies, MFA enforcement, and audit logging through Microsoft's identity platform.

Okta

Pre-built Okta integration with adaptive authentication, session management, and seamless provisioning via SCIM.


Security Best Practices

Keep Your Team Account Secure

A few disciplined habits go a long way in protecting your regex patterns, test data, and team collaboration space. Below are the practices we recommend for every RegExLab organization.

Rotate Keys on a Schedule

Set a quarterly rotation policy for all API keys. Use the 24-hour grace period to update CI/CD configs before the old key expires. Log every rotation in your change-management system.

Apply Least-Privilege Scopes

Never give a key Admin access unless it's strictly necessary. A deployment script that only reads patterns should use a Read-only key. Narrow scopes limit blast radius if a key leaks.

Enable Audit Logging

Turn on the audit log in your Security Dashboard to track every key creation, scope change, and member invitation. Logs are retained for 90 days on Pro plans and 365 days on Enterprise.

Require Multi-Factor Authentication

Enforce TOTP or hardware security keys for all team members. MFA can be required at the organization level under Settings > Authentication > MFA Policy.

Review Member Access Quarterly

Audit your team roster every quarter. Remove contractors who've left, downgrade inactive members, and confirm that everyone still needs their current permission level.

Lock Down OAuth Redirect URIs

When configuring your IdP, whitelist only https://app.regexlab.com/oauth/callback as the redirect URI. Never accept wildcard or localhost URIs in production.

If you suspect a key has been compromised, revoke it immediately from the Security Dashboard. The revoked key is invalidated within 60 seconds across all RegExLab endpoints. For Enterprise customers, our security team is available at security@regexlab.com and can assist with incident response within 4 hours during business hours.
