
Overview

Pwnbook’s AI features — the in-app chat assistant, PR threat model analysis, and AI-assisted report writing — require at least one AI provider to be configured with a valid API key. AI providers are configured by server admins in the admin panel. Pwnbook supports:
  • Anthropic (Claude models) — recommended for security-focused tasks
  • OpenAI (GPT models)
Both providers can be configured simultaneously, allowing you to designate a default while keeping a fallback available.

Adding an Anthropic API key

  1. Obtain an API key from console.anthropic.com.
  2. Go to Server Admin → AI Providers.
  3. Click Add Provider → Anthropic.
  4. Paste your API key in the API Key field.
  5. Select the default model to use (e.g., claude-opus-4-5, claude-sonnet-4-5).
  6. Click Save.
Pwnbook validates the key by making a test API call. If the key is invalid or has insufficient permissions, you’ll see an error.
Use a dedicated API key for Pwnbook rather than a shared key used by other services. This makes it easy to rotate the key without affecting other systems and allows you to monitor usage specifically for Pwnbook.

Adding an OpenAI API key

  1. Obtain an API key from platform.openai.com.
  2. Go to Server Admin → AI Providers.
  3. Click Add Provider → OpenAI.
  4. Paste your API key in the API Key field.
  5. Select the default model (e.g., gpt-4o, gpt-4-turbo).
  6. Click Save.

Setting the default provider

If you have multiple providers configured, designate one as the default:
  1. Go to Server Admin → AI Providers.
  2. Click Set as Default next to the provider you want to use by default.
The default provider is used for all AI features unless overridden by user preferences (if user-level provider selection is enabled).

Enabling and disabling AI features

Individual AI features can be enabled or disabled independently:
| Feature | Description |
| --- | --- |
| AI Chat (authenticated) | In-app chat assistant for logged-in users |
| AI Chat (public) | Public-facing AI chat that doesn’t require a Pwnbook account |
| PR threat model analysis | Automatic threat analysis on GitHub pull requests |
| AI report assistance | AI-powered suggestions in the report editor |
To configure feature toggles:
  1. Go to Server Admin → AI Providers → Feature Settings.
  2. Toggle the features you want to enable or disable.
  3. Click Save.

Monitoring AI usage

The AI Providers admin page shows basic usage metrics:
  • Total API calls made per provider
  • Token consumption (input and output tokens)
  • Cost estimate (based on provider pricing)
  • Errors and failed calls
This helps you track spending and identify unusual usage patterns.
Usage data is aggregated at the platform level. Pwnbook does not store individual conversation content — only metadata (call counts, token usage, timestamps).

Rotating API keys

To rotate an AI provider’s API key:
  1. Generate a new API key in the provider’s console (Anthropic or OpenAI).
  2. Go to Server Admin → AI Providers.
  3. Click Edit on the provider.
  4. Replace the existing API key with the new one.
  5. Click Save.
Pwnbook validates the new key before saving. The old key can be revoked from the provider’s console after the new key is confirmed working.

Using environment variables

As an alternative to configuring API keys through the admin UI, you can set them as environment variables:
ANTHROPIC_API_KEY=sk-ant-...
OPENAI_API_KEY=sk-...
Keys set via environment variables are treated as the default provider configuration and are visible (but not editable) in the admin UI. To override them, use the admin UI to add additional provider configurations.
Avoid hardcoding API keys in your docker-compose.yml or committing them to version control. Use a .env file or a secrets manager.
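
One way to enforce the advice above before a commit, as an added example that is not part of Pwnbook: a shell function that flags compose files where ANTHROPIC_API_KEY or OPENAI_API_KEY is assigned a literal value rather than read from the environment. The function name, file names, service names and key values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of Pwnbook. Flags compose files that assign a literal
# value to ANTHROPIC_API_KEY or OPENAI_API_KEY instead of referencing the environment.

# scan_compose FILE... : prints one finding per line (the value is never shown),
# returns 1 if any literal key was found, 0 if all files are clean.
scan_compose() {
    awk -v q="'" '
    /^[ \t]*#/ { next }                                   # ignore comment lines
    match($0, /(ANTHROPIC|OPENAI)_API_KEY[ \t]*[=:]/) {
        name = substr($0, RSTART, RLENGTH)
        sub(/[ \t]*[=:]$/, "", name)                      # keep the variable name only
        val = substr($0, RSTART + RLENGTH)
        sub(/[ \t]+#.*$/, "", val)                        # drop a trailing comment
        gsub("^[ \t\"" q "]+|[ \t\"" q "]+$", "", val)    # trim spaces and quotes
        if (val == "" || substr(val, 1, 1) == "$") next   # empty or ${VAR} reference
        printf "%s:%d: %s is set to a literal value\n", FILENAME, FNR, name
        found = 1
    }
    END { exit (found ? 1 : 0) }
    ' "$@"
}

# Constructed sample files (hypothetical service names, placeholder key values).
demo_dir=$(mktemp -d)
cat > "$demo_dir/bad.yml" <<'EOF'
services:
  app:
    environment:
      - ANTHROPIC_API_KEY=sk-ant-CONSTRUCTED-PLACEHOLDER
  worker:
    environment:
      OPENAI_API_KEY: "sk-CONSTRUCTED-PLACEHOLDER"
EOF
cat > "$demo_dir/good.yml" <<'EOF'
services:
  app:
    env_file: .env
    environment:
      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
      - OPENAI_API_KEY
EOF

scan_compose "$demo_dir/bad.yml" "$demo_dir/good.yml" \
    || echo "Move these values to .env or a secrets manager."
```

The scan is line-based and only covers the two variable names on this page, so it complements a general-purpose secret scanner rather than replacing one.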