Concepts
Authentication
How to authenticate against the public API and the failure modes.
Every API call takes an Authorization: Bearer <token> header. The token
is your Olava API key.
API keys
Issued through the console at console.olava.dev. Keys are formatted as
olv_sk_<your-key>.
- You see the secret exactly once at creation. We do not retain a recoverable copy. Store the key in a password manager or secret store the moment you mint it. If you lose it, revoke the key and mint a new one.
- Subject to a per-key request rate limit. Default ceiling is roughly 10 requests per second; configurable per key by support if you need more.
- Revocable from the console; revocation stops further calls within seconds.
Failure modes
All auth failures return 401:
{ "detail": "invalid_api_key" }
Possible detail values:
| Code | Cause |
|---|---|
| missing_bearer_token | No Authorization: Bearer ... header. |
| invalid_api_key | Key is malformed, unknown, or revoked. |
Key hygiene
- One key per environment. Separate keys for production, staging, and each developer. A leak only invalidates one key.
- Revoke unused keys. A revoked key stops working within seconds.
- Never commit keys to git. Use .env, your CI's secret store, or a managed secret service.
- Rotate periodically. Mint a new key, deploy it, then revoke the old one.
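The following client-side sketch ties the failure modes and the hygiene rules together. It is an added example, not Olava's own code. It reads the key from the environment instead of source, checks the olv_sk_ prefix before any request is sent, and maps the two documented 401 detail values to an operator action. The variable name OLAVA_API_KEY, the function names and the action strings are assumptions made for this example.

```python
import json
import os

KEY_PREFIX = "olv_sk_"      # key format from this page: olv_sk_<your-key>
ENV_VAR = "OLAVA_API_KEY"   # assumption: variable name chosen for this example


class AuthConfigError(Exception):
    """Raised locally, before any request is sent, when the key is unusable."""


def load_key(env=os.environ):
    """Read the key from the environment so it never lives in source control."""
    key = env.get(ENV_VAR, "").strip()
    if not key:
        raise AuthConfigError(f"{ENV_VAR} is not set")
    # Error messages name the variable only; the key value is never echoed.
    if not key.startswith(KEY_PREFIX) or len(key) == len(KEY_PREFIX):
        raise AuthConfigError(f"{ENV_VAR} does not look like a {KEY_PREFIX}... key")
    return key


def auth_headers(key):
    """Build the header every API call must carry."""
    return {"Authorization": f"Bearer {key}"}


def classify_auth_failure(status, body):
    """Map a response to an action string; None means it is not an auth failure."""
    if status != 401:
        return None
    try:
        detail = json.loads(body).get("detail")
    except (ValueError, AttributeError):
        detail = None  # body was not the documented JSON object
    if detail == "missing_bearer_token":
        return "client_bug: request left without the Authorization header"
    if detail == "invalid_api_key":
        # Malformed, unknown, or revoked: retrying the same key cannot succeed.
        return "key_rejected: stop retrying, check for revocation, mint a new key"
    return "unknown_401: treat as an auth failure and stop retrying"
```

Calling load_key() at process start surfaces a missing or mistyped key as a configuration error before any request is made.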