Authentication
Every request to /api/v1/* (except /health and /openapi.json) requires an API key.
Header formats
Both formats are accepted; pick whichever your client prefers.
```http
x-api-key: iv_live_abc123def456...
```
```http
Authorization: Bearer iv_live_abc123def456...
```
Issuing a key
- Sign in and open /app/developer.
- Click Create key, give it a name (e.g. prod-ingest), pick scopes.
- The raw key is shown once. Copy it into a secret store; we only persist a sha256 hash.
Scopes
| Scope | Allows |
|---|---|
| read | All GET endpoints |
| write | read + state-changing endpoints (e.g. POST /api/v1/contracts/:id/score) |
| admin | all of the above + admin endpoints; only available to admin users |
Test vs live keys
Live keys (iv_live_…) require an active Developer plan. Test keys (iv_test_…) are available to any signed-in user and are capped at 30 requests/minute. Both hit the same data set today; a true sandbox partition lands in Phase 5.
Revoking + rotation
Revoke from the dashboard at any time; revoked keys 401 immediately. Rotate by issuing a new key, updating your client, then revoking the old one.
Storing keys
Treat keys like passwords. Never commit them, ship them in client-side bundles, or paste them in URLs. Store in environment variables or a secret manager.
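
A pre-commit style check for the storage rules above, as an added example that is not part of this documentation or the service's own code: it scans text for strings shaped like iv_live_ / iv_test_ keys and reports whether each one sits in a URL, a client-side file, or other source, printing only a redacted form. The key-body character set, the bundle file suffixes and every sample value (host, query parameter, env var name, keys) are assumptions made for the example.

```python
import re

# Assumption: key bodies are letters, digits, "_" or "-"; the page shows only
# the iv_live_ / iv_test_ prefixes and an elided sample value.
KEY_RE = re.compile(r"\biv_(live|test)_[A-Za-z0-9_-]{8,}")
# Text before a key that ends in "<url>?name=" or "<url>&name=" means the key
# sits in a query string.
URL_PREFIX_RE = re.compile(r"https?://[^\s\"'<>]*[?&][^\s\"'<>=&]*=$")
# Assumption: these suffixes mark files that are served to browsers.
BUNDLE_SUFFIXES = (".js", ".mjs", ".html", ".map")


def redact(key):
    """Keep the 8-character prefix and last 4 characters so reports don't re-leak the key."""
    return key[:8] + "..." + key[-4:]


def scan(path, text):
    """Return one finding per key-shaped string in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in KEY_RE.finditer(line):
            if URL_PREFIX_RE.search(line[:m.start()]):
                where = "url"
            elif path.endswith(BUNDLE_SUFFIXES):
                where = "client-bundle"
            else:
                where = "source"
            findings.append({"path": path, "line": lineno, "env": m.group(1),
                             "where": where, "key": redact(m.group(0))})
    return findings


# Constructed inputs: the key values, host, query parameter and env var name are made up.
SAMPLES = {
    "deploy.sh": 'curl "https://api.example.test/api/v1/contracts?api_key=iv_live_EXAMPLEkey0001"\n',
    "dist/app.js": 'const k="iv_test_EXAMPLEkey0002";fetch(u,{headers:{"x-api-key":k}})\n',
    "ingest.py": 'import os\nKEY = os.environ["IV_API_KEY"]\n',
}


def scan_all(files):
    """Scan a {path: text} mapping in path order."""
    return [f for path in sorted(files) for f in scan(path, files[path])]


if __name__ == "__main__":
    for f in scan_all(SAMPLES):
        print(f"{f['path']}:{f['line']}: {f['env']} key in {f['where']}: {f['key']}")
```

A finding for a live key means the key should be rotated as described under Revoking + rotation, not just deleted from the file.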