Authentication
API keys, scopes, and the Authorization header used by every /api/v1 request.
Every /api/v1 request authenticates with an API key passed as a bearer token:
Authorization: Bearer vlr_live_...

Keys look like vlr_live_ followed by a random secret. Valara stores only a
hash of the key plus a short display prefix, so the full secret is shown to you
exactly once when the key is created. Treat it like a password.
Creating a key
Once you have an account, you provision keys yourself:
- Open Settings → API Keys in the dashboard.
- Name the key for where it runs (e.g. "CI pipeline") and choose its scopes.
- Copy the full secret. It is shown once; store it before you leave the page.
Key management is session-authenticated (the dashboard, or the CLI's device
session). An API key cannot create or revoke keys, so a leaked key can
never mint new ones or escalate its own scopes. The same actions are available
programmatically with a session credential at POST / GET /api/v1/keys and
DELETE /api/v1/keys/{id}.
Scopes
Each key carries a set of scopes. A request that needs a scope the key lacks is
rejected with 403 forbidden before any work happens (so a read-only key can
never start a billable review).
| Scope | Grants |
|---|---|
| reviews:read | List reviews, read review status, and fetch results. |
| reviews:write | Submit new reviews (POST /api/v1/reviews). |
| reviews:delete | Delete a review. |
How a request is resolved
- An Authorization: Bearer vlr_live_… header is verified against your key.
- The key resolves to the owning Valara user; reviews, credits, and history are scoped to that user.
- The required scope for the endpoint is enforced.
Browser sessions (the Valara web app) authenticate with cookies and carry full access. API keys are the path for machines, agents, and CI.
Failure modes
| Status | Type | Meaning |
|---|---|---|
| 401 | unauthorized | Missing, malformed, revoked, or expired key. |
| 403 | forbidden | Valid key, but it lacks the scope the endpoint requires. |
Both use the standard error envelope. Credits remain the hard
financial ceiling: a review that would exceed your balance returns 402
insufficient_credits rather than running.
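The resolution order under "How a request is resolved" and the 401/403 split under "Failure modes", sketched as a server-side check. This is an added illustration, not Valara's code: the SHA-256 hash, the in-memory store, the 12-character display prefix, and the names KeyRecord, issue_key and authorize are assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

PREFIX = "vlr_live_"


@dataclass
class KeyRecord:
    owner: str                          # user the key resolves to
    scopes: frozenset                   # e.g. {"reviews:read"}
    display_prefix: str                 # short, non-secret label for the dashboard
    revoked: bool = False
    expires_at: float = float("inf")    # epoch seconds; inf means no expiry


def digest(secret: str) -> str:
    # Assumption: SHA-256; the page does not say which hash is used.
    return hashlib.sha256(secret.encode()).hexdigest()


def issue_key(store: dict, owner: str, scopes) -> str:
    """Persist only the hash and a display prefix; return the secret once."""
    secret = PREFIX + secrets.token_urlsafe(32)
    store[digest(secret)] = KeyRecord(owner, frozenset(scopes), secret[:12])
    return secret


def authorize(store: dict, header, required_scope: str, now=None):
    """Return (status, error_type, owner) in the order the page describes."""
    now = time.time() if now is None else now
    scheme, _, token = (header or "").partition(" ")
    if scheme != "Bearer" or not token.startswith(PREFIX):
        return 401, "unauthorized", None      # missing or malformed
    record = store.get(digest(token))         # lookup by hash, never by secret
    if record is None or record.revoked or now >= record.expires_at:
        return 401, "unauthorized", None      # unknown, revoked, or expired
    if required_scope not in record.scopes:
        return 403, "forbidden", None         # valid key, scope missing
    return 200, None, record.owner            # request may proceed
```

Because the scope check runs before any handler logic, a key holding only reviews:read gets 403 on a reviews:write endpoint without reaching the code that would start a review.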