Authentication
All /v1/* requests require a bearer token in the Authorization header:
Authorization: Bearer vrk_...
Keys are issued per-tenant. Each tenant has exactly one active key at a time.
Rotation
Ask your admin to rotate your key at any time. Rotation is instant — the old key stops working the moment a new one is issued. Plan for at least a brief window during rotation in which requests still sent with the old key are rejected; we don't support overlapping keys (yet).
Storage
Treat the key like a database password. Don't commit it. Don't put it in browser code. Don't share it across services that should be revocable independently — a tenant has only one active key at a time, so ask for separate tenants instead.
Errors
| Code | Meaning |
|---|---|
| 401 | Missing, malformed, or unknown bearer token |
| 403 | Bearer is valid but doesn't own the resource (e.g. another tenant's session id) |
A missing Authorization header and a wrong key both return 401; we don't distinguish.
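The rotation behaviour and the error table above imply a client pattern: on 401, re-read the key from wherever it is stored and retry once, and never retry a 403. The sketch below is an added example, not code from this API's SDK; the `Transport` signature, the `Client` class, the `/v1/sessions` path and the `vrk_*_example` keys are assumptions constructed for illustration.

```python
from typing import Callable, Dict, Tuple

# Hypothetical transport signature: (method, path, headers) -> (status, body).
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, bytes]]

class AuthError(Exception):
    """401 even with the newest key available: missing, malformed or unknown token."""

class ForbiddenError(Exception):
    """403: the key is valid but the resource belongs to another tenant."""

class Client:
    def __init__(self, send: Transport, load_key: Callable[[], str]):
        self._send, self._load_key = send, load_key
        self._key = load_key()

    def _attempt(self, method: str, path: str) -> Tuple[int, bytes]:
        return self._send(method, path, {"Authorization": f"Bearer {self._key}"})

    def request(self, method: str, path: str) -> bytes:
        status, body = self._attempt(method, path)
        if status == 401:
            # Assumption: a 401 is returned before the request is processed, so one
            # retry is safe. Retry only if the secret store now holds a different key.
            fresh = self._load_key()
            if fresh != self._key:
                self._key = fresh
                status, body = self._attempt(method, path)
        if status == 401:
            raise AuthError("key rejected; rotation may not have reached this service")
        if status == 403:
            # The token was accepted, so reloading the key cannot help.
            raise ForbiddenError(path)
        return body

def demo_rotation() -> Tuple[bytes, int]:
    """Constructed scenario: the key is rotated between two calls."""
    server = {"active": "vrk_old_example"}  # constructed stand-in for the API
    store = {"key": "vrk_old_example"}      # constructed stand-in for a secret store
    calls = []
    def send(method, path, headers):
        calls.append(headers["Authorization"])
        ok = headers["Authorization"] == "Bearer " + server["active"]
        return (200, b"ok") if ok else (401, b"")
    client = Client(send, lambda: store["key"])
    client.request("GET", "/v1/sessions")
    server["active"] = store["key"] = "vrk_new_example"  # instant rotation, no overlap
    return client.request("GET", "/v1/sessions"), len(calls)
```

Because 401 does not say whether the key was missing or wrong, the client cannot tell a rotation from a misconfiguration; a persistent `AuthError` after the reload is the signal to alert on.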