Authentication

Every request to the Veriloop API authenticates with a per-workspace bearer token. There are no user-level keys.

Key format

Keys look like vl_live_ followed by 40+ URL-safe characters. The dashboard only stores a SHA-256 hash of each key — the plaintext is shown once at creation.

Sending the key

http
Authorization: Bearer vl_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Rotation & revocation

Generate a second key, deploy it, then revoke the old one from Dashboard → API keys. Revocation takes effect on the next request — we check status on every call.

Common mistakes

MistakeSymptomFix
Missing the Bearer prefix401 Missing or invalid API keyUse Authorization: Bearer vl_live_…
Sending the key as a query string401Always use the Authorization header
Using a revoked key401 API key invalid or revokedGenerate a new key and update the secret
Calling /api/v1/... instead of /api/public/v1/...404All public endpoints are under /api/public/v1/
Never ship a key in browser code unless the calling page is your own dashboard. Any key in JS source is recoverable by anyone visiting the site.