Authentication
Every request to the Veriloop API authenticates with a per-workspace bearer token. There are no user-level keys.
Key format
Keys look like vl_live_ followed by 40+ URL-safe characters. The dashboard only stores a SHA-256 hash of each key — the plaintext is shown once at creation.
Sending the key
http
Authorization: Bearer vl_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxRotation & revocation
Generate a second key, deploy it, then revoke the old one from Dashboard → API keys. Revocation takes effect on the next request — we check status on every call.
Common mistakes
| Mistake | Symptom | Fix |
|---|---|---|
| Missing the Bearer prefix | 401 Missing or invalid API key | Use Authorization: Bearer vl_live_… |
| Sending the key as a query string | 401 | Always use the Authorization header |
| Using a revoked key | 401 API key invalid or revoked | Generate a new key and update the secret |
| Calling /api/v1/... instead of /api/public/v1/... | 404 | All public endpoints are under /api/public/v1/ |
Never ship a key in browser code unless the calling page is your own dashboard. Any key in JS source is recoverable by anyone visiting the site.