Authentication
All /api/v1/* endpoints require an API key sent in the Authorization header as a Bearer token. No cookies, no session, just the key.
http
Authorization: Bearer yvt_live_...Getting a key
- Sign in and visit your API keys page.
- Click Generate API key.
- Copy the plaintext key immediately. It is shown exactly once.
One key per account
Each account has one active API key. Regenerate it to rotate credentials. The previous key stops working immediately.
Authentication errors
Auth failures always return 401 unauthorized. The message deliberately does not distinguish between a key that never existed and a key that was revoked.
| Sent | Response |
|---|---|
No Authorization header | 401 unauthorized: Missing API key |
Authorization without Bearer prefix | 401 unauthorized: Missing API key |
Bearer token not starting with yvt_live_ | 401 unauthorized: Invalid API key |
| Unknown or revoked key | 401 unauthorized: Invalid API key |
These 401s do not carry the X-RateLimit-* headers because rate limits apply only after authentication succeeds.
Storage tips
- Treat the key like a password.
- Inject via environment variable (
YVT_API_KEY), never commit it to source control. - If you suspect a leak, regenerate immediately. The old key stops working on the next request.