API Authentication
Authenticate Rivya API requests with Bearer API keys, scoped permissions, one-time secret display, revocation, and rotation.
Last reviewed on 2026/05/10
Rivya API uses API keys for server-to-server access.
An API key is not the same as a browser login session. Do not use cookies, Better Auth session state, or a personal browser token as a public API credential.
Header Format
Send the key in the Authorization header:
Authorization: Bearer rvya_sk_...
The full key is shown only once when created. Rivya stores a hash and a visible prefix, not the full secret.
Create A Key
- Sign in to Rivya.
- Open API Keys settings.
- Create a key with the scopes you need.
- Copy the full key immediately.
- Store it in a server-side secret manager or environment variable.
Do not put the key in client-side JavaScript, mobile app bundles, public repos, analytics events, or logs.
Current Scopes
The first version documents these scopes:
- models:read
- generations:create
- generations:read
- files:create
- files:read
- credits:read
- webhooks:manage
- chat:create
- chat:read
New keys created in Settings include the documented scopes by default. Older keys may need to be recreated before using Files API, API Webhooks, or Chat API.
Revoke And Rotate
If a key is exposed:
- Revoke the old key from Settings.
- Create a new key.
- Update your server-side secret.
- Confirm the new key works with GET /api/v1/credits.
- Remove the old key from build systems, logs, and deployment variables.
Revoked keys return api_key_revoked.
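One way to script the confirmation steps of the rotation procedure above (an added example, not Rivya's own code). The base URL placeholder, the environment variable names and the helper names are assumptions; because this page does not document the error response format, the check only looks for the api_key_revoked code string in the response body.

```python
import os
import urllib.error
import urllib.request

# Assumption: the API base URL is not given on this page; placeholder host.
BASE_URL = os.environ.get("RIVYA_BASE_URL", "https://rivya.example")


def http_send(key):
    """GET /api/v1/credits with a Bearer key; returns (status, body text)."""
    req = urllib.request.Request(
        BASE_URL + "/api/v1/credits",
        headers={"Authorization": "Bearer " + key},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def mask(key):
    """Keep a short prefix only, so the full secret never reaches output.
    Assumption: 12 characters; the real visible-prefix length is not documented here."""
    return key[:12] + "..."


def verify_rotation(old_key, new_key, send=http_send):
    """Return a list of problems; an empty list means the rotation checks passed."""
    if old_key == new_key:
        return ["old and new key are identical"]
    problems = []
    status, _ = send(new_key)
    if not 200 <= status < 300:
        problems.append("new key %s rejected (HTTP %d)" % (mask(new_key), status))
    status, body = send(old_key)
    if 200 <= status < 300:
        problems.append("old key %s still accepted: revoke it" % mask(old_key))
    elif "api_key_revoked" not in body:
        problems.append("old key %s rejected, but not as api_key_revoked" % mask(old_key))
    return problems


if __name__ == "__main__":
    # Keys come from the environment (hypothetical variable names), never from argv.
    issues = verify_rotation(os.environ["RIVYA_OLD_KEY"], os.environ["RIVYA_NEW_KEY"])
    for issue in issues:
        print("FAIL:", issue)
    raise SystemExit(1 if issues else 0)
```

Unset RIVYA_OLD_KEY wherever the check ran once it passes, so the revoked secret does not linger in the environment.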
Authentication Errors
Common authentication errors:
- api_key_missing
- api_key_invalid
- api_key_revoked
- api_key_expired
- api_scope_denied
- public_api_disabled
See API Errors and Limits for the full public error table.