Authentication
How to authenticate with the Covala API using API keys.
All Covala API requests require an API key passed in the X-API-Key header.
API key format
API keys follow the format sk_cvl_live_ followed by a random string. The cvl identifies the key as a Covala key. Keep your key secret — it grants full access to the API under your account's rate limits.
| Prefix | Environment | Type | Use case |
|---|---|---|---|
| sk_cvl_live_ | Production | Secret | Server-side, full access |
| pk_cvl_live_ | Production | Publishable | Client-side safe |
| sk_cvl_test_ | Test | Secret | Development & testing |
| pk_cvl_test_ | Test | Publishable | Client-side testing |
Making authenticated requests
Include your API key in every request:
```bash
curl https://api.covala.com/v2/products \
  -H "X-API-Key: sk_cvl_live_your_key_here"
```
You can also use Bearer token authentication:
```bash
curl https://api.covala.com/v2/products \
  -H "Authorization: Bearer sk_cvl_live_your_key_here"
```
Rate limits
Each API key has rate limits based on your plan:
| Plan | Requests/min | Monthly quota | Price |
|---|---|---|---|
| Free | 10 | 5,000 | $0 |
| Starter | 60 | 50,000 | $29/mo |
| Pro | 300 | 500,000 | $99/mo |
| Enterprise | 1,000 | 5,000,000 | Custom |
Rate limit headers are included in every response:
| Header | Description |
|---|---|
| X-RateLimit-Limit | Requests allowed per window |
| X-RateLimit-Remaining | Requests remaining in current window |
| X-RateLimit-Reset | Unix timestamp when the window resets |
| X-MonthlyQuota-Limit | Monthly request quota |
| X-MonthlyQuota-Remaining | Requests remaining this month |
When you exceed your rate limit, the API returns 429 Too Many Requests.
Security best practices
- Store your API key in environment variables, never in code
- Rotate your key immediately if you suspect it has been compromised
- Use separate keys for development (sk_cvl_test_) and production (sk_cvl_live_)
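
The practices above can be enforced in code. The following Python is an added example, not part of the Covala documentation or any Covala SDK: it reads the key from the environment, refuses a key whose prefix belongs to the wrong environment, and scans source text for hardcoded secret keys. The variable name `COVALA_API_KEY`, the function names, and the assumption that the random part of a key is alphanumeric are all hypothetical.

```python
import os
import re

# Prefix -> (environment, type), taken from the key-format table on this page.
PREFIXES = {
    "sk_cvl_live_": ("production", "secret"),
    "pk_cvl_live_": ("production", "publishable"),
    "sk_cvl_test_": ("test", "secret"),
    "pk_cvl_test_": ("test", "publishable"),
}
# Assumption: the random part is alphanumeric; the page does not specify it.
SECRET_KEY_RE = re.compile(r"sk_cvl_(?:live|test)_[A-Za-z0-9]+")


def classify(key):
    """Return (environment, type) for a key, or raise ValueError."""
    for prefix, meta in PREFIXES.items():
        if key.startswith(prefix) and len(key) > len(prefix):
            return meta
    raise ValueError("value does not look like a Covala API key")


def redact(key):
    """Keep only the 12-character prefix so logs never contain the secret."""
    return key[:12] + "***"


def load_key(expected_env, environ=os.environ, var="COVALA_API_KEY"):
    """Read the key from the environment; reject a key for the wrong environment."""
    key = environ.get(var, "").strip()
    if not key:
        raise RuntimeError(f"{var} is not set")
    env, _kind = classify(key)
    if env != expected_env:
        raise RuntimeError(f"{redact(key)} is a {env} key, expected {expected_env}")
    return key


def find_hardcoded_keys(text):
    """Return (line_number, redacted_key) for each secret key found in text."""
    return [(n, redact(m.group()))
            for n, line in enumerate(text.splitlines(), start=1)
            for m in SECRET_KEY_RE.finditer(line)]


# Constructed sample: a source file with one hardcoded key and one safe lookup.
SAMPLE = 'API_KEY = "sk_cvl_live_EXAMPLEexample123"\nAPI_KEY = os.environ["COVALA_API_KEY"]\n'
print(find_hardcoded_keys(SAMPLE))
```

Running `find_hardcoded_keys` over staged files in a pre-commit hook catches a pasted key before it reaches the repository; the report carries only the redacted prefix.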