Authentication
Skunivo public API integrations authenticate with API keys. Keys are server-side credentials scoped to one organization, one environment and a set of allowed scopes.
Required Values
Section titled “Required Values”Every integration needs:
baseUrl: the API base URL for the target environment.organizationId: the customer organization id.apiKey: askv_test_...orskv_live_...API key.
The organization id appears in public API paths:
GET /v1/organizations/{organizationId}/balancesSend the API key as a bearer token:
Authorization: Bearer skv_test_...Test And Live Environments
Section titled “Test And Live Environments”Use test keys for development, CI smoke tests and sandbox-like validation. Use live keys only from production server-side systems.
API keys encode their environment. Public API requests authenticated with API keys do not need X-Skunivo-Environment.
Server-Side Use Only
Section titled “Server-Side Use Only”Do not expose API keys in browser code, mobile apps or public static assets. Browser-facing products should call your own backend, and your backend should call Skunivo.
Recommended pattern:
- The browser authenticates with your application.
- Your backend authorizes the user action.
- Your backend calls Skunivo with a server-side API key.
- Your backend returns only the data the browser is allowed to see.
Limited browser tokens are not part of the current public API surface. Treat them as a future capability until they are explicitly documented.
Rotation And Logging
Section titled “Rotation And Logging”- Store API keys in a secret manager or environment variable system.
- Do not commit
.envfiles with real values. - Do not log full API keys.
- Include
X-Request-Idin requests and logs so support can correlate failures without exposing secrets.