Skip to content

Authentication

Skunivo public API integrations authenticate with API keys. Keys are server-side credentials scoped to one organization, one environment and a set of allowed scopes.

Every integration needs:

  • baseUrl: the API base URL for the target environment.
  • organizationId: the customer organization id.
  • apiKey: a skv_test_... or skv_live_... API key.

The organization id appears in public API paths:

GET /v1/organizations/{organizationId}/balances

Send the API key as a bearer token:

Authorization: Bearer skv_test_...

Use test keys for development, CI smoke tests and sandbox-like validation. Use live keys only from production server-side systems.

API keys encode their environment. Public API requests authenticated with API keys do not need X-Skunivo-Environment.

Do not expose API keys in browser code, mobile apps or public static assets. Browser-facing products should call your own backend, and your backend should call Skunivo.

Recommended pattern:

  1. The browser authenticates with your application.
  2. Your backend authorizes the user action.
  3. Your backend calls Skunivo with a server-side API key.
  4. Your backend returns only the data the browser is allowed to see.

Limited browser tokens are not part of the current public API surface. Treat them as a future capability until they are explicitly documented.

  • Store API keys in a secret manager or environment variable system.
  • Do not commit .env files with real values.
  • Do not log full API keys.
  • Include X-Request-Id in requests and logs so support can correlate failures without exposing secrets.