Authentication
All requests (except /healthz, /readyz, /v1/meta/*) require a bearer token in the Authorization header:

```http
Authorization: Bearer dv_live_0123456789abcdef0123456789abcdef
```

Key types
| Prefix | Purpose | IP check |
|---|---|---|
| dv_live_* | Production traffic | Enforced |
| dv_test_* | CI, local dev, sandbox | Bypassed |
Create keys from your dashboard → API Keys. You can create, label, rotate, and revoke keys independently. Each key is scoped to its owning account — all usage counts toward the account's plan quota.
IP allowlisting
For dv_live_* keys, you can restrict calls to a CIDR list. Requests from outside the list return 403 Forbidden.

```text
203.0.113.10/32 # specific IP
198.51.100.0/24 # range
```

Set allowed IPs from dashboard → API Keys → edit.
Best practices
- Generate separate keys per environment — prod, staging, CI, local.
- Use IP allowlisting on prod keys. If your servers are the only IPs that work, a leaked key is useless from anywhere else, so the compromise blast radius is zero.
- Never embed dv_live_* keys in mobile apps, web bundles, or public GitHub repos.
- Rotate regularly — keys can be rotated from the dashboard with zero downtime (the old key keeps working until you revoke it).
- Use environment variables — never hardcode keys.
WWW-Authenticate challenge
If you send a missing or invalid token, the response is 401 Unauthorized with:

```http
WWW-Authenticate: Bearer realm="DivyAstroAPI"
```

Session tokens (dashboard only)
The website dashboard uses a separate session JWT (issued by /v1/auth/login). Session tokens and dv_live_* keys are not interchangeable: session tokens cannot call compute endpoints, and dv_live_* keys cannot access dashboard routes.
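As an added example (not the API's own server code), a minimal Python gatekeeper that applies the rules on this page end to end: exempt paths pass through, a missing or unknown bearer token gets 401 with the documented challenge, dv_live_* keys are checked against their CIDR allowlist and rejected with 403 when the client IP is outside it, and dv_test_* keys skip the IP check. The key values and allowlist store are constructed, and treating an empty allowlist as "no restriction" is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field

# Paths the page lists as exempt from authentication.
EXEMPT_EXACT = {"/healthz", "/readyz"}
EXEMPT_PREFIXES = ("/v1/meta/",)
CHALLENGE = 'Bearer realm="DivyAstroAPI"'


@dataclass
class KeyRecord:
    """Per-key metadata. An empty allowlist means no IP restriction (assumption)."""
    label: str
    allowed_cidrs: list = field(default_factory=list)


# Constructed sample key store with hypothetical key values (not real keys).
# A production store would hold a hash of each key, never the key itself.
KEYS = {
    "dv_live_" + "a" * 32: KeyRecord("prod", ["203.0.113.10/32", "198.51.100.0/24"]),
    "dv_test_" + "b" * 32: KeyRecord("ci"),
}


def is_exempt(path):
    return path in EXEMPT_EXACT or path.startswith(EXEMPT_PREFIXES)


def authenticate(path, headers, client_ip):
    """Return (status, extra_headers) following the documented behaviour."""
    if is_exempt(path):
        return 200, {}
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    record = KEYS.get(token)
    # Anything that is not a known API key (including a dashboard session JWT)
    # is rejected with 401 and the WWW-Authenticate challenge.
    if scheme.lower() != "bearer" or record is None:
        return 401, {"WWW-Authenticate": CHALLENGE}
    if token.startswith("dv_live_") and record.allowed_cidrs:
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in ipaddress.ip_network(c) for c in record.allowed_cidrs):
            return 403, {}
    # dv_test_* keys reach here without an IP check.
    return 200, {}
```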