API Keys

Manage API keys for programmatic access to Kova.

What Are API Keys?

API keys provide an alternative to JWT tokens for authenticating API requests. They are designed for programmatic access -- scripts, CI/CD pipelines, and backend integrations that need persistent credentials without re-authenticating.

Key Format

Each API key consists of two parts:

Part      Description                          Example
Prefix    Public identifier used for lookup    kova_a1b2c3d4
Secret    Private value used for validation    e5f6g7h8i9j0...

The full key is displayed once at creation in the format kova_a1b2c3d4.e5f6g7h8i9j0...

Store Your Key Securely

The full API key is only shown once at creation time. It cannot be retrieved later. Store it in a secure location like a secrets manager or environment variable.

Creating an API Key

  1. Open API Key Settings. Navigate to Settings → API Keys in the dashboard.
  2. Create New Key. Click Create API Key and enter a descriptive name (e.g., "CI Pipeline" or "Monitoring Bot").
  3. Copy the Key. Copy the full key immediately. This is the only time it will be displayed.
  4. Store Securely. Save the key in your secrets manager, .env file, or CI/CD secret store.

Using API Keys

Include the key in the Authorization header with the Bearer scheme, the same way you would use a JWT token:

curl -H "Authorization: Bearer kova_a1b2c3d4.e5f6g7h8i9j0..." \
  https://app.kovanetwork.com/api/v1/deployments

API keys work with all endpoints that accept JWT authentication.

Revoking Keys

To revoke an API key:

  1. Navigate to Settings → API Keys
  2. Find the key by its name or prefix
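  3. Click Revoke

To revoke a key through the API instead, send a DELETE request for the key's prefix, with a valid credential in place of TOKEN:

curl -X DELETE \
  -H "Authorization: Bearer TOKEN" \
  https://app.kovanetwork.com/api/v1/api-keys/kova_a1b2c3d4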

Revocation Is Immediate

Revoking a key takes effect immediately. Any requests using the revoked key will fail with 401 Unauthorized. This action cannot be undone -- you must create a new key.

Security Details

  • API key secrets are hashed with argon2 before storage -- Kova never stores the plaintext secret
  • Only the prefix is stored in plaintext, used to look up the key for validation
  • Keys are cached in memory after first validation to avoid repeated hashing overhead
  • Each key is scoped to the user account that created it
  • There is no limit on the number of active keys per account
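
The scheme described in the list above (prefix lookup, hashed secret, in-memory cache, immediate revocation) is sketched below as an added example; it is not Kova's code. The KEYS and CACHE stores and all function names are hypothetical, and scrypt from the Python standard library stands in for argon2.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stores standing in for a database and a process cache.
KEYS = {}   # prefix -> {"salt", "hash", "user"}; the secret itself is never kept
CACHE = {}  # sha256(full key) -> prefix of a key that has already verified

def _kdf(secret: str, salt: bytes) -> bytes:
    # Assumption: scrypt replaces argon2 so the example needs no third-party package.
    return hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def create_key(user: str) -> str:
    prefix = "kova_" + secrets.token_hex(4)
    secret = secrets.token_urlsafe(32)  # URL-safe alphabet, so it contains no "."
    salt = secrets.token_bytes(16)
    KEYS[prefix] = {"salt": salt, "hash": _kdf(secret, salt), "user": user}
    return f"{prefix}.{secret}"  # returned once; only the hash is stored

def validate(authorization: str):
    """Return the owning user, or None (the caller answers 401 Unauthorized)."""
    scheme, _, full_key = authorization.partition(" ")
    prefix, sep, secret = full_key.partition(".")
    if scheme != "Bearer" or not sep or not secret:
        return None
    record = KEYS.get(prefix)  # checked before the cache, so revocation always wins
    if record is None:
        return None
    digest = hashlib.sha256(full_key.encode()).digest()
    if CACHE.get(digest) == prefix:
        return record["user"]  # fast path: skips the expensive hash
    # Constant-time comparison of the derived hash against the stored one.
    if not hmac.compare_digest(_kdf(secret, record["salt"]), record["hash"]):
        return None
    CACHE[digest] = prefix  # cache a digest of the key, never the plaintext
    return record["user"]

def revoke(prefix: str) -> bool:
    existed = KEYS.pop(prefix, None) is not None
    # Drop cached entries for this prefix so nothing stale remains in memory.
    for digest in [d for d, p in CACHE.items() if p == prefix]:
        del CACHE[digest]
    return existed
```

Because the record lookup runs before the cache check, a revoked key is rejected on the very next request even if a cache entry were left behind.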

Rate Limits

API keys share the same rate limits as JWT tokens:

  • 100 requests per minute per key
  • 1000 requests per hour per key