Authentication
Every /api/v1 request must send a valid API key in the Authorization header. Browser session cookies are not used for these routes.
Bearer token
Authorization: Bearer <token>Each route validates the key and required scopes before running handler logic.
When authentication fails
Invalid or missing Authorization on JSON routes returns 401 with the standard error object (see Errors).
401
{
"code": "UNAUTHORIZED",
"message": "Missing or invalid API key. Use Authorization: Bearer <token>."
}Token format
Tokens are opaque strings:
flv1_<lookup-uuid>_<secret>The full value is shown once when you create or rotate a key. The dashboard lists a masked prefix (for example flv1_550e8400…).
