Auth

Authentication Overview

Valora uses two authentication methods depending on the endpoint you are calling.

API hosts:

  • Production https://valora.spotahome.com/ (sandbox compatible);
  • Staging / testing https://valora-testing.laravel.cloud/ (sandbox compatible).

Authentication methods

Method                Guard         Token lifetime            When to use
--------------------  ------------  ------------------------  -------------------------------------------------------------
Long-lived API token  auth:api      Until revoked             Service integrations, automated jobs, customer portal clients
JWT                   auth:api_jwt  30 minutes (refreshable)  Short-lived sessions, SPAs, mobile clients
Passkeys              web           Session-based             Modern, passwordless browser-based sign-in

How authentication is determined

Each endpoint specifies which authentication method it requires. The endpoint documentation states the guard and token class. Sending a JWT to an auth:api route (or vice versa) typically returns 401. Using a valid token of the wrong class (customer vs employee) on class-restricted routes returns 403 from the Valora API middleware — see that endpoint's Authentication section.

Common rules

  • Always send Accept: application/json on every request.
  • Send your token in the Authorization: Bearer {token} header.
  • Never put tokens in URLs or commit them to source control.
  • Treat long-lived tokens like passwords — rotate them when compromised.
  • HTTP rate limits: All /api/* routes use Laravel's api middleware group (throttle:api). Defaults are documented in Long-Lived API Token Authentication and JWT Authentication (guest vs authenticated buckets).
  • Wrong token class: A missing or invalid bearer token usually yields 401 with the message "Unauthenticated." from the guard. A valid token for the wrong audience (for example a customer token on an employee-only route) yields 403 from CheckEmployeeApi / CheckCustomerApi — see the endpoint's Authentication table.

HTTP rate limiting

All requests to Valora API endpoints are rate limited to ensure fair usage and system stability. Limits vary depending on whether the request is authenticated and the type of user.

Authenticated  User type  Limit
-------------  ---------  ------------------------------------
No             -          60 requests per minute, per IP
Yes            customer   120 requests per minute, per user
Yes            employee   5000 requests per minute, per user

Notes

  • Unauthenticated requests are limited per IP address.
  • Authenticated requests are limited based on the user making the request.
  • If a limit is exceeded, the API will return a 429 Too Many Requests response.
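The common rules and the rate-limit behaviour above, as a small client wrapper added here as an example (it is not Valora's SDK): every request carries Accept: application/json and the bearer token in the Authorization header, a token in the URL is refused, 401 and 403 become typed errors, and 429 is retried with backoff. The transport, the exception names and the 1s/2s/4s backoff schedule are this example's assumptions, not documented Valora behaviour.

```python
import time
import urllib.error
import urllib.request
from dataclasses import dataclass

PRODUCTION = "https://valora.spotahome.com/"  # production host from the page

@dataclass
class ApiResponse:
    status: int
    body: bytes

class AuthError(Exception): """401: missing/invalid bearer token, or a token sent to the wrong guard."""
class WrongTokenClass(Exception): """403: valid token but wrong audience (customer vs employee)."""
class RateLimited(Exception): """429 still returned after the retry budget is spent."""

def valora_headers(token: str) -> dict:
    # The two rules every request follows: JSON Accept header, and the token in
    # the Authorization header, never in the URL or query string.
    return {"Accept": "application/json", "Authorization": f"Bearer {token}"}

def urllib_transport(method: str, url: str, headers: dict) -> ApiResponse:
    """Real transport: return status and body for 2xx and 4xx/5xx alike."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return ApiResponse(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return ApiResponse(err.code, err.read())

def call_valora(path: str, token: str, transport=urllib_transport, base=PRODUCTION,
                retries: int = 3, sleep=time.sleep) -> ApiResponse:
    """GET `path` under the page's rules: 401/403 become typed errors, 429 is retried."""
    if not token or token in path:
        raise ValueError("token must travel in the Authorization header, never in the URL")
    url = base.rstrip("/") + path
    for attempt in range(retries + 1):
        resp = transport("GET", url, valora_headers(token))
        if resp.status == 401:
            raise AuthError("401 Unauthenticated.: check the token and the route's guard")
        if resp.status == 403:
            raise WrongTokenClass("403: this route does not accept the token's class")
        if resp.status != 429:
            return resp
        if attempt < retries:
            sleep(2 ** attempt)  # throttle bucket hit (assumed schedule): back off 1s, 2s, 4s and retry
    raise RateLimited("429 Too Many Requests after %d retries" % retries)
```

Pass `base=STAGING_URL` style overrides to point the same wrapper at the staging host, and inject a fake transport (as the tests below do) to exercise the 401/403/429 paths offline.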

Endpoint guides