Authentication
Valora uses bearer authentication: every request carries a token in the Authorization header. Each endpoint's reference page states which token type it accepts.
Authentication methods
| Method | Header | Use when |
|---|---|---|
| Long-lived API token | Authorization: Bearer vl_... or Authorization: Bearer sd_... | The endpoint requires long-lived API token authentication. |
| JWT | Authorization: Bearer eyJ... | The endpoint requires JWT authentication. |
Do not mix token types. A JWT will not authenticate an endpoint that expects a long-lived API token, and a long-lived API token will not authenticate an endpoint that expects a JWT.
Token audiences
Some endpoints are restricted by account type.
| Audience | Meaning |
|---|---|
| Customer | The token belongs to a customer account and can access customer-scoped resources. |
| Employee | The token belongs to an employee account and can access employee-scoped resources where permitted. |
If the token is valid but belongs to the wrong audience, the API returns 403 Forbidden. The token itself is not at fault in that case; retrying with the same token will fail again, so use a token issued for the account type the endpoint expects.
Required headers
Authorization: Bearer {token}
Accept: application/json
Use Content-Type: application/json when sending a JSON request body.
Token safety
- Store tokens in a secrets manager or encrypted environment variable, and read them into the client at runtime rather than hard-coding them.
- Never put tokens in URLs: query strings end up in server logs, proxy logs, browser history and Referer headers.
- Never commit tokens to source control.
- Rotate tokens when team access changes or a token may have been exposed.
- Prefer sandbox tokens while developing or testing.
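The following helper module ties the rules above together: it reads the token from the environment rather than from a literal, classifies it by the prefixes shown in the methods table (vl_/sd_ for long-lived API tokens, eyJ for JWTs) so a JWT is never sent to an endpoint that expects an API token or vice versa, builds the required headers, refuses URLs that carry a token in the query string, and maps a 403 to the wrong-audience case described above. This is an added example, not Valora's own client code. The token regexes beyond the documented prefixes, the VALORA_API_TOKEN variable name, and the reading of 401 as "token rejected" are assumptions; the page only documents 403 for a wrong audience.

```python
"""Valora bearer-token helpers (added example, not Valora's own client code).

Assumptions, not documented on the page: the token formats beyond the vl_/sd_
and eyJ prefixes, the VALORA_API_TOKEN variable name, and 401 meaning
"token rejected".
"""
import os
import re
from typing import Literal, Mapping, Optional
from urllib.parse import parse_qs, urlsplit

TokenType = Literal["api_token", "jwt"]

# Long-lived API tokens start with vl_ or sd_; the remainder of the format is an assumption.
_LONG_LIVED_RE = re.compile(r"^(?:vl|sd)_[A-Za-z0-9._-]+$")
# A JWT is three base64url segments; the first (the header) always begins with "eyJ".
_JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def classify_token(token: str) -> TokenType:
    """Return which token type a bearer value looks like, or raise ValueError."""
    if _LONG_LIVED_RE.match(token):
        return "api_token"
    if _JWT_RE.match(token):
        return "jwt"
    raise ValueError("value does not look like a Valora API token or a JWT")


def load_token(env_var: str, environ: Optional[Mapping[str, str]] = None) -> str:
    """Read a token from the environment; never from a literal in source control."""
    env = os.environ if environ is None else environ
    token = env.get(env_var, "").strip()
    if not token:
        raise RuntimeError(f"{env_var} is not set; inject it from a secrets manager")
    classify_token(token)  # fail fast on a placeholder, a typo, or a pasted URL
    return token


def build_headers(token: str, expected: TokenType, *, json_body: bool = False) -> dict:
    """Build the required headers, refusing to send a token of the wrong type."""
    actual = classify_token(token)
    if actual != expected:
        raise ValueError(f"endpoint expects a {expected} but the token looks like a {actual}")
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    if json_body:
        headers["Content-Type"] = "application/json"
    return headers


def check_url_has_no_token(url: str) -> str:
    """Reject request URLs whose query string carries anything shaped like a token."""
    for values in parse_qs(urlsplit(url).query).values():
        for value in values:
            try:
                classify_token(value)
            except ValueError:
                continue
            raise ValueError("token found in URL query string; send it in the Authorization header")
    return url


def explain_auth_failure(status: int, expected: TokenType) -> str:
    """Translate an authentication-related status code into the next step to take."""
    if status == 403:
        return ("token accepted but wrong audience (customer vs employee); "
                "use a token issued for the account type this endpoint expects")
    if status == 401:
        # Assumption: a missing, invalid, rotated, or wrong-type token comes back as 401.
        return f"token rejected; confirm the endpoint accepts a {expected} and the token is current"
    return f"HTTP {status} is not an authentication error"


if __name__ == "__main__":
    # Constructed demo environment; the value is not a real token.
    demo_env = {"VALORA_API_TOKEN": "sd_0123456789abcdef"}
    tok = load_token("VALORA_API_TOKEN", demo_env)
    check_url_has_no_token("https://api.example.test/v1/orders?page=2")
    print(build_headers(tok, "api_token", json_body=True))
    print(explain_auth_failure(403, "api_token"))
```

Calling build_headers with the token type the endpoint page documents turns the "do not mix token types" rule into a check that fails locally, before a request is sent, instead of surfacing as a confusing rejection from the API.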
Warning
For security reasons, we do not store the plain-text value of generated tokens.
Make sure to copy and store your token securely when it is created, as you will not be able to view it again.
Next steps
- Read Long-Lived API Token Authentication for production and sandbox API tokens.
- Read JWT Authentication for short-lived session tokens.