Skip to main content
Varo Cloud uses API key authentication to secure all requests to the REST API. Every call you make to https://inference.varo.cloud/v1 must include a valid API key in the Authorization header using the Bearer token scheme. Without a properly formatted key, requests are rejected before they reach any resource endpoint.

Generate an API key

You can create as many API keys as your plan allows. To generate a new key:
  1. Open the Varo Cloud dashboard and sign in to your account.
  2. Navigate to Settings → API Keys in the sidebar.
  3. Click New API Key.
  4. Enter a descriptive name for the key (for example, ci-pipeline-prod or monitoring-service).
  5. Click Create and immediately copy the key that appears.
You will only see the full key once. Store it in a secrets manager such as AWS Secrets Manager, HashiCorp Vault, or your CI/CD platform’s encrypted environment variables. There is no way to retrieve the key value after you close this dialog.

Using your API key

Pass your API key in the Authorization header of every request. The header value must follow the format Bearer YOUR_API_KEY.
curl https://inference.varo.cloud/v1/projects \
  -H "Authorization: Bearer YOUR_API_KEY"
const response = await fetch('https://inference.varo.cloud/v1/projects', {
  headers: {
    'Authorization': `Bearer ${process.env.VARO_API_KEY}`
  }
});
const data = await response.json();
Reading the key from an environment variable (as shown in the JavaScript example) is strongly recommended. Avoid hardcoding key values directly in source code or committing them to version control.

API key scopes

All API keys generated in Varo Cloud are scoped to your organization. A key has read and write access to every resource within your organization, including projects, deployments, environments, and team members. Because keys carry broad permissions, the best practice is to create a dedicated key for each application or integration rather than sharing a single key:
  • Create one key per CI/CD pipeline (for example, separate keys for your staging pipeline and production pipeline).
  • Create separate keys for third-party integrations so you can revoke access to a single integration without affecting others.
  • Name each key clearly so you can identify its purpose at a glance in the API Keys list.

Rotate and revoke keys

If a key is compromised or you need to cycle credentials as part of your security policy, you can rotate or revoke it at any time from Settings → API Keys. Click the ••• menu next to the key you want to manage and choose either Rotate or Revoke.
  • Rotate — Immediately invalidates the existing key and generates a replacement. Update your applications with the new key as quickly as possible.
  • Revoke — Permanently deletes the key with no replacement. The key cannot be recovered.
Revoking a key immediately invalidates it. Update your applications before revoking to avoid service interruptions caused by failed authentication.

Authentication errors

When a request fails due to an authentication or authorization issue, the API returns a JSON error body alongside an HTTP status code. The table below describes the most common authentication-related errors.
StatusCodeMeaning
401unauthorizedThe API key is missing, malformed, or no longer valid.
403forbiddenThe API key is valid but does not have permission to access the requested resource.
429rate_limitedYour key has exceeded the allowed request rate. Wait before retrying or review your plan limits.
All error responses follow a consistent JSON envelope:
{
  "error": {
    "code": "unauthorized",
    "message": "No valid API key provided.",
    "status": 401
  }
}
Use the code field in your error handling logic to distinguish between authentication failures and business-logic errors.