https://inference.varo.cloud/v1 must include a valid API key in the Authorization header using the Bearer token scheme. Without a properly formatted key, requests are rejected before they reach any resource endpoint.
Generate an API key
You can create as many API keys as your plan allows. To generate a new key:- Open the Varo Cloud dashboard and sign in to your account.
- Navigate to Settings → API Keys in the sidebar.
- Click New API Key.
- Enter a descriptive name for the key (for example,
ci-pipeline-prodormonitoring-service). - Click Create and immediately copy the key that appears.
Using your API key
Pass your API key in theAuthorization header of every request. The header value must follow the format Bearer YOUR_API_KEY.
API key scopes
All API keys generated in Varo Cloud are scoped to your organization. A key has read and write access to every resource within your organization, including projects, deployments, environments, and team members. Because keys carry broad permissions, the best practice is to create a dedicated key for each application or integration rather than sharing a single key:- Create one key per CI/CD pipeline (for example, separate keys for your staging pipeline and production pipeline).
- Create separate keys for third-party integrations so you can revoke access to a single integration without affecting others.
- Name each key clearly so you can identify its purpose at a glance in the API Keys list.
Rotate and revoke keys
If a key is compromised or you need to cycle credentials as part of your security policy, you can rotate or revoke it at any time from Settings → API Keys. Click the ••• menu next to the key you want to manage and choose either Rotate or Revoke.- Rotate — Immediately invalidates the existing key and generates a replacement. Update your applications with the new key as quickly as possible.
- Revoke — Permanently deletes the key with no replacement. The key cannot be recovered.
Revoking a key immediately invalidates it. Update your applications before revoking to avoid service interruptions caused by failed authentication.
Authentication errors
When a request fails due to an authentication or authorization issue, the API returns a JSON error body alongside an HTTP status code. The table below describes the most common authentication-related errors.| Status | Code | Meaning |
|---|---|---|
401 | unauthorized | The API key is missing, malformed, or no longer valid. |
403 | forbidden | The API key is valid but does not have permission to access the requested resource. |
429 | rate_limited | Your key has exceeded the allowed request rate. Wait before retrying or review your plan limits. |
code field in your error handling logic to distinguish between authentication failures and business-logic errors.