Authentication

Every request to /api/v1 must carry a valid API key. There are two ways to supply it.

Request header (preferred)

X-Api-Key: ev_your_api_key_here

This is the recommended approach. The key is never logged by proxies that only record the request URL.

Query parameter (alternative)

GET /api/v1/credits?api_key=ev_your_api_key_here

Useful for quick manual testing in a browser or curl one-liner. Avoid in production — many logging systems record query strings, which would expose your key in plaintext.

Key storage

Keys are stored as SHA-256 hashes. A revoked key returns 401 immediately.

Error responses

Missing or invalid key:

{ "status": 401, "error": "API key required." }
{ "status": 401, "error": "Invalid or revoked API key." }

Test-mode keys

Keys that begin with ev_test_ are test-mode keys. They return instant canned results, cost zero credits, and are safe to use in CI pipelines. See Test mode.