Authentication
Every request to /api/v1 must carry a valid API key. There are two ways to supply it.
Request header (preferred)
X-Api-Key: ev_your_api_key_here
This is the recommended approach. The key is never logged by proxies that only record the request URL.
Query parameter (alternative)
GET /api/v1/credits?api_key=ev_your_api_key_here
Useful for quick manual testing in a browser or curl one-liner. Avoid in production — many logging systems record query strings, which would expose your key in plaintext.
Key storage
Keys are stored as SHA-256 hashes. A revoked key returns 401 immediately.
Error responses
Missing or invalid key:
{ "status": 401, "error": "API key required." }
{ "status": 401, "error": "Invalid or revoked API key." }
Test-mode keys
Keys that begin with ev_test_ are test-mode keys. They return instant canned results,
cost zero credits, and are safe to use in CI pipelines. See Test mode.