Authentication
Bearer sk_live_ tokens, how to mint them, and how to keep them safe.
Every call to api.salfio.com/v1 must carry a Bearer token.
```http
GET /v1/health HTTP/1.1
Host: api.salfio.com
Authorization: Bearer sk_live_<your-token>
```

Missing, malformed, revoked, or expired tokens yield 401 Unauthorized with the standard error envelope. No rate-limit counters are exposed on 401 responses.
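The request above, as an added client example (not Salfio's own code): the token is read from an environment variable rather than hard-coded, the Authorization header is attached to every call, and a 401 is treated as a credential problem rather than a transient error to retry. The variable name SALFIO_API_KEY and the helper names are assumptions.

```python
# Added example (not Salfio's code). Assumed env var name: SALFIO_API_KEY.
import os
import urllib.error
import urllib.request

API_BASE = "https://api.salfio.com/v1"


def load_token() -> str:
    """Read the key from the environment so it never lives in source or logs."""
    token = os.environ.get("SALFIO_API_KEY", "")
    if not token.startswith("sk_live_"):
        raise RuntimeError("SALFIO_API_KEY is missing or is not an sk_live_ token")
    return token


def build_request(path: str, token: str) -> urllib.request.Request:
    """Attach the Bearer token; `path` is relative to /v1."""
    return urllib.request.Request(
        f"{API_BASE}/{path.lstrip('/')}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )


def classify_status(status: int) -> str:
    """401 means the token is missing, malformed, revoked or expired: fix or
    rotate the key; do not retry with the same credential. The docs expose no
    rate-limit counters on 401, so there is nothing to back off against."""
    if status == 401:
        return "auth_failed"
    if 200 <= status < 300:
        return "ok"
    return "other"


def call(path: str) -> str:
    req = build_request(path, load_token())
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_status(resp.status)
    except urllib.error.HTTPError as exc:
        # Log the status only; never log req.headers, which carries the token.
        return classify_status(exc.code)


if __name__ == "__main__":
    print(call("health"))
```

Only `call` touches the network; `build_request` and `classify_status` are pure so the header construction and the 401 handling can be unit-tested without a key.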
Key types
Salfio issues two parallel kinds of keys:
| Type | Scope | Who sees what |
|---|---|---|
| User key | Inherits the creator's permissions | Same as the human in the app |
| Service key | Full organization scope | All org data, independent of any user |
Both are minted from the dashboard. Programmatic key management is explicitly out of scope — the API does not let you create or revoke keys over HTTP.
Mint a key
- In the app, open Settings → API Keys.
- Click Create key. Pick:
  - Name — a human-friendly label ("ingest-worker", "partner-xyz").
  - Type — User or Service (see table above).
- Save. The full sk_live_… token is displayed once, immediately.
- Copy it to your secret manager of choice. Salfio does not keep the plain-text token — it is stored as a hash. You cannot retrieve it again.
Rotate and revoke
- Rotate: mint a new key, ship it to your consumers, revoke the old one. There is no in-place rotation; this is intentional.
- Revoke: in Settings → API Keys, click Revoke. The key stops working within the auth cache TTL (≤10 seconds) — the app-side LRU cache invalidates the revoked entry on the next authentication attempt.
Every Service Key creation emits an audit log entry and an email to the organization owner. Treat Service Keys as you would any production secret.
Security notes
- Keys are ~190 bits of entropy (sk_live_ + 32 random bytes base62).
- Tokens are hashed at rest (argon2id); server-side compromise does not leak the plain-text.
- Organization limits: 10 User keys per user, 5 Service keys per organization. Exceeding returns 409 Conflict.
The "try it" panel on these docs
The interactive request panel on reference pages runs in your browser and sends your pasted token over the public internet. Use a test/revocable key for the in-browser panel. Never paste production keys. Revoke any key you test with in the dashboard when you're done.