Authentication

API keys, the Authorization header, rotation, and common auth error responses


API key authentication

All /api/v1 routes expect an API key issued from the product. There is no separate OAuth flow for these endpoints—the key represents the user who created it, scoped to projects they can access in their organization.

Authorization header

Send the raw key as a Bearer token:

Authorization: Bearer dlv_xxxxxxxxxxxxxxxx

Keys must start with dlv_. Any other scheme or prefix returns 401 Unauthorized.

Creating and managing keys

  • Location — Settings > API Keys in the Aural web app.
  • Name — Use a descriptive label so you can tell production keys from experiments.
  • Expiry — Optional expiration; expired keys receive 401 responses.
  • Revocation — Deactivating or deleting a key takes effect immediately; in-flight requests may fail on the next call.

Treat keys like passwords

Do not commit keys to source control, expose them in client-side code, or log them. Prefer environment variables and a secret manager in production. Rotate keys if they leak.

Error responses

Errors use a JSON body shaped like:

{
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Invalid or revoked API key."
  }
}

  • 401 — Missing header, wrong prefix, unknown key, revoked key, or expired key.
  • 403 — Authenticated but not allowed (for example no organization resolved for the key user, or plan limits).
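
The following added example (not code from the Aural documentation) shows a client that loads the key from an environment variable, builds the documented header, logs only a redacted form, and maps the 401 and 403 responses described above to a next step. The variable name AURAL_API_KEY, the function names, the action labels and the sample key are assumptions.

```python
import json
import os

KEY_PREFIX = "dlv_"          # prefix required by the API
ENV_VAR = "AURAL_API_KEY"    # assumed variable name, not defined by the docs


def load_api_key(env=os.environ):
    """Read the key from the environment; reject values the API would answer with 401."""
    key = env.get(ENV_VAR, "").strip()
    if not key.startswith(KEY_PREFIX) or len(key) == len(KEY_PREFIX):
        raise ValueError(f"{ENV_VAR} is unset or does not start with {KEY_PREFIX}")
    return key


def auth_headers(key):
    """Build the header as documented: the raw key as a Bearer token."""
    return {"Authorization": f"Bearer {key}"}


def redact(key):
    """Form that is safe to log: the prefix plus, for long keys, the last four characters."""
    tail = key[-4:] if len(key) >= 12 else ""
    return f"{KEY_PREFIX}...{tail}"


def classify_error(status, body):
    """Map a documented error response to the step a client should take next."""
    try:
        err = json.loads(body)["error"]
        code, message = err["code"], err["message"]
    except (ValueError, KeyError, TypeError):
        code, message = "UNKNOWN", "unparseable error body"
    if status == 401:
        action = "replace_key"      # missing, malformed, unknown, revoked or expired key
    elif status == 403:
        action = "check_access"     # key is valid; organization or plan limits apply
    else:
        action = "not_auth_related"
    return {"action": action, "code": code, "message": message}


if __name__ == "__main__":
    key = load_api_key({ENV_VAR: "dlv_constructed0000sample"})  # constructed key
    print("using key", redact(key))
    sample = '{"error": {"code": "UNAUTHORIZED", "message": "Invalid or revoked API key."}}'
    print(classify_error(401, sample))
```

Retrying a 401 with the same key will not succeed; issue a new key and update the secret store instead.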

Project access

The key can only see interviews and sessions in projects your user can access. If the key user loses access to a project, API calls for those resources return 404 or 403 as appropriate.