Authentication
Authenticate requests to the Palveron API.
Every request to the Palveron API is authenticated with a bearer token. Palveron issues three key types — pick the one that matches the caller.
curl -H "Authorization: Bearer pv_live_..." https://gateway.palveron.com/api/v1/verifyKey types
| Prefix | Used by | Lifecycle |
|---|---|---|
pv_live_ / pv_test_ | Server-side SDKs and your own backend | Issued per project, rotatable in Integration → Quickstart |
ext_ | Browser Guard extensions and webhook integrations | Issued per extension; revocable independently |
agent_ | Individual AI agents | Bound to an agent's lifecycle — disabled automatically when the agent is paused, suspended, or revoked |
Use the most narrowly-scoped key the caller can use. A leaked agent_ key only exposes one agent; a leaked pv_live_ key exposes the whole project.
Never commit keys to source control. The dashboard's Integration tab shows each key exactly once on creation. Store them in your secrets manager (AWS Secrets Manager, GCP Secret Manager, Vault) or in your CI/CD pipeline's secret store.
Test vs. live mode
pv_test_keys hit a sandbox project. Traces, policy evaluations, and Flare attestations are flagged as test data and never charged.pv_live_keys hit production. Usage counts against your contract; Flare anchoring runs on the network configured for the project.
Error responses
| Status | Code | Meaning |
|---|---|---|
401 | MISSING_API_KEY | No Authorization header was sent |
401 | INVALID_API_KEY | The key is malformed or unknown |
401 | EXPIRED_API_KEY | The key was revoked or its parent agent is no longer ACTIVE |
403 | INSUFFICIENT_PERMISSIONS | The key is valid but the caller can't perform this action |
403 | ENTITLEMENT_DENIED | The endpoint requires a tier higher than the project's plan |
429 | RATE_LIMIT_EXCEEDED | Plan quota or per-minute burst limit hit; retry after the Retry-After header |
All errors return a JSON body:
{
"error": {
"code": "INVALID_API_KEY",
"message": "Human-readable description.",
"request_id": "pv_req_01HVB..."
}
}Include request_id when contacting support — it lets us find the exact trace in our logs.
Rate limits
Plan-level monthly quotas plus a per-key burst limit of 100 requests per second. The official SDKs retry transient 429s with exponential backoff and jitter; build the same behavior into custom clients.