API Reference (Stable v1)
Authentication
Tenant-scoped auth headers, signature model, and key lifecycle requirements.
Last updated Mar 4, 2026
Required Headers
/v1/* (Required). All write endpoints require bearer authentication and explicit tenant context.
Headers
| Header | Required | Description |
|---|---|---|
| Authorization | yes | Bearer <token> |
| X-Tenant-Id | yes | Tenant scope for access control and audit boundaries. |
| Content-Type | yes | application/json for JSON operations. |

```http
Authorization: Bearer <token>
X-Tenant-Id: <tenant_id>
Content-Type: application/json
```
Optional Request Signing (Recommended)
For high-impact operations, add deterministic request signatures.
/v1/* (Recommended). Use timestamped HMAC signatures to reduce replay and tampering risk.
Signature headers
| Header | Required | Description |
|---|---|---|
| X-VaryOn-Timestamp | yes | Unix timestamp in seconds. |
| X-VaryOn-Signature | yes | sha256=<hmac> over canonical request input. |
Canonical input
- HTTP method
- request path
- body hash
- tenant id
- timestamp
```http
X-VaryOn-Timestamp: 1700000000
X-VaryOn-Signature: sha256=<hmac>
```
Key Rotation Policy
- Provision overlapping active keys.
- Run a dual-signing verification window.
- Revoke prior key after confirmation.
Enforce least privilege by product surface; do not share keys across tenants.
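As an added example, not code from this API's own SDK, the following Python shows the signing flow from the "Optional Request Signing" section together with a server-side check that accepts any key still active during the rotation window described above. The newline-joined canonical string, the hex SHA-256 body hash, the 300-second skew allowance and all key and tenant values are assumptions; the page fixes none of them.

```python
import hashlib
import hmac
import time

def canonical_input(method, path, body, tenant_id, ts):
    # Assumed layout: the five inputs the page lists, joined with "\n".
    body_hash = hashlib.sha256(body).hexdigest()  # assumed: hex SHA-256 of the raw body
    return "\n".join([method.upper(), path, body_hash, tenant_id, str(ts)]).encode()

def sign(key, method, path, body, tenant_id, ts):
    # Client side: produce the X-VaryOn-Signature header value.
    mac = hmac.new(key, canonical_input(method, path, body, tenant_id, ts), hashlib.sha256)
    return "sha256=" + mac.hexdigest()

def verify(active_keys, method, path, body, tenant_id, headers, now=None, max_skew=300):
    # Server side. active_keys holds every key valid in the dual-signing window,
    # so a caller still on the prior key keeps working until that key is revoked.
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-VaryOn-Timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > max_skew:  # stale or future-dated request: limits replay
        return False
    sig = headers.get("X-VaryOn-Signature", "")
    if not sig.startswith("sha256="):
        return False
    presented = sig[len("sha256="):]
    canon = canonical_input(method, path, body, tenant_id, ts)
    for key in active_keys:
        expected = hmac.new(key, canon, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, presented):  # constant-time comparison
            return True
    return False

def demo():
    # Constructed sample values; the tenant id and keys are placeholders.
    old_key, new_key = b"constructed-old-key", b"constructed-new-key"
    body, tenant, ts = b'{"action":"rotate"}', "tenant-123", 1700000000
    hdrs = {"X-VaryOn-Timestamp": str(ts),
            "X-VaryOn-Signature": sign(old_key, "POST", "/v1/keys", body, tenant, ts)}
    args = ("POST", "/v1/keys", body, tenant, hdrs)
    return {
        "both_active": verify([old_key, new_key], *args, now=ts + 10),   # window open
        "old_revoked": verify([new_key], *args, now=ts + 10),            # prior key gone
        "stale": verify([old_key, new_key], *args, now=ts + 3600),       # outside skew
        "tampered": verify([old_key, new_key], "POST", "/v1/keys", b'{"action":"x"}', tenant, hdrs, now=ts + 10),
        "wrong_tenant": verify([old_key, new_key], "POST", "/v1/keys", body, "tenant-999", hdrs, now=ts + 10),
    }
```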