API Keys
API keys let you authenticate the Veriva CLI and HTTP API without going through the browser-based OAuth flow. They're also useful for CI/CD pipelines and automation.
Creating an API key
- Open the Veriva dashboard, click the gear icon in the sidebar, and go to Settings > API
- Click Create API Key
- Give your key a descriptive name (e.g., "CI Pipeline" or "VS Code")
- Copy the key immediately — it's only shown once
API keys start with vr_ and are approximately 50 characters long. The key is hashed before storage — Veriva never stores the plaintext key.
Using API keys
VS Code extension
The VS Code extension uses browser-based device authorization instead of token paste. Run Veriva: Sign in from the Command Palette and confirm the matching code in your browser.
CLI
# Direct login with key
veriva login --token vr_your_api_key_here
# Or via environment variable (useful for CI/CD)
export VERIVA_TOKEN=vr_your_api_key_here
veriva analyze --pr 123HTTP API
API keys can also be used directly in HTTP requests:
curl -H "Authorization: Bearer vr_your_api_key_here" \
https://api.veriva.dev/trpc/plan.currentKey limits by plan
| Plan | Max API keys | Rate limit |
|---|---|---|
| Hobby | 1 | 100 requests/hour |
| Team | 3 | 1,000 requests/hour |
| Scale | 10 | 10,000 requests/hour |
| Enterprise | Unlimited | Unlimited |
Revoking a key
To revoke an API key, open Settings > API from the gear icon in the sidebar and click Revoke next to the key. Revoked keys are immediately invalidated — any CLI or API sessions using that key will need to re-authenticate.
Security best practices
Never commit API keys
- Use descriptive names so you can identify which key is used where (e.g., "GitHub Actions", "Local dev").
- Rotate keys periodically. Create a new key, update your integrations, then revoke the old one.
- Use separate keys for different environments (CI vs. local development) so you can revoke one without affecting the other.