Mint a key
- Sign in to
/console/settings/api-keysas a workspace admin. - Click Mint new key, name it (e.g.
ci-pipeline), pick the scopes it needs. - Copy the secret immediately — it is shown exactly once.
Scopes
Scopes are namespaced<surface>:<action>. Common ones:
| Scope | Meaning |
|---|---|
workspace:read | Read workspace + member listings |
workspace:audit | Read tenant audit log |
workspace:billing | Read invoices, manage portal session |
workspace:members | Invite / remove / role-change members |
workspace:admin | Full admin parity (use sparingly) |
apps:read, apps:write | Read / publish tenant apps |
submissions:read, submissions:reveal | Read submissions; reveal masked fields |
Signing requests
The CLI / SDK sign requests with HMAC-SHA256 over a canonical string:| Header | Value |
|---|---|
Authorization | Bearer <key-id> |
X-Gavai-Signature | v1=<hex(hmac_sha256(secret, canonical_string))> |
X-Gavai-Timestamp | The same unix-timestamp used in canonical_string |
Sample (Node)
Sample (Python)
Verification on the server side
gavAI rejects requests where:- The timestamp is more than 5 minutes off the server clock (replay protection).
- The HMAC computed over the canonical string does not match.
- The
key_idis revoked or the scope does not cover the requested action.
Rotation
When a key needs rotating:- Mint a new key with the same scopes.
- Roll over the key in your secret store / config.
- Revoke the old key from
/console/settings/api-keys.
Audit trail
Each mint, revoke, and authenticated request is recorded in the tenant audit log (/console/activity). Use this to spot keys that aren’t doing what you expect.