The public /v1 API uses API keys in the x-api-key header.
Send the full API key in the x-api-key header:
x-api-key: yalg_live_PUBLIC_ID.SECRET
YALG keys use this format:
yalg_live_<publicId>.<secret>
The full value is shown once when the key is created. YALG stores the public id, prefix, last four characters, status, timestamps, and an HMAC/SHA-256 hash of the secret.
Because the full key is shown only once, store it in a server-side secret manager or
environment variable, and never expose it in client-side code.
Server-side only
API keys should be used from trusted server environments:
- backend services
- serverless functions
- workers and queues
- internal automation scripts
- secure CI jobs
Do not use API keys from:
- browser code
- public mobile apps
- static websites
- client-side extensions
- public example repositories
Revoked keys
Revoked keys stop authenticating immediately. A request with a revoked, missing, or malformed key returns 401 Unauthorized.
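The key format, the stored fields and the 401 behaviour described above can be sketched as a server-side check; this is an added example, not YALG's own code. The character set in the regex, the PEPPER HMAC key, the record layout, the function names and the sample keys are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Assumed key grammar: the page gives only yalg_live_<publicId>.<secret>;
# the character classes below are an assumption for this sketch.
KEY_RE = re.compile(r"yalg_live_([A-Za-z0-9]+)\.([A-Za-z0-9_-]+)")
# Constructed server-side HMAC key (pepper); in practice it comes from a secret manager.
PEPPER = b"constructed-demo-pepper"


def secret_digest(secret: str) -> str:
    """HMAC-SHA-256 of the secret part; the only secret-derived value stored."""
    return hmac.new(PEPPER, secret.encode(), hashlib.sha256).hexdigest()


def make_record(public_id: str, secret: str, status: str = "active") -> dict:
    """What is persisted at creation: no plaintext secret, so it cannot be shown again."""
    full = f"yalg_live_{public_id}.{secret}"
    return {"public_id": public_id, "prefix": "yalg_live_", "last_four": full[-4:],
            "status": status, "secret_hmac": secret_digest(secret)}


def authenticate(headers: dict, store: dict) -> int:
    """Return 200 if the x-api-key header authenticates, else 401."""
    # HTTP header names are case-insensitive.
    value = next((v for k, v in headers.items() if k.lower() == "x-api-key"), None)
    if value is None:
        return 401  # missing
    m = KEY_RE.fullmatch(value.strip())
    if m is None:
        return 401  # malformed
    public_id, secret = m.groups()
    record = store.get(public_id)
    # Always compute and compare a digest so unknown ids are not faster to reject.
    expected = record["secret_hmac"] if record else secret_digest("")
    matches = hmac.compare_digest(secret_digest(secret), expected)
    if record is None or not matches or record["status"] != "active":
        return 401  # unknown id, wrong secret, or revoked
    return 200


# Constructed sample data: one active key and one revoked key.
STORE = {
    "pubA1": make_record("pubA1", "s3cretValueAAAA"),
    "pubB2": make_record("pubB2", "s3cretValueBBBB", status="revoked"),
}
```

All failure cases return the same 401, so a caller cannot tell a revoked key from a wrong secret or an unknown public id.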
Bearer auth
Bearer auth may appear in the OpenAPI security model for internal testing. Public integrations should use x-api-key.