tollara.ai

Authentication

API access to the gateway and core services uses service keys. End-user authentication (login, registration) is handled separately via the main site and is not covered in this doc.

Service keys

Each service has one or more API keys. Use a key to:

  • Invoke the service via the gateway (Authorization: Bearer <serviceKey>)
  • Validate the key via the core service (POST .../service-keys/validate) to get user, plan, quota, subscription state, and optional billing metadata — the same snapshot the gateway puts in X-Tollara-* headers on proxied invokes

Keys are created in the dashboard; the full key value is shown only once. A service key is a bearer credential: anyone who holds it can invoke the service as you, so store it securely (e.g. environment variable or secrets manager), never embed it in client-side code or commit it to source control, and send it only over HTTPS.

Service secret (for backends)

When your service acts as a service backend, the gateway forwards requests to you with HMAC-signed headers. You need the service secret (distinct from the service key that callers present) to verify the signature on inbound requests and to sign your outbound calls (e.g. usage report, progress, completion). The secret is available in the service configuration for the owner; like the service key, it must be kept out of client-side code and source control.

See Request signing (HMAC) for how verification works.
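The following is an added example (not tollara.ai's own code) of the two sides of HMAC request signing described above: a backend verifying a gateway-signed inbound request, and the same backend signing an outbound call such as a usage report. The header names (X-Signature, X-Timestamp), the canonical string (method, path, timestamp, SHA-256 of the body) and the 300-second freshness window are assumptions made for this example; the actual scheme is defined in the Request signing (HMAC) doc and must be followed exactly, since any mismatch in the canonical string yields a different MAC.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Assumed header names and freshness window for this example; the real
# scheme is specified in the "Request signing (HMAC)" doc.
SIG_HEADER = "X-Signature"
TS_HEADER = "X-Timestamp"
MAX_SKEW_SECONDS = 300


def canonical_string(method: str, path: str, timestamp: str, body: bytes) -> bytes:
    """Bind method, path, timestamp and a hash of the body into one signed message.

    Hashing the body (rather than signing it raw) keeps the canonical string
    short and makes any change to the payload invalidate the signature.
    """
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(secret: str, method: str, path: str, body: bytes,
                 timestamp: Optional[int] = None) -> Dict[str, str]:
    """Produce the signature headers for an outbound call (e.g. a usage report)."""
    ts = str(int(time.time()) if timestamp is None else timestamp)
    mac = hmac.new(secret.encode(), canonical_string(method, path, ts, body),
                   hashlib.sha256).hexdigest()
    return {TS_HEADER: ts, SIG_HEADER: mac}


def verify_request(secret: str, method: str, path: str, body: bytes,
                   headers: Dict[str, str], now: Optional[int] = None) -> bool:
    """Verify a gateway-signed inbound request.

    Rejects missing or malformed headers, timestamps outside the freshness
    window (replay defence), and any MAC mismatch. The comparison uses
    hmac.compare_digest so the check does not leak timing information.
    """
    ts = headers.get(TS_HEADER)
    sig = headers.get(SIG_HEADER)
    if not ts or not sig:
        return False
    try:
        ts_int = int(ts)
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if abs(current - ts_int) > MAX_SKEW_SECONDS:
        return False
    expected = hmac.new(secret.encode(), canonical_string(method, path, ts, body),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    # Constructed secret and payload for demonstration only.
    secret = "constructed-service-secret"
    body = b'{"jobId":"job_123","units":3}'
    # 1. The gateway (simulated here) signs an inbound invoke.
    inbound = sign_request(secret, "POST", "/invoke", body, timestamp=1_700_000_000)
    print("valid:", verify_request(secret, "POST", "/invoke", body, inbound, now=1_700_000_010))
    print("tampered body:", verify_request(secret, "POST", "/invoke", body + b" ", inbound, now=1_700_000_010))
    print("stale:", verify_request(secret, "POST", "/invoke", body, inbound, now=1_700_000_400))
    # 2. The backend signs its own outbound usage report with the same secret.
    print("outbound headers:", sign_request(secret, "POST", "/usage", body, timestamp=1_700_000_020))
```

A timestamp check alone only narrows the replay window; if the real scheme carries a nonce or request id, store seen values for the length of the window and reject repeats as well.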

Scopes and roles

The platform uses roles (e.g. USER, DEVELOPER, ADMIN) for dashboard and API access. When you validate a service key, the response includes the user's plan and roles so you can enforce quotas or feature access. Details are in the Core API (validation response).
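As an added example (not tollara.ai's own code), the function below takes the kind of snapshot that key validation returns (user, plan, quota, subscription state, roles, as described under Service keys above) and decides whether a request may proceed, checking subscription state, role, plan feature and remaining quota in turn and returning a specific deny reason. The role names USER, DEVELOPER and ADMIN come from this doc; their ordering, the field names inside the snapshot, the plan names and the feature-to-plan table are assumptions for the example and must be mapped to the real validation response documented in the Core API.

```python
from typing import Any, Dict

# Role names are from the doc; ranking them (ADMIN > DEVELOPER > USER) is an
# assumption for this example.
ROLE_RANK = {"USER": 0, "DEVELOPER": 1, "ADMIN": 2}

# Plan names and the features each plan unlocks are constructed for the example.
PLAN_FEATURES = {
    "free": {"invoke"},
    "pro": {"invoke", "batch"},
    "enterprise": {"invoke", "batch", "priority"},
}


def bearer_header(service_key: str) -> Dict[str, str]:
    """Build the Authorization header a caller sends to the gateway."""
    if not service_key or any(c.isspace() for c in service_key):
        raise ValueError("malformed service key")
    return {"Authorization": f"Bearer {service_key}"}


def authorize(snapshot: Dict[str, Any], feature: str, required_role: str = "USER") -> str:
    """Return "allow" or "deny:<reason>" for one request against a validation snapshot.

    Checks run from cheapest to most specific so the first failing condition
    is reported. Field names ("valid", "subscription.state", "roles", "plan",
    "quota.limit", "quota.used") are assumptions for this example.
    """
    if snapshot.get("valid") is not True:
        return "deny:invalid_key"
    if snapshot.get("subscription", {}).get("state") != "active":
        return "deny:subscription_inactive"
    needed = ROLE_RANK.get(required_role)
    roles = snapshot.get("roles") or []
    if needed is None or not any(ROLE_RANK.get(r, -1) >= needed for r in roles):
        return "deny:role"
    if feature not in PLAN_FEATURES.get(snapshot.get("plan"), set()):
        return "deny:plan_feature"
    quota = snapshot.get("quota") or {}
    limit = quota.get("limit")
    used = quota.get("used", 0)
    # A missing limit is treated as unlimited; a present limit is enforced.
    if limit is not None and used >= limit:
        return "deny:quota_exhausted"
    return "allow"


# Constructed snapshots in the shape this doc describes (not real API output).
SNAPSHOT_PRO = {
    "valid": True,
    "user": {"id": "usr_1"},
    "plan": "pro",
    "roles": ["USER", "DEVELOPER"],
    "subscription": {"state": "active"},
    "quota": {"limit": 1000, "used": 999},
}
SNAPSHOT_LAPSED = dict(SNAPSHOT_PRO, subscription={"state": "past_due"})
SNAPSHOT_EXHAUSTED = dict(SNAPSHOT_PRO, quota={"limit": 1000, "used": 1000})

if __name__ == "__main__":
    print(bearer_header("constructed-service-key"))
    for name, snap in [("pro", SNAPSHOT_PRO), ("lapsed", SNAPSHOT_LAPSED), ("exhausted", SNAPSHOT_EXHAUSTED)]:
        print(name, "batch:", authorize(snap, "batch"), "| priority:", authorize(snap, "priority"))
```

The quota figures in a snapshot are a point-in-time read from validation; if your backend meters usage itself, treat them as an upper bound and report consumption through the signed usage calls rather than trusting the cached numbers indefinitely.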