Authentication

Recovea authenticates with API keys passed as a Bearer token, exactly like OpenAI. Your app sends a Recovea key (rcv_live_…), not your provider key. Recovea resolves it to your tenant and signs the upstream call with your own provider credential, pass-through.

The Authorization header

Every request carries:

Authorization: Bearer rcv_live_…

There is no query-parameter or request-body auth: header only.

from openai import OpenAI

client = OpenAI(
    base_url="https://api.recovea.ai/v1",
    api_key="rcv_live_…",
)

Key types

Prefix      Environment   Use
rcv_live_   Live          Production traffic, billed and metered
rcv_test_   Test          Non-production; a leaked test key can never touch prod spend

Keys are scoped per project, generated and managed in the dashboard. The full secret is shown exactly once at creation, so store it in your secret manager immediately; only a rcv_live_8t…f3a2 prefix is shown afterward.

Two kinds of key, never confused. The rcv_ key is what your app sends to Recovea. Your provider key (OpenAI / Anthropic / OpenRouter) is pasted into the dashboard once, encrypted at rest with AES-256-GCM (customer-managed KMS envelopes are planned), and used pass-through. Recovea never holds your spend and never commingles keys across tenants.

Rotating and revoking

  • Rotate to roll a new secret with an optional grace window where the old key still works, for a zero-downtime cutover.
  • Revoke to kill a key immediately. A revoked key can't be un-revoked; create a new one.
  • The Last used column in the dashboard is your leak signal: an unexpected hit on a key you thought was idle is how a leak shows itself.

Every create / rotate / revoke is written to your append-only audit log.

Errors

A missing or incorrect key returns HTTP 401 with the standard OpenAI error envelope, so your SDK raises its normal AuthenticationError:

{
  "error": {
    "message": "Incorrect Recovea API key provided. View and manage your keys at https://dashboard.recovea.ai …",
    "type": "invalid_request_error",
    "param": null,
    "code": "invalid_api_key"
  }
}

See Errors for the full status-code and envelope reference.

Keep keys safe

  • Never hard-code a key in source. Read it from an environment variable (RECOVEA_API_KEY).
  • Never expose a rcv_live_ key in a browser or mobile client.
  • Use a separate rcv_test_ key for CI and staging.
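One way to enforce these rules at application start-up, as an added example that is not Recovea's own code: it reads RECOVEA_API_KEY, rejects a key whose prefix does not match the deployment, and only ever logs a masked form shaped like the dashboard's. The APP_ENV variable, its values, the minimum secret length and the sample keys are assumptions made for the example.

```python
import os

LIVE_PREFIX = "rcv_live_"
TEST_PREFIX = "rcv_test_"


class KeyPolicyError(RuntimeError):
    """The configured key is missing, malformed, or wrong for this deployment."""


def key_environment(key):
    """Classify a key by its documented prefix."""
    if key.startswith(LIVE_PREFIX):
        return "live"
    if key.startswith(TEST_PREFIX):
        return "test"
    raise KeyPolicyError("not a Recovea key: expected rcv_live_ or rcv_test_ prefix")


def mask_key(key):
    """Log-safe form shaped like the dashboard's masked key (rcv_live_8t…f3a2)."""
    prefix = LIVE_PREFIX if key_environment(key) == "live" else TEST_PREFIX
    secret = key[len(prefix):]
    if len(secret) < 12:  # assumption: too short to show any of it safely
        return prefix + "…"
    return f"{prefix}{secret[:2]}…{secret[-4:]}"


def load_key(environ=os.environ, deployment_var="APP_ENV"):
    """Read RECOVEA_API_KEY; refuse a live key outside production and vice versa.

    APP_ENV and its values are assumptions of this example, not Recovea settings.
    """
    key = environ.get("RECOVEA_API_KEY", "").strip()
    if not key:
        raise KeyPolicyError("RECOVEA_API_KEY is not set")
    deployment = environ.get(deployment_var, "development")
    is_live = key_environment(key) == "live"
    if is_live != (deployment == "production"):
        # Only the masked form ever reaches logs or error reports.
        raise KeyPolicyError(f"{mask_key(key)} must not be used in {deployment!r}")
    return key


if __name__ == "__main__":
    # Constructed sample keys, not real credentials.
    print(mask_key("rcv_live_8tCONSTRUCTEDf3a2"))
    print(mask_key(load_key({"RECOVEA_API_KEY": "rcv_test_abCONSTRUCTED1234", "APP_ENV": "ci"})))
```

Pass the returned value as api_key when constructing the client, and run the check in CI so a live key in a staging or test configuration fails the build before any request is sent.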