How to authenticate with the Revvvs API.
Authentication
All API requests to Revvvs are authenticated using API keys. Each API key is scoped to a single operator and has full access to that operator's data.
API Keys
API keys are created from your Revvvs admin console under Settings > API Keys.
When you create a key, the full key is shown once. Save it immediately. It cannot be retrieved again. If you lose a key, deactivate it and create a new one.
API keys use the format: rv_ followed by 64 hexadecimal characters.
rv_34e0fc35cd0721a6253bb3241ef1ce4ae41af38951f6c03ba9885bd5229989c9
Sending authenticated requests
Include your API key in the X-API-Key header on every request:
curl -X POST https://revvvs.com/api/v1/events \
-H "Content-Type: application/json" \
-H "X-API-Key: rv_your_api_key_here" \
-d '{ ... }'
Key management
| Action | How |
|---|---|
| Create a key | Admin console > Settings > API Keys > Create |
| Deactivate a key | Admin console > Settings > API Keys > toggle off |
| Rotate a key | Create a new key, update your integration, then deactivate the old key |
Rate limits
The events API is rate-limited to 1,000 requests per minute per API key. If you exceed this, you'll receive a 429 Too Many Requests response.
The X-RateLimit-Remaining header on every response tells you how many requests you have left in the current window.
For batch event ingestion (up to 100 events per request), you can process up to 100,000 events per minute within the rate limit.
Security best practices
- Store API keys in environment variables or a secrets manager, never in source code
- Use different keys for staging and production
- Rotate keys periodically (every 90 days is a reasonable cadence)
- Deactivate keys immediately if compromised
- Restrict network access to your API key if your infrastructure supports IP allowlisting (contact us for IP-restricted keys)