API Reference
How interactive sign-in, workspace setup, and API keys work in the current product.
Authentication
Souma has two separate access paths:
- Interactive product access through the homepage drawer
- Programmatic API access through API keys
Interactive access
- Create New Workspace provisions a new team environment
- Login gets existing users back into the dashboard
- Verified users land in the dashboard and can then create API keys
API keys
Generate API keys from **Dashboard > Integration > API Keys** or visit your Souma Dashboard.
Available scopes
| Scope | Use case |
|---|---|
| provenance:read | Read provenance-related records |
| provenance:write | Write provenance-related records |
| validation:read | Read validation results |
| validation:write | Submit validation jobs |
Using your key
Include your API key in the Authorization header of every request:
```bash
curl -H "Authorization: Bearer sk_live_xxxxxxxxxxxxx" \
  http://localhost:3000/api/validate
```
Client versus server usage
- Server-side code uses API keys directly
- Dashboard client code can use Souma's authenticated fetch helpers and session state
- Do not expose raw production keys in browser bundles
Key rotation
We recommend rotating your API keys periodically:
- Generate a new key from the dashboard
- Update your environment variables
- Verify the new key works
- Revoke the old key
Security best practices
- Store API keys in environment variables, never in source code
- Rotate keys regularly and after any potential exposure
- Use the principle of least privilege when creating keys
- Keep separate keys per environment or service
- Revoke old keys immediately after migration
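The server-side pattern from "Using your key" and the verify-before-revoke step from "Key rotation", as an added example that is not Souma's own code. The environment variable name `SOUMA_API_KEY`, the helper names, and the rule that a 2xx status means the key was accepted are assumptions; the URL and the Bearer scheme come from the curl example.

```python
import os
import urllib.error
import urllib.request

# From the page: the endpoint URL and the "Authorization: Bearer" scheme.
# Assumed here: the variable name SOUMA_API_KEY and that a 2xx status means
# the key was accepted.
VALIDATE_URL = "http://localhost:3000/api/validate"
KEY_ENV_VAR = "SOUMA_API_KEY"


def load_key(env=os.environ):
    """Read the key from the environment; reject missing or placeholder values."""
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    if set(key.rsplit("_", 1)[-1]) <= {"x"}:
        raise RuntimeError(f"{KEY_ENV_VAR} still holds a documentation placeholder")
    return key


def redact(key):
    """Log-safe form of a key: the prefix and last four characters only."""
    return f"{key[:8]}...{key[-4:]}" if len(key) > 12 else "***"


def build_request(key, url=VALIDATE_URL):
    """Attach the key as a Bearer token, as the curl example does."""
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {key}"})


def http_send(req):
    """Send the request and return the HTTP status, including error statuses."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def safe_to_revoke_old(new_key, send=http_send):
    """Rotation step 3: True only when a request with the new key succeeds."""
    status = send(build_request(new_key))
    print(f"key {redact(new_key)} -> HTTP {status}")
    return 200 <= status < 300
```

Run `safe_to_revoke_old(load_key())` after updating the environment variable to the new key, and revoke the old key only when it returns `True`.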