Documentation Console
eneszh
Log In Start now
Inceptiondb
Quick Start Guide with InceptionDB
Managing Collections
Working with Data
InceptionDB API Reference
Create Collection
Create Database
Document Operations
Drop Database
Get Database
List Collections
List Databases
Update Database
Lambda
Getting Started with Lambda
Managing Lambda Functions
Invoking Lambda Functions
Lambda API Reference
Create Lambda
Delete Lambda
Get Lambda
List Lambdas
Modify Lambda
Mux Router
Run Lambda (Admin)
Run Lambda (Public)
Files
Getting Started
Managing Buckets
Working With Files
Files API Reference
Create Bucket
Delete Bucket
Delete File
Download File
File Headers
Get Bucket
List Buckets
List Files
Modify Bucket
Upload File
Config
Getting Started
Managing Configs
Config API Reference
Create Config
Delete Config
Get Config
Get User Config
List Configs
Patch Config
Update User Config
InstantLogs
Getting Started
Ingesting Logs
Streaming and Filtering
InstantLogs API Reference
Create Logger
Create Logger API Key
Delete Logger
Delete Logger API Key
Filter Logs
Get Logger
Ingest Framed Events
Ingest Logs
List Loggers
Logger Stats
Stream Events
Tailon Queues
Getting Started
Managing Queues
Producing and Consuming
Tailon API Reference
Create Queue
Delete Queue
Get Queue
List Clients
List Queues
Read Messages
Write Messages
Scheduler
Getting Started
Managing Schedulers
Task Lifecycle
Scheduler API Reference
Acknowledge Task
Create Scheduler
Delete Scheduler
Enqueue Task
Extend Lease
Get Scheduler
List Schedulers
List Tasks
Patch Scheduler
Reschedule Task
Reserve Task
Scheduler Health
Task Stream
Update Scheduler
Kvnode
Getting Started
Collections And Keys
Replication
KVNode API Reference
Create Collection
Delete Collection
Delete Key
Get Key
Health Check
List Collections
List Keys
Node Metrics
Node Status
Readiness Check
Set Key
SDK Reference
Console
Getting Started with the Console
Managing Projects and Services
Console API Reference
Fake API
Get Version
Glue2
Architecture & Routing
Authentication
Managing API Keys
Glue2 API Reference
Backend Status
Get Version
List Virtualhosts
Openapi Spec
Traffic Stats
Holamail
Sending Email
Holamail API Reference
SMTP Reference
Run
Getting Started
Run API Reference
Console Data
Docker Registry
Get Version
Rollback Image
Save Environment
Save Volumes
Start Repository
Stop Repository

Managing API Keys

API keys are the primary method for machine-to-machine authentication with HolaCloud services. Each key consists of a UUID-based public identifier (Api-Key) and a UUID-based secret (Api-Secret). The secret is hashed with bcrypt and cannot be retrieved after creation.

Creating an API Key

Through the Console

  1. Log in to https://console.hola.cloud.
  2. Navigate to Settings > API Keys.
  3. Click Create API Key.
  4. Optionally set key scopes (projects and host rules).
  5. Click Create.
  6. Copy the Api-Key and Api-Secret immediately — the secret is shown only once.

Through the Serviceprojects API

API keys are managed by the serviceprojects API. Project creation is outside the current Glue2 API key documentation.

 1curl -X POST "https://api.hola.cloud/v0/apikeys" \
 2  -H "X-Glue-Authentication: {\"user\":{\"id\":\"user-1234\"}}" \
 3  -H "Content-Type: application/json" \
 4  -d '{
 5    "name": "CI/CD Key",
 6    "scopes": [
 7      {
 8        "projects": ["project-123"],
 9        "host_rules": {"my-project.hola.cloud": "{}"}
10      }
11    ]
12  }'

Expected response:

 1{
 2  "key": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
 3  "secret": "f0e1d2c3-b4a5-6789-0fed-cba987654321",
 4  "name": "CI/CD Key",
 5  "scopes": [
 6    {
 7      "projects": ["project-123"],
 8      "host_rules": {"my-project.hola.cloud": "{}"}
 9    }
10  ]
11}

Key Structure

  • Api-Key: UUID v4, acts as the public identifier for the key. Sent in the Api-Key header.
  • Api-Secret: UUID v4, acts as the secret. Sent in the Api-Secret header. Stored as a bcrypt hash — HolaCloud cannot recover it if lost.

Scoping

API keys can be restricted to:

Scope Field Example
Projects projects ["project-123"]
Host rules host_rules {"my-project.hola.cloud": "{}"}

Path and HTTP method scopes are not part of the current API key model.

Using an API Key

Once you have an Api-Key and Api-Secret, include them in all requests:

1curl "https://my-project.hola.cloud/api/v0/lambdas" \
2  -H "Api-Key: a1b2c3d4-e5f6-7890-abcd-ef1234567890" \
3  -H "Api-Secret: f0e1d2c3-b4a5-6789-0fed-cba987654321"

Listing API Keys

1curl "https://api.hola.cloud/v0/apikeys" \
2  -H "X-Glue-Authentication: {\"user\":{\"id\":\"user-1234\"}}"

1{
2  "api_keys": [
3    {
4      "key": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
5      "name": "CI/CD Key",
6      "scopes": [{ "projects": ["project-123"], "host_rules": {"my-project.hola.cloud": "{}"} }]
7    }
8  ]
9}

Note: The api_secret is never returned in listing responses — it is only shown once at creation.

Revoking an API Key

1curl -X DELETE "https://api.hola.cloud/v0/apikeys/a1b2c3d4-e5f6-7890-abcd-ef1234567890" \
2  -H "X-Glue-Authentication: {\"user\":{\"id\":\"user-1234\"}}"

A successful revocation returns 200 OK. The key is immediately invalidated. Any subsequent requests using it will receive 401 Unauthorized.

Rotating an API Key

To rotate a key, create a new key pair with the same scopes, update your applications to use the new key, then revoke the old key.

 1# Step 1: Create a new key
 2curl -X POST "https://api.hola.cloud/v0/apikeys" \
 3  -H "X-Glue-Authentication: {\"user\":{\"id\":\"user-1234\"}}" \
 4  -H "Content-Type: application/json" \
 5  -d '{"name":"Rotated key","scopes":[{"projects":["project-123"],"host_rules":{"my-project.hola.cloud":"{}"}}]}'
 6
 7# Step 2: Update your application with the new Api-Key and Api-Secret
 8
 9# Step 3: Delete the old key
10curl -X DELETE "https://api.hola.cloud/v0/apikeys/OLD_API_KEY" \
11  -H "X-Glue-Authentication: {\"user\":{\"id\":\"user-1234\"}}"

How Services Validate Keys

Backend services do not validate API keys directly. Instead, Glue2 performs validation using the glueauth package:

  1. Glue2 extracts the Api-Key and Api-Secret headers from the request.
  2. It looks up the key record by the Api-Key UUID in InceptionDB.
  3. It compares the provided Api-Secret against the stored bcrypt hash.
  4. It verifies that the request matches the key's project and host rules.
  5. If valid, it injects the JSON X-Glue-Authentication header and forwards the request.
  6. If invalid, it returns 401 Unauthorized with an error message.

The backend service trusts the X-Glue-Authentication header and uses it for authorization decisions. It never needs to validate the original API key itself.

Security Recommendations

  • Treat Api-Secret like a password: Never log it, commit it to version control, or share it in insecure channels.
  • Use short-lived keys: Consider rotating keys every 90 days.
  • Scope restrictively: Start with the narrowest scopes and expand only as needed.
  • Monitor usage: Use the /v0/stats endpoint to monitor API key usage patterns.
  • Audit keys regularly: Delete unused keys to reduce the attack surface.

Comments

Leave a comment

Creating an API Key
Through the Console
Through the Serviceprojects API
Key Structure
Scoping
Using an API Key
Listing API Keys
Revoking an API Key
Rotating an API Key
How Services Validate Keys
Security Recommendations

Enterprise cloud software built for regulated and high-growth teams.

Solutions

Resources

Contact

© 2025 hola.cloud All rights reserved.