Managing API Keys
API keys are the primary method for machine-to-machine authentication with HolaCloud services. Each key consists of a UUID-based public identifier (Api-Key) and a UUID-based secret (Api-Secret). The secret is hashed with bcrypt and cannot be retrieved after creation.
Creating an API Key
Through the Console
- Log in to https://console.hola.cloud.
- Navigate to Settings > API Keys.
- Click Create API Key.
- Optionally set key scopes (projects and host rules).
- Click Create.
- Copy the Api-Key and Api-Secret immediately — the secret is shown only once.
Through the Serviceprojects API
API keys are managed by the serviceprojects API. Project creation is outside the current Glue2 API key documentation.
curl -X POST "https://api.hola.cloud/v0/apikeys" \
-H "X-Glue-Authentication: {\"user\":{\"id\":\"user-1234\"}}" \
-H "Content-Type: application/json" \
-d '{
"name": "CI/CD Key",
"scopes": [
{
"projects": ["project-123"],
"host_rules": {"my-project.hola.cloud": "{}"}
}
]
}'POST /v0/apikeys HTTP/1.1
Host: api.hola.cloud
X-Glue-Authentication: {"user":{"id":"user-1234"}}
Content-Type: application/json
{
"name": "CI/CD Key",
"scopes": [
{
"projects": ["project-123"],
"host_rules": {"my-project.hola.cloud": "{}"}
}
]
}package main
import (
"fmt"
"io"
"net/http"
"encoding/json"
"strings"
)
func main() {
payload := map[string]any{"name": "CI/CD Key", "scopes": []any{map[string]any{"host_rules": map[string]any{"my-project.hola.cloud": "{}"}, "projects": []any{"project-123"}}}}
bodyBytes, err := json.Marshal(payload)
if err != nil {
panic(err)
}
body := string(bodyBytes)
req, err := http.NewRequest("POST", "https://api.hola.cloud/v0/apikeys", strings.NewReader(body))
if err != nil {
panic(err)
}
req.Header.Set("X-Glue-Authentication", "{\"user\":{\"id\":\"user-1234\"}}")
req.Header.Set("Content-Type", "application/json")
resp, err := http.DefaultClient.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
responseBody, err := io.ReadAll(resp.Body)
if err != nil {
panic(err)
}
fmt.Println(string(responseBody))
}
<?php
$payload = ['name' => 'CI/CD Key', 'scopes' => [['host_rules' => ['my-project.hola.cloud' => '{}'], 'projects' => ['project-123']]]];
$body = json_encode($payload);
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => 'https://api.hola.cloud/v0/apikeys',
CURLOPT_RETURNTRANSFER => true,
CURLOPT_CUSTOMREQUEST => 'POST',
CURLOPT_POSTFIELDS => $body,
CURLOPT_HTTPHEADER => [
'X-Glue-Authentication: {"user":{"id":"user-1234"}}',
'Content-Type: application/json',
],
]);
$response = curl_exec($ch);
if ($response === false) {
throw new Exception(curl_error($ch));
}
curl_close($ch);
echo $response;
import requests
import json
headers = {
"X-Glue-Authentication": "{\"user\":{\"id\":\"user-1234\"}}",
"Content-Type": "application/json",
}
payload = {"name": "CI/CD Key", "scopes": [{"host_rules": {"my-project.hola.cloud": "{}"}, "projects": ["project-123"]}]}
body = json.dumps(payload)
response = requests.request(
"POST",
"https://api.hola.cloud/v0/apikeys",
headers=headers,
data=body
)
print(response.text)
const payload = {"name": "CI/CD Key", "scopes": [{"host_rules": {"my-project.hola.cloud": "{}"}, "projects": ["project-123"]}]};
const response = await fetch("https://api.hola.cloud/v0/apikeys", {
method: "POST",
headers: {
"X-Glue-Authentication": "{\"user\":{\"id\":\"user-1234\"}}",
"Content-Type": "application/json"
},
body: JSON.stringify(payload)
});
console.log(await response.text());
const payload = {"name": "CI/CD Key", "scopes": [{"host_rules": {"my-project.hola.cloud": "{}"}, "projects": ["project-123"]}]};
const response = await fetch("https://api.hola.cloud/v0/apikeys", {
method: "POST",
headers: {
"X-Glue-Authentication": "{\"user\":{\"id\":\"user-1234\"}}",
"Content-Type": "application/json"
},
body: JSON.stringify(payload)
});
const text = await response.text();
console.log(text);
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.Map;
import java.util.List;
public class Main {
public static void main(String[] args) throws Exception {
var payload = Map.of("name", "CI/CD Key", "scopes", List.of(Map.of("host_rules", Map.of("my-project.hola.cloud", "{}"), "projects", List.of("project-123"))));
var body = new ObjectMapper().writeValueAsString(payload);
var request = HttpRequest.newBuilder()
.uri(URI.create("https://api.hola.cloud/v0/apikeys"))
.method("POST", HttpRequest.BodyPublishers.ofString(body))
.header("X-Glue-Authentication", "{\"user\":{\"id\":\"user-1234\"}}")
.header("Content-Type", "application/json")
.build();
var response = HttpClient.newHttpClient().send(request, HttpResponse.BodyHandlers.ofString());
System.out.println(response.body());
}
}Expected response:
1{
2 "key": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
3 "secret": "f0e1d2c3-b4a5-6789-0fed-cba987654321",
4 "name": "CI/CD Key",
5 "scopes": [
6 {
7 "projects": ["project-123"],
8 "host_rules": {"my-project.hola.cloud": "{}"}
9 }
10 ]
11}
Key Structure
- Api-Key: UUID v4, acts as the public identifier for the key. Sent in the
Api-Keyheader. - Api-Secret: UUID v4, acts as the secret. Sent in the
Api-Secretheader. Stored as a bcrypt hash — HolaCloud cannot recover it if lost.
Scoping
API keys can be restricted to:
| Scope | Field | Example |
|---|---|---|
| Projects | projects |
["project-123"] |
| Host rules | host_rules |
{"my-project.hola.cloud": "{}"} |
Path and HTTP method scopes are not part of the current API key model.
Using an API Key
Once you have an Api-Key and Api-Secret, include them in all requests:
curl "https://my-project.hola.cloud/api/v0/lambdas" \
-H "Api-Key: a1b2c3d4-e5f6-7890-abcd-ef1234567890" \
-H "Api-Secret: f0e1d2c3-b4a5-6789-0fed-cba987654321"GET /api/v0/lambdas HTTP/1.1
Host: my-project.hola.cloud
Api-Key: a1b2c3d4-e5f6-7890-abcd-ef1234567890
Api-Secret: f0e1d2c3-b4a5-6789-0fed-cba987654321
package main
import (
"fmt"
"io"
"net/http"
)
func main() {
req, err := http.NewRequest("GET", "https://my-project.hola.cloud/api/v0/lambdas", nil)
if err != nil {
panic(err)
}
req.Header.Set("Api-Key", "a1b2c3d4-e5f6-7890-abcd-ef1234567890")
req.Header.Set("Api-Secret", "f0e1d2c3-b4a5-6789-0fed-cba987654321")
resp, err := http.DefaultClient.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
responseBody, err := io.ReadAll(resp.Body)
if err != nil {
panic(err)
}
fmt.Println(string(responseBody))
}
<?php
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => 'https://my-project.hola.cloud/api/v0/lambdas',
CURLOPT_RETURNTRANSFER => true,
CURLOPT_CUSTOMREQUEST => 'GET',
CURLOPT_HTTPHEADER => [
'Api-Key: a1b2c3d4-e5f6-7890-abcd-ef1234567890',
'Api-Secret: f0e1d2c3-b4a5-6789-0fed-cba987654321',
],
]);
$response = curl_exec($ch);
if ($response === false) {
throw new Exception(curl_error($ch));
}
curl_close($ch);
echo $response;
import requests
headers = {
"Api-Key": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"Api-Secret": "f0e1d2c3-b4a5-6789-0fed-cba987654321",
}
response = requests.request(
"GET",
"https://my-project.hola.cloud/api/v0/lambdas",
headers=headers
)
print(response.text)
const response = await fetch("https://my-project.hola.cloud/api/v0/lambdas", {
method: "GET",
headers: {
"Api-Key": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"Api-Secret": "f0e1d2c3-b4a5-6789-0fed-cba987654321"
}
});
console.log(await response.text());
const response = await fetch("https://my-project.hola.cloud/api/v0/lambdas", {
method: "GET",
headers: {
"Api-Key": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"Api-Secret": "f0e1d2c3-b4a5-6789-0fed-cba987654321"
}
});
const text = await response.text();
console.log(text);
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
public class Main {
public static void main(String[] args) throws Exception {
var request = HttpRequest.newBuilder()
.uri(URI.create("https://my-project.hola.cloud/api/v0/lambdas"))
.method("GET", HttpRequest.BodyPublishers.noBody())
.header("Api-Key", "a1b2c3d4-e5f6-7890-abcd-ef1234567890")
.header("Api-Secret", "f0e1d2c3-b4a5-6789-0fed-cba987654321")
.build();
var response = HttpClient.newHttpClient().send(request, HttpResponse.BodyHandlers.ofString());
System.out.println(response.body());
}
}Listing API Keys
curl "https://api.hola.cloud/v0/apikeys" \
-H "X-Glue-Authentication: {\"user\":{\"id\":\"user-1234\"}}"GET /v0/apikeys HTTP/1.1
Host: api.hola.cloud
X-Glue-Authentication: {"user":{"id":"user-1234"}}
package main
import (
"fmt"
"io"
"net/http"
)
func main() {
req, err := http.NewRequest("GET", "https://api.hola.cloud/v0/apikeys", nil)
if err != nil {
panic(err)
}
req.Header.Set("X-Glue-Authentication", "{\"user\":{\"id\":\"user-1234\"}}")
resp, err := http.DefaultClient.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
responseBody, err := io.ReadAll(resp.Body)
if err != nil {
panic(err)
}
fmt.Println(string(responseBody))
}
<?php
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => 'https://api.hola.cloud/v0/apikeys',
CURLOPT_RETURNTRANSFER => true,
CURLOPT_CUSTOMREQUEST => 'GET',
CURLOPT_HTTPHEADER => [
'X-Glue-Authentication: {"user":{"id":"user-1234"}}',
],
]);
$response = curl_exec($ch);
if ($response === false) {
throw new Exception(curl_error($ch));
}
curl_close($ch);
echo $response;
import requests
headers = {
"X-Glue-Authentication": "{\"user\":{\"id\":\"user-1234\"}}",
}
response = requests.request(
"GET",
"https://api.hola.cloud/v0/apikeys",
headers=headers
)
print(response.text)
const response = await fetch("https://api.hola.cloud/v0/apikeys", {
method: "GET",
headers: {
"X-Glue-Authentication": "{\"user\":{\"id\":\"user-1234\"}}"
}
});
console.log(await response.text());
const response = await fetch("https://api.hola.cloud/v0/apikeys", {
method: "GET",
headers: {
"X-Glue-Authentication": "{\"user\":{\"id\":\"user-1234\"}}"
}
});
const text = await response.text();
console.log(text);
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
public class Main {
public static void main(String[] args) throws Exception {
var request = HttpRequest.newBuilder()
.uri(URI.create("https://api.hola.cloud/v0/apikeys"))
.method("GET", HttpRequest.BodyPublishers.noBody())
.header("X-Glue-Authentication", "{\"user\":{\"id\":\"user-1234\"}}")
.build();
var response = HttpClient.newHttpClient().send(request, HttpResponse.BodyHandlers.ofString());
System.out.println(response.body());
}
}1{
2 "api_keys": [
3 {
4 "key": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
5 "name": "CI/CD Key",
6 "scopes": [{ "projects": ["project-123"], "host_rules": {"my-project.hola.cloud": "{}"} }]
7 }
8 ]
9}
Note: The api_secret is never returned in listing responses — it is only shown once at creation.
Revoking an API Key
curl -X DELETE "https://api.hola.cloud/v0/apikeys/a1b2c3d4-e5f6-7890-abcd-ef1234567890" \
-H "X-Glue-Authentication: {\"user\":{\"id\":\"user-1234\"}}"DELETE /v0/apikeys/a1b2c3d4-e5f6-7890-abcd-ef1234567890 HTTP/1.1
Host: api.hola.cloud
X-Glue-Authentication: {"user":{"id":"user-1234"}}
package main
import (
"fmt"
"io"
"net/http"
)
func main() {
req, err := http.NewRequest("DELETE", "https://api.hola.cloud/v0/apikeys/a1b2c3d4-e5f6-7890-abcd-ef1234567890", nil)
if err != nil {
panic(err)
}
req.Header.Set("X-Glue-Authentication", "{\"user\":{\"id\":\"user-1234\"}}")
resp, err := http.DefaultClient.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
responseBody, err := io.ReadAll(resp.Body)
if err != nil {
panic(err)
}
fmt.Println(string(responseBody))
}
<?php
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => 'https://api.hola.cloud/v0/apikeys/a1b2c3d4-e5f6-7890-abcd-ef1234567890',
CURLOPT_RETURNTRANSFER => true,
CURLOPT_CUSTOMREQUEST => 'DELETE',
CURLOPT_HTTPHEADER => [
'X-Glue-Authentication: {"user":{"id":"user-1234"}}',
],
]);
$response = curl_exec($ch);
if ($response === false) {
throw new Exception(curl_error($ch));
}
curl_close($ch);
echo $response;
import requests
headers = {
"X-Glue-Authentication": "{\"user\":{\"id\":\"user-1234\"}}",
}
response = requests.request(
"DELETE",
"https://api.hola.cloud/v0/apikeys/a1b2c3d4-e5f6-7890-abcd-ef1234567890",
headers=headers
)
print(response.text)
const response = await fetch("https://api.hola.cloud/v0/apikeys/a1b2c3d4-e5f6-7890-abcd-ef1234567890", {
method: "DELETE",
headers: {
"X-Glue-Authentication": "{\"user\":{\"id\":\"user-1234\"}}"
}
});
console.log(await response.text());
const response = await fetch("https://api.hola.cloud/v0/apikeys/a1b2c3d4-e5f6-7890-abcd-ef1234567890", {
method: "DELETE",
headers: {
"X-Glue-Authentication": "{\"user\":{\"id\":\"user-1234\"}}"
}
});
const text = await response.text();
console.log(text);
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
public class Main {
public static void main(String[] args) throws Exception {
var request = HttpRequest.newBuilder()
.uri(URI.create("https://api.hola.cloud/v0/apikeys/a1b2c3d4-e5f6-7890-abcd-ef1234567890"))
.method("DELETE", HttpRequest.BodyPublishers.noBody())
.header("X-Glue-Authentication", "{\"user\":{\"id\":\"user-1234\"}}")
.build();
var response = HttpClient.newHttpClient().send(request, HttpResponse.BodyHandlers.ofString());
System.out.println(response.body());
}
}A successful revocation returns 200 OK. The key is immediately invalidated. Any subsequent requests using it will receive 401 Unauthorized.
Rotating an API Key
To rotate a key, create a new key pair with the same scopes, update your applications to use the new key, then revoke the old key.
1# Step 1: Create a new key
2curl -X POST "https://api.hola.cloud/v0/apikeys" \
3 -H "X-Glue-Authentication: {\"user\":{\"id\":\"user-1234\"}}" \
4 -H "Content-Type: application/json" \
5 -d '{"name":"Rotated key","scopes":[{"projects":["project-123"],"host_rules":{"my-project.hola.cloud":"{}"}}]}'
6
7# Step 2: Update your application with the new Api-Key and Api-Secret
8
9# Step 3: Delete the old key
10curl -X DELETE "https://api.hola.cloud/v0/apikeys/OLD_API_KEY" \
11 -H "X-Glue-Authentication: {\"user\":{\"id\":\"user-1234\"}}"
How Services Validate Keys
Backend services do not validate API keys directly. Instead, Glue2 performs validation using the glueauth package:
- Glue2 extracts the
Api-KeyandApi-Secretheaders from the request. - It looks up the key record by the Api-Key UUID in InceptionDB.
- It compares the provided Api-Secret against the stored bcrypt hash.
- It verifies that the request matches the key's project and host rules.
- If valid, it injects the JSON
X-Glue-Authenticationheader and forwards the request. - If invalid, it returns
401 Unauthorizedwith an error message.
The backend service trusts the X-Glue-Authentication header and uses it for authorization decisions. It never needs to validate the original API key itself.
Security Recommendations
- Treat Api-Secret like a password: Never log it, commit it to version control, or share it in insecure channels.
- Use short-lived keys: Consider rotating keys every 90 days.
- Scope restrictively: Start with the narrowest scopes and expand only as needed.
- Monitor usage: Use the
/v0/statsendpoint to monitor API key usage patterns. - Audit keys regularly: Delete unused keys to reduce the attack surface.
Comments