Managing API Keys

API keys are the primary method for machine-to-machine authentication with HolaCloud services. Each key consists of a UUID-based public identifier (Api-Key) and a UUID-based secret (Api-Secret). The secret is hashed with bcrypt and cannot be retrieved after creation.

Creating an API Key

Through the Console

  1. Log in to https://console.hola.cloud.
  2. Navigate to Settings > API Keys.
  3. Click Create API Key.
  4. Optionally set key scopes (projects and host rules).
  5. Click Create.
  6. Copy the Api-Key and Api-Secret immediately — the secret is shown only once.

Through the Serviceprojects API

API keys are managed by the serviceprojects API. Project creation is outside the current Glue2 API key documentation.

curl -X POST "https://api.hola.cloud/v0/apikeys" \
  -H "X-Glue-Authentication: {\"user\":{\"id\":\"user-1234\"}}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "CI/CD Key",
    "scopes": [
      {
        "projects": ["project-123"],
        "host_rules": {"my-project.hola.cloud": "{}"}
      }
    ]
  }'
POST /v0/apikeys HTTP/1.1
Host: api.hola.cloud
X-Glue-Authentication: {"user":{"id":"user-1234"}}
Content-Type: application/json

{
    "name": "CI/CD Key",
    "scopes": [
      {
        "projects": ["project-123"],
        "host_rules": {"my-project.hola.cloud": "{}"}
      }
    ]
  }
package main

import (
	"fmt"
	"io"
	"net/http"
	"encoding/json"
	"strings"
)

func main() {
	payload := map[string]any{"name": "CI/CD Key", "scopes": []any{map[string]any{"host_rules": map[string]any{"my-project.hola.cloud": "{}"}, "projects": []any{"project-123"}}}}
	bodyBytes, err := json.Marshal(payload)
	if err != nil {
		panic(err)
	}
	body := string(bodyBytes)

	req, err := http.NewRequest("POST", "https://api.hola.cloud/v0/apikeys", strings.NewReader(body))
	if err != nil {
		panic(err)
	}
	req.Header.Set("X-Glue-Authentication", "{\"user\":{\"id\":\"user-1234\"}}")
	req.Header.Set("Content-Type", "application/json")

	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()

	responseBody, err := io.ReadAll(resp.Body)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(responseBody))
}
<?php
$payload = ['name' => 'CI/CD Key', 'scopes' => [['host_rules' => ['my-project.hola.cloud' => '{}'], 'projects' => ['project-123']]]];
$body = json_encode($payload);

$ch = curl_init();

curl_setopt_array($ch, [
    CURLOPT_URL => 'https://api.hola.cloud/v0/apikeys',
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_CUSTOMREQUEST => 'POST',
    CURLOPT_POSTFIELDS => $body,
    CURLOPT_HTTPHEADER => [
        'X-Glue-Authentication: {"user":{"id":"user-1234"}}',
        'Content-Type: application/json',
    ],
]);

$response = curl_exec($ch);
if ($response === false) {
    throw new Exception(curl_error($ch));
}
curl_close($ch);

echo $response;
import requests

import json

headers = {
    "X-Glue-Authentication": "{\"user\":{\"id\":\"user-1234\"}}",
    "Content-Type": "application/json",
}

payload = {"name": "CI/CD Key", "scopes": [{"host_rules": {"my-project.hola.cloud": "{}"}, "projects": ["project-123"]}]}
body = json.dumps(payload)

response = requests.request(
    "POST",
    "https://api.hola.cloud/v0/apikeys",
    headers=headers,
    data=body
)

print(response.text)
const payload = {"name": "CI/CD Key", "scopes": [{"host_rules": {"my-project.hola.cloud": "{}"}, "projects": ["project-123"]}]};

const response = await fetch("https://api.hola.cloud/v0/apikeys", {
  method: "POST",
  headers: {
    "X-Glue-Authentication": "{\"user\":{\"id\":\"user-1234\"}}",
    "Content-Type": "application/json"
  },
  body: JSON.stringify(payload)
});

console.log(await response.text());
const payload = {"name": "CI/CD Key", "scopes": [{"host_rules": {"my-project.hola.cloud": "{}"}, "projects": ["project-123"]}]};

const response = await fetch("https://api.hola.cloud/v0/apikeys", {
  method: "POST",
  headers: {
    "X-Glue-Authentication": "{\"user\":{\"id\":\"user-1234\"}}",
    "Content-Type": "application/json"
  },
  body: JSON.stringify(payload)
});

const text = await response.text();
console.log(text);
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.Map;
import java.util.List;

public class Main {
    public static void main(String[] args) throws Exception {
        var payload = Map.of("name", "CI/CD Key", "scopes", List.of(Map.of("host_rules", Map.of("my-project.hola.cloud", "{}"), "projects", List.of("project-123"))));
        var body = new ObjectMapper().writeValueAsString(payload);

        var request = HttpRequest.newBuilder()
            .uri(URI.create("https://api.hola.cloud/v0/apikeys"))
            .method("POST", HttpRequest.BodyPublishers.ofString(body))
            .header("X-Glue-Authentication", "{\"user\":{\"id\":\"user-1234\"}}")
            .header("Content-Type", "application/json")
            .build();

        var response = HttpClient.newHttpClient().send(request, HttpResponse.BodyHandlers.ofString());
        System.out.println(response.body());
    }
}

Expected response:

 1{
 2  "key": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
 3  "secret": "f0e1d2c3-b4a5-6789-0fed-cba987654321",
 4  "name": "CI/CD Key",
 5  "scopes": [
 6    {
 7      "projects": ["project-123"],
 8      "host_rules": {"my-project.hola.cloud": "{}"}
 9    }
10  ]
11}

Key Structure

  • Api-Key: UUID v4, acts as the public identifier for the key. Sent in the Api-Key header.
  • Api-Secret: UUID v4, acts as the secret. Sent in the Api-Secret header. Stored as a bcrypt hash — HolaCloud cannot recover it if lost.

Scoping

API keys can be restricted to:

Scope Field Example
Projects projects ["project-123"]
Host rules host_rules {"my-project.hola.cloud": "{}"}

Path and HTTP method scopes are not part of the current API key model.

Using an API Key

Once you have an Api-Key and Api-Secret, include them in all requests:

curl "https://my-project.hola.cloud/api/v0/lambdas" \
  -H "Api-Key: a1b2c3d4-e5f6-7890-abcd-ef1234567890" \
  -H "Api-Secret: f0e1d2c3-b4a5-6789-0fed-cba987654321"
GET /api/v0/lambdas HTTP/1.1
Host: my-project.hola.cloud
Api-Key: a1b2c3d4-e5f6-7890-abcd-ef1234567890
Api-Secret: f0e1d2c3-b4a5-6789-0fed-cba987654321
package main

import (
	"fmt"
	"io"
	"net/http"
)

func main() {
	req, err := http.NewRequest("GET", "https://my-project.hola.cloud/api/v0/lambdas", nil)
	if err != nil {
		panic(err)
	}
	req.Header.Set("Api-Key", "a1b2c3d4-e5f6-7890-abcd-ef1234567890")
	req.Header.Set("Api-Secret", "f0e1d2c3-b4a5-6789-0fed-cba987654321")

	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()

	responseBody, err := io.ReadAll(resp.Body)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(responseBody))
}
<?php
$ch = curl_init();

curl_setopt_array($ch, [
    CURLOPT_URL => 'https://my-project.hola.cloud/api/v0/lambdas',
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_CUSTOMREQUEST => 'GET',
    CURLOPT_HTTPHEADER => [
        'Api-Key: a1b2c3d4-e5f6-7890-abcd-ef1234567890',
        'Api-Secret: f0e1d2c3-b4a5-6789-0fed-cba987654321',
    ],
]);

$response = curl_exec($ch);
if ($response === false) {
    throw new Exception(curl_error($ch));
}
curl_close($ch);

echo $response;
import requests

headers = {
    "Api-Key": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "Api-Secret": "f0e1d2c3-b4a5-6789-0fed-cba987654321",
}

response = requests.request(
    "GET",
    "https://my-project.hola.cloud/api/v0/lambdas",
    headers=headers
)

print(response.text)
const response = await fetch("https://my-project.hola.cloud/api/v0/lambdas", {
  method: "GET",
  headers: {
    "Api-Key": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "Api-Secret": "f0e1d2c3-b4a5-6789-0fed-cba987654321"
  }
});

console.log(await response.text());
const response = await fetch("https://my-project.hola.cloud/api/v0/lambdas", {
  method: "GET",
  headers: {
    "Api-Key": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "Api-Secret": "f0e1d2c3-b4a5-6789-0fed-cba987654321"
  }
});

const text = await response.text();
console.log(text);
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;

public class Main {
    public static void main(String[] args) throws Exception {
        var request = HttpRequest.newBuilder()
            .uri(URI.create("https://my-project.hola.cloud/api/v0/lambdas"))
            .method("GET", HttpRequest.BodyPublishers.noBody())
            .header("Api-Key", "a1b2c3d4-e5f6-7890-abcd-ef1234567890")
            .header("Api-Secret", "f0e1d2c3-b4a5-6789-0fed-cba987654321")
            .build();

        var response = HttpClient.newHttpClient().send(request, HttpResponse.BodyHandlers.ofString());
        System.out.println(response.body());
    }
}

Listing API Keys

curl "https://api.hola.cloud/v0/apikeys" \
  -H "X-Glue-Authentication: {\"user\":{\"id\":\"user-1234\"}}"
GET /v0/apikeys HTTP/1.1
Host: api.hola.cloud
X-Glue-Authentication: {"user":{"id":"user-1234"}}
package main

import (
	"fmt"
	"io"
	"net/http"
)

func main() {
	req, err := http.NewRequest("GET", "https://api.hola.cloud/v0/apikeys", nil)
	if err != nil {
		panic(err)
	}
	req.Header.Set("X-Glue-Authentication", "{\"user\":{\"id\":\"user-1234\"}}")

	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()

	responseBody, err := io.ReadAll(resp.Body)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(responseBody))
}
<?php
$ch = curl_init();

curl_setopt_array($ch, [
    CURLOPT_URL => 'https://api.hola.cloud/v0/apikeys',
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_CUSTOMREQUEST => 'GET',
    CURLOPT_HTTPHEADER => [
        'X-Glue-Authentication: {"user":{"id":"user-1234"}}',
    ],
]);

$response = curl_exec($ch);
if ($response === false) {
    throw new Exception(curl_error($ch));
}
curl_close($ch);

echo $response;
import requests

headers = {
    "X-Glue-Authentication": "{\"user\":{\"id\":\"user-1234\"}}",
}

response = requests.request(
    "GET",
    "https://api.hola.cloud/v0/apikeys",
    headers=headers
)

print(response.text)
const response = await fetch("https://api.hola.cloud/v0/apikeys", {
  method: "GET",
  headers: {
    "X-Glue-Authentication": "{\"user\":{\"id\":\"user-1234\"}}"
  }
});

console.log(await response.text());
const response = await fetch("https://api.hola.cloud/v0/apikeys", {
  method: "GET",
  headers: {
    "X-Glue-Authentication": "{\"user\":{\"id\":\"user-1234\"}}"
  }
});

const text = await response.text();
console.log(text);
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;

public class Main {
    public static void main(String[] args) throws Exception {
        var request = HttpRequest.newBuilder()
            .uri(URI.create("https://api.hola.cloud/v0/apikeys"))
            .method("GET", HttpRequest.BodyPublishers.noBody())
            .header("X-Glue-Authentication", "{\"user\":{\"id\":\"user-1234\"}}")
            .build();

        var response = HttpClient.newHttpClient().send(request, HttpResponse.BodyHandlers.ofString());
        System.out.println(response.body());
    }
}
1{
2  "api_keys": [
3    {
4      "key": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
5      "name": "CI/CD Key",
6      "scopes": [{ "projects": ["project-123"], "host_rules": {"my-project.hola.cloud": "{}"} }]
7    }
8  ]
9}

Note: The api_secret is never returned in listing responses — it is only shown once at creation.

Revoking an API Key

curl -X DELETE "https://api.hola.cloud/v0/apikeys/a1b2c3d4-e5f6-7890-abcd-ef1234567890" \
  -H "X-Glue-Authentication: {\"user\":{\"id\":\"user-1234\"}}"
DELETE /v0/apikeys/a1b2c3d4-e5f6-7890-abcd-ef1234567890 HTTP/1.1
Host: api.hola.cloud
X-Glue-Authentication: {"user":{"id":"user-1234"}}
package main

import (
	"fmt"
	"io"
	"net/http"
)

func main() {
	req, err := http.NewRequest("DELETE", "https://api.hola.cloud/v0/apikeys/a1b2c3d4-e5f6-7890-abcd-ef1234567890", nil)
	if err != nil {
		panic(err)
	}
	req.Header.Set("X-Glue-Authentication", "{\"user\":{\"id\":\"user-1234\"}}")

	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()

	responseBody, err := io.ReadAll(resp.Body)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(responseBody))
}
<?php
$ch = curl_init();

curl_setopt_array($ch, [
    CURLOPT_URL => 'https://api.hola.cloud/v0/apikeys/a1b2c3d4-e5f6-7890-abcd-ef1234567890',
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_CUSTOMREQUEST => 'DELETE',
    CURLOPT_HTTPHEADER => [
        'X-Glue-Authentication: {"user":{"id":"user-1234"}}',
    ],
]);

$response = curl_exec($ch);
if ($response === false) {
    throw new Exception(curl_error($ch));
}
curl_close($ch);

echo $response;
import requests

headers = {
    "X-Glue-Authentication": "{\"user\":{\"id\":\"user-1234\"}}",
}

response = requests.request(
    "DELETE",
    "https://api.hola.cloud/v0/apikeys/a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    headers=headers
)

print(response.text)
const response = await fetch("https://api.hola.cloud/v0/apikeys/a1b2c3d4-e5f6-7890-abcd-ef1234567890", {
  method: "DELETE",
  headers: {
    "X-Glue-Authentication": "{\"user\":{\"id\":\"user-1234\"}}"
  }
});

console.log(await response.text());
const response = await fetch("https://api.hola.cloud/v0/apikeys/a1b2c3d4-e5f6-7890-abcd-ef1234567890", {
  method: "DELETE",
  headers: {
    "X-Glue-Authentication": "{\"user\":{\"id\":\"user-1234\"}}"
  }
});

const text = await response.text();
console.log(text);
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;

public class Main {
    public static void main(String[] args) throws Exception {
        var request = HttpRequest.newBuilder()
            .uri(URI.create("https://api.hola.cloud/v0/apikeys/a1b2c3d4-e5f6-7890-abcd-ef1234567890"))
            .method("DELETE", HttpRequest.BodyPublishers.noBody())
            .header("X-Glue-Authentication", "{\"user\":{\"id\":\"user-1234\"}}")
            .build();

        var response = HttpClient.newHttpClient().send(request, HttpResponse.BodyHandlers.ofString());
        System.out.println(response.body());
    }
}

A successful revocation returns 200 OK. The key is immediately invalidated. Any subsequent requests using it will receive 401 Unauthorized.

Rotating an API Key

To rotate a key, create a new key pair with the same scopes, update your applications to use the new key, then revoke the old key.

 1# Step 1: Create a new key
 2curl -X POST "https://api.hola.cloud/v0/apikeys" \
 3  -H "X-Glue-Authentication: {\"user\":{\"id\":\"user-1234\"}}" \
 4  -H "Content-Type: application/json" \
 5  -d '{"name":"Rotated key","scopes":[{"projects":["project-123"],"host_rules":{"my-project.hola.cloud":"{}"}}]}'
 6
 7# Step 2: Update your application with the new Api-Key and Api-Secret
 8
 9# Step 3: Delete the old key
10curl -X DELETE "https://api.hola.cloud/v0/apikeys/OLD_API_KEY" \
11  -H "X-Glue-Authentication: {\"user\":{\"id\":\"user-1234\"}}"

How Services Validate Keys

Backend services do not validate API keys directly. Instead, Glue2 performs validation using the glueauth package:

  1. Glue2 extracts the Api-Key and Api-Secret headers from the request.
  2. It looks up the key record by the Api-Key UUID in InceptionDB.
  3. It compares the provided Api-Secret against the stored bcrypt hash.
  4. It verifies that the request matches the key's project and host rules.
  5. If valid, it injects the JSON X-Glue-Authentication header and forwards the request.
  6. If invalid, it returns 401 Unauthorized with an error message.

The backend service trusts the X-Glue-Authentication header and uses it for authorization decisions. It never needs to validate the original API key itself.

Security Recommendations

  • Treat Api-Secret like a password: Never log it, commit it to version control, or share it in insecure channels.
  • Use short-lived keys: Consider rotating keys every 90 days.
  • Scope restrictively: Start with the narrowest scopes and expand only as needed.
  • Monitor usage: Use the /v0/stats endpoint to monitor API key usage patterns.
  • Audit keys regularly: Delete unused keys to reduce the attack surface.

Comments

Leave a comment