Key types
| Key type | Prefix | Send as | Use for | Do not use for |
|---|---|---|---|---|
| Agent SDK key | pv_live_* | X-Pylva-Key | Live agent and app runtimes that send telemetry, sync rules, fetch pricing, and reconcile budgets. | Dashboard/admin mutations or import jobs. |
| Admin API key | pv_live_* | X-Pylva-Key | Server-side automation that manages project settings such as custom pricing and admin mutations. | Frontend code, SDK telemetry, or bulk import jobs. |
| Data import key | pv_cli_* | Authorization: Bearer $PYLVA_CLI_KEY | CLI/import jobs, currently including cost-source import through POST /api/v1/cost-sources. | SDK telemetry or admin mutations. |
Endpoint families
Agent SDK keys cover the SDK-facing API: Admin API keys cover elevated server-side management: Data import keys cover import/CLI jobs:Permission model
Key prefixes identify the key format, but they do not fully describe permissions. Both Agent SDK keys and Admin API keys use thepv_live_* prefix. Pylva checks the key type/scope on every request and returns 403 WRONG_SCOPE when a valid key is used with the wrong endpoint family.
Recommended environment variables:
| Key type | Environment variable |
|---|---|
| Agent SDK key | PYLVA_API_KEY |
| Admin API key | PYLVA_ADMIN_API_KEY |
| Data import key | PYLVA_CLI_KEY |
Security
- Store every key in a backend secret store.
- Never expose Pylva keys in browser code, mobile apps, prompts, completions, logs, or telemetry metadata.
- The plaintext key is shown once when created.
- Pylva stores one-way verification hashes for API keys, not the plaintext key.
- Rotate or revoke a key from Settings -> API keys if it is exposed.
- Create Admin API keys sparingly because they can mutate elevated project settings.