Skip to content
RVO Documentation

Authentication

All requests to RVO must be authenticated using an API key.

Authentication is explicit, deterministic, and enforced on every request. There is no session-based authentication, no IP-based trust, and no implicit access.

Authentication method

Section titled “Authentication method”

RVO authenticates requests using a single HTTP header:

X-API-KEY: your_api_key_here

This header must be included with every RPC request.

Requests that are missing the header, contain an invalid key, or reference a revoked key are rejected immediately.

What authentication controls

Section titled “What authentication controls”

The API key determines:

  • Whether the request is accepted
  • Which plan limits apply
  • How usage is counted
  • How rate limits are enforced
  • How errors are attributed

RVO does not use:

  • Bearer tokens
  • OAuth flows
  • Cookies or sessions
  • IP-based identification

Only the API key defines request identity and behavior.

Example authenticated request

Section titled “Example authenticated request”

Example JSON-RPC request using curl:

Terminal window
curl -X POST https://solana-mainnet.rvo.network \
  -H "Content-Type: application/json" \
  -H "X-API-KEY: YOUR_API_KEY" \
  -d '{
    "jsonrpc": "2.0",
    "id": 1,
    "method": "getHealth"
  }'

If authentication succeeds, the request is processed normally. If authentication fails, an error response is returned immediately.

Authentication failures

Section titled “Authentication failures”

Authentication can fail for the following reasons:

  • Missing X-API-KEY header
  • Invalid or malformed API key
  • Revoked API key
  • API key not associated with an active plan

Authentication errors are returned deterministically and do not consume request quota.

For details on error responses and status codes, see Errors & Retries.

Security considerations

Section titled “Security considerations”
  • Treat API keys as secrets
  • Do not embed keys in client-side applications
  • Store keys using environment variables or secret managers
  • Use separate keys for different environments and services

RVO does not support scoped or partially privileged keys. Access control is enforced exclusively through key isolation and limits.

What’s next

Section titled “What’s next”

To understand how authenticated requests are limited and counted, continue with:

  • API Keys – managing, rotating, and revoking keys
  • Limits & Quotas – how rate limits are enforced
  • Errors & Retries – handling authentication failures correctly