Authorization header
with a Bearer token issued from the dashboard. There’s no OAuth flow,
no per-request signing — just one header, one key.
Where to get a key
verseodin.com/dashboard/settings/api-keys → Generate key. The plaintext key is shown exactly once in the modal. Copy it, store it somewhere your app can read it (env var, secrets manager), then dismiss the modal. If you lose it, revoke and generate a new one — there’s no way to recover the original.
One key, two surfaces
The same vso_… key authorises:
- The REST API documented here (https://verseodin.com/api/v1/*)
- The Verseodin Claude / MCP connector
What the key authorises
A key is bound to the user who generated it. It can read:
- Every universe owned by that user
- Every history row, prompt, and metric belonging to those universes
It cannot:
- Modify any data (the API is GET-only)
- Read other users’ universes (each request goes through ownership verification)
- Issue new keys, change account settings, or do anything outside the data-read scope
Key rotation playbook
If you suspect a key is leaked (committed to git, leaked in logs, copy-pasted into a chat):
The order matters — revoke the old key only after every consumer is on the new one, otherwise you’ll see traffic fail in between.
Failure modes
| Scenario | Response |
|---|---|
| Missing Authorization header | 401 authentication_error — “Missing or malformed Authorization header.” |
| Header present but doesn’t start with Bearer | 401 authentication_error |
| Key not in our table (typo, fake key) | 401 authentication_error — “invalid or missing api key” |
| Key was revoked | 401 authentication_error |
| Key exists and is valid → owns the universe | 200 (assuming filters are valid) |
| Key exists and is valid but doesn’t own the requested universe | 403 permission_error — “access denied: this universe does not belong to your account” |
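The storage advice under "Where to get a key", the log-leak case in the rotation playbook, and the 401/403 split in the table above can be handled together on the client side. The following is an added example, not Verseodin's own code; the environment variable name `VERSEODIN_API_KEY`, the helper names, and the key alphabet after the `vso_` prefix are assumptions.

```python
import logging
import os
import re

# Assumption: the page documents only the "vso_" prefix, not the key alphabet
# or length; URL-safe characters are assumed here.
KEY_RE = re.compile(r"vso_[A-Za-z0-9_\-]+")


def redact(text: str) -> str:
    """Replace anything that looks like a vso_ key, keeping only the prefix."""
    return KEY_RE.sub("vso_[REDACTED]", text)


class RedactKeys(logging.Filter):
    """Scrub keys from the fully formatted message.

    Attach it to a handler (not a logger) so it sees every record that
    handler emits, including records from child loggers.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # message is already formatted
        return True


def auth_headers(env=os.environ) -> dict:
    """Build the single Authorization header from an environment variable."""
    key = env.get("VERSEODIN_API_KEY", "").strip()  # hypothetical variable name
    if not key.startswith("vso_"):
        raise RuntimeError("VERSEODIN_API_KEY is unset or is not a vso_ key")
    return {"Authorization": f"Bearer {key}"}


def next_step(status: int) -> str:
    """Map the documented status codes to what the caller should do."""
    if status == 200:
        return "ok"
    if status == 401:
        # Missing/malformed header, unknown key, or revoked key: retrying
        # with the same key cannot succeed.
        return "fix-or-rotate-key"
    if status == 403:
        # The key is valid; the requested universe belongs to another account.
        return "check-universe-ownership"
    return "unexpected"
```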