Authentication
The public Corvo API uses Bearer API keys. Keys resolve to a user and organization, and every shipment you create belongs to that organization.
Bearer token
Pass your API key in the Authorization header as a Bearer token.
curl https://corvo.to/api/v1/shipments \
-H "Authorization: Bearer $CORVO_API_KEY"Key prefixes reflect environment
Corvo chooses the prefix when the key is created. You do not create separate test and live keys inside the same environment.
Prefix reference
| Name | Type | Required | Description |
|---|---|---|---|
| sk_test_ | string | No | Prefix used outside production. Local development and non-production deployments generate keys with this prefix. |
| sk_live_ | string | No | Prefix used in production (`CORVO_ENV=production`). |
Creating API keys
Create and revoke API keys in the Corvo dashboard under Settings > API Keys. You must be an org admin to manage keys.
The full secret is shown once at creation time. Corvo stores only a hash of the key, so it cannot be retrieved later.
Security practices
- Use dedicated keys per integration. That makes rotation and incident response easier.
- Rotate keys before you revoke old ones. Corvo lets you overlap keys so you can deploy safely.
- Keep billing configured in the dashboard. The public REST API buys shipments off-session against the organization card already on file.
- Use environment variables or a secret manager. Do not hard-code keys into your repository.
Error responses
Missing credentials typically return UNAUTHORIZED. Invalid or revoked keys return INVALID_API_KEY. Shipment creation can also return EMAIL_NOT_VERIFIED if the user behind the key has not verified their email address.
{
"error": {
"message": "Invalid API key",
"code": "INVALID_API_KEY"
}
}{
"error": {
"message": "Please verify your email address before creating shipments",
"code": "EMAIL_NOT_VERIFIED"
}
}