Every Public API request must include the API key as the value of the x-api-key HTTP header. Keys are tenant-scoped: a key issued to Partner A cannot read Partner B’s data.

Sending the key

GET /v1/health HTTP/1.1
Host: connect.provisionapp.io
x-api-key: … (your key here)

Sending the key via Authorization: Bearer … is not supported. Sending no key returns 403 Forbidden. Sending a key the gateway does not recognise also returns 403 Forbidden.

Getting a key

Keys are issued by the OneVision Resources support team; there is no self-service option. Email support@onevisionresources.com with:
  1. The partner the key is for.
  2. The environment (UAT first, then Production).
  3. A short description of what your integration will do — this informs which operation scopes we attach to the key.
  4. A contact who should be notified about deprecations and outages.

You will receive the key value in a one-time secret link. Store it in your secret manager; the OneVision team cannot retrieve a lost key, but can issue a replacement and revoke the old one.

Rotation and revocation

To rotate a key, request a new key first, deploy it to your integration, then ask support to revoke the old key. To revoke a leaked key immediately, email support with the prefix of the key (the first eight characters) and the words “REVOKE NOW” in the subject line.
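
A client-side sketch of the header rule and the rotation order described above, added here as an example and not taken from the OneVision documentation or SDK. The function names, the injectable `opener` parameter, and the use of /v1/health as the acceptance probe are assumptions; only the host, the header name and the 403 behaviour come from this page.

```python
import urllib.error
import urllib.request

BASE_URL = "https://connect.provisionapp.io"  # host from the sample request


def key_prefix(key: str) -> str:
    """First eight characters: enough to name a key to support, safe to log."""
    return key[:8]


def build_request(path: str, key: str) -> urllib.request.Request:
    """Build a GET carrying the key in x-api-key (Bearer is not supported)."""
    if not key or key != key.strip() or "\n" in key or "\r" in key:
        # A stray newline copied from a secrets file would corrupt the header.
        raise ValueError("API key is empty or has stray whitespace")
    return urllib.request.Request(
        BASE_URL + path, headers={"x-api-key": key}, method="GET"
    )


def key_accepted(key: str, opener=urllib.request.urlopen) -> bool:
    """True if /v1/health accepts the key, False on 403.

    403 covers both "no key" and "key not recognised", so the status alone
    cannot tell them apart. Any other HTTP error propagates to the caller.
    """
    try:
        with opener(build_request("/v1/health", key), timeout=10) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError as err:
        if err.code == 403:
            return False
        raise


def rotation_step(old_key: str, new_key: str, opener=urllib.request.urlopen) -> str:
    """Say whether the old key can be revoked, mentioning prefixes only.

    Naming the old key by its prefix is an assumption carried over from the
    page's instructions for revoking a leaked key.
    """
    if key_accepted(new_key, opener):
        return (f"new key {key_prefix(new_key)} accepted; "
                f"ask support to revoke old key {key_prefix(old_key)}")
    return f"new key {key_prefix(new_key)} rejected with 403; keep the old key active"
```

Run `rotation_step` after the new key has been deployed; the returned message is safe to write to logs because it never contains more than the eight-character prefixes.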

What the key proves

A valid key proves three things to the API:
  1. Tenancy. The key is bound to a partnerId in our internal database, and that is the only tenant the request can read or write.
  2. Allowed operations. The key carries a list of operation scopes (for example conversation:read) that gate each endpoint — see Permissions.
  3. Throttle bucket. The key counts against a per-key rate limit enforced at the API gateway — see Rate limits.