The SDK supports two authentication methods depending on your use case. For programmatic access (scripts, CI/CD, external integrations), use an API key. API keys are prefixed with trvh_sdk_ and can be passed in two ways:
curl -X POST https://<your-instance>/v1/sdk/import \
  -H "Authorization: Bearer trvh_sdk_abc123..." \
  -H "Content-Type: application/json" \
  -d '{ ... }'

Key format

Property         Value
Prefix           trvh_sdk_
Length           73 characters total (prefix + 64 hex chars)
Hash algorithm   SHA-256 (only the hash is stored server-side)
The full API key is shown only once when created. Store it securely — it cannot be retrieved later.

Key lifecycle

  • Keys have an optional expiresAt date. Expired keys are rejected automatically.
  • Keys can be revoked at any time via the Revoke API Key endpoint.
  • Each key is scoped to sdk:import permissions.
  • lastUsedAt is updated on every successful authentication.
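
The key format and lifecycle rules above, sketched as a hash-only verifier. This is an added example, not Tarvah's own code: the in-memory store, the function names, the reason strings and the lowercase-hex restriction are assumptions made for illustration, and the Redis cache is left out.

```python
import hashlib
import re
import secrets
from datetime import datetime, timezone

PREFIX = "trvh_sdk_"
# 9-char prefix + 64 hex chars = 73 characters (lowercase hex is an assumption)
KEY_RE = re.compile(r"trvh_sdk_[0-9a-f]{64}")


def _digest(key):
    # Only this SHA-256 hex digest is ever persisted, never the key itself.
    return hashlib.sha256(key.encode("ascii")).hexdigest()


def issue_key(store, expires_at=None):
    """Create a key, store its hash and metadata, return the key exactly once."""
    key = PREFIX + secrets.token_hex(32)  # 32 random bytes -> 64 hex chars
    store[_digest(key)] = {
        "expiresAt": expires_at,          # optional; None means no expiry
        "revoked": False,
        "scopes": ["sdk:import"],
        "lastUsedAt": None,
    }
    return key


def verify_key(store, presented, now=None):
    """Return (ok, reason) for the token taken from the Authorization header."""
    now = now or datetime.now(timezone.utc)
    if not isinstance(presented, str) or not KEY_RE.fullmatch(presented):
        return False, "malformed"         # reject before hashing or lookup
    record = store.get(_digest(presented))
    if record is None:
        return False, "unknown"
    if record["revoked"]:
        return False, "revoked"
    if record["expiresAt"] is not None and now >= record["expiresAt"]:
        return False, "expired"
    record["lastUsedAt"] = now            # updated only on successful auth
    return True, "ok"


def revoke_key(store, key):
    """Mark a key revoked; a caching layer would also drop its entry here."""
    store[_digest(key)]["revoked"] = True
```

Because the store is keyed by digest, a dump of it reveals no usable keys, which is also why a lost key has to be replaced rather than recovered.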

Redis caching

Validated keys are cached in Redis for performance. When a key is revoked, the cache is cleared immediately.

Browser Session Authentication

For calls made from the Tarvah frontend (e.g., the UI “Import” button), the SDK uses the standard session cookie + CSRF token:
  • Session: LASID cookie (JWT validated via Redis → MongoDB)
  • CSRF: CTN header must match the session token
  • Endpoint: POST /v1/sdk/import/:userId (userId comes from the session proxy)
Browser authentication is handled automatically by the frontend. Use API key authentication for all external integrations.