Every request to the Asva AI API must be authenticated. Authentication uses API keys issued per workspace — there are no per-user keys, no OAuth flows, and no session cookies. You pass your key as a Bearer token in the Authorization header on every request. The API validates the key, checks your rate limit, and then processes your request.

Get an API key

API keys are issued per workspace. To get yours:
  1. Visit asva-ai.com/get-help and book a call
  2. Or email hello@asva-ai.com with the subject line “API Access”
Your key will arrive in the format asva_live_...
Keep your API key secret. Never commit it to version control or expose it in client-side JavaScript. Store it as an environment variable and access it server-side only.

Pass your API key

Include your key as a Bearer token in the Authorization header on every request:
curl -X POST https://asva-ai.com/api/audit \
  -H "Authorization: Bearer $ASVA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"domain": "yourstore.com"}'

Base URL

All API endpoints use:
https://asva-ai.com/api
There is no separate staging or sandbox URL. To test without side effects, pass dry_run: true in the request body — the API returns a valid response using cached data without re-fetching or writing anything.

Error responses

| Status | Error code | Description |
| --- | --- | --- |
| 401 | unauthorized | Missing or invalid API key |
| 403 | forbidden | API key is valid but lacks permission for this resource |
| 429 | rate_limited | Too many requests — see rate limits below |
401 response example:
{
  "error": {
    "code": "unauthorized",
    "message": "Invalid or missing API key. Pass your key as: Authorization: Bearer asva_live_..."
  }
}

Rate limits

| Endpoint | Limit |
| --- | --- |
| POST /api/audit | 60 requests / hour |
| POST /api/manifest | 100 requests / hour |
| POST /api/report | 1,000 requests / hour |
Rate limit headers are returned on every response:
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 47
X-RateLimit-Reset: 1744281600
X-RateLimit-Reset is a Unix timestamp. Wait until that time before retrying after a 429. If you are running batch jobs (for example, auditing multiple client domains), spread requests across the hour rather than bursting all at once.
If you need higher rate limits for agency batch workflows, mention it when you book your onboarding call.
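The authentication and 429 handling described above, as an added Python example (not Asva's own code or SDK): it sends the key as a Bearer token, waits until X-RateLimit-Reset before retrying a 429, and fails fast on 401/403 without ever echoing the key. Assumptions: the 60-second fallback, the retry count, error bodies for 403/429 shaped like the 401 example, and the constructed responses in the demo.

```python
import json, os, time, urllib.error, urllib.request

BASE_URL = "https://asva-ai.com/api"   # base URL given on this page
DEFAULT_WAIT = 60.0                    # assumption: fallback when the reset header is unusable

def seconds_until_reset(headers, now):
    """Seconds to wait after a 429, from X-RateLimit-Reset (a Unix timestamp)."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    try:
        reset = float(lowered["x-ratelimit-reset"])
    except (KeyError, ValueError):
        return DEFAULT_WAIT
    return max(0.0, reset - now)       # a reset already in the past means retry now

def send(path, body, api_key):
    """POST JSON with the key as a Bearer token; returns (status, headers, json_body)."""
    req = urllib.request.Request(
        BASE_URL + path, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), json.load(resp)
    except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx
        return err.code, dict(err.headers), json.loads(err.read() or b"{}")

def audit(domain, api_key, transport=send, sleep=time.sleep, now=time.time, max_retries=3):
    """Dry-run audit that waits out 429s and fails fast on other errors."""
    body = {"domain": domain, "dry_run": True}
    for _ in range(max_retries + 1):
        status, headers, payload = transport("/audit", body, api_key)
        if status == 429:
            sleep(seconds_until_reset(headers, now()))
            continue
        if status >= 400:
            # Retrying cannot fix a bad key; report the error code, never the key itself.
            code = payload.get("error", {}).get("code", str(status))
            raise PermissionError(code) if status in (401, 403) else RuntimeError(code)
        return payload
    raise RuntimeError("still rate limited after retries")

if __name__ == "__main__":
    # Constructed responses (not real API output): one 429, then a success.
    replies = iter([(429, {"X-RateLimit-Reset": "1744281600"}, {}),
                    (200, {}, {"ok": True})])
    print(audit("yourstore.com", os.environ.get("ASVA_API_KEY", ""),
                transport=lambda *a: next(replies), sleep=print, now=lambda: 1744281590.0))
```

Drop the `transport`, `sleep` and `now` arguments to send real requests with the key from the ASVA_API_KEY environment variable.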

SDK

TypeScript and Python SDKs are in development. Until they are available, use the REST API directly with the examples above.

Next steps

Readiness API

Run a readiness audit against any domain.

Manifest API

Generate and validate UCP manifests.

Attribution API

Log events and pull attribution data.