Dravo accepts two kinds of credentials. Most integrations only ever need an API key.
API keys
Create API keys in the dashboard (Keys). The full secret is shown once at creation, then only a short prefix is stored for display. Send the key as a Bearer token on every request:
```bash
curl https://api.dravo.dev/v1/accounts \
  -H "Authorization: Bearer dra_live_8f2c..."
```
Keep keys server side. Revoke a key any time from the dashboard or with DELETE /v1/api-keys/{key_id}; revocation takes effect immediately.
Live and test environments
Every key is bound to an environment, visible in its prefix:
| Prefix | Environment | Use it for |
|---|---|---|
| dra_live_ | live | Real delivery to real accounts. |
| dra_test_ | test | Development and integration testing. |
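A client-side guard built on the prefixes above, as an added example (not Dravo's own code): it loads the key from the process environment, refuses a key bound to the wrong environment, and redacts keys before they reach logs. The variable name `DRAVO_API_KEY`, the alphanumeric key body and the four-character display length are assumptions.

```python
import os
import re

# Prefixes come from the table on this page; the key-body alphabet is an assumption.
ENV_BY_PREFIX = {"dra_live_": "live", "dra_test_": "test"}
KEY_RE = re.compile(r"\b(dra_(?:live|test)_)([A-Za-z0-9]{0,4})[A-Za-z0-9]*")


def key_environment(key: str) -> str:
    """Return 'live' or 'test' from the key prefix, or raise ValueError."""
    for prefix, env in ENV_BY_PREFIX.items():
        if key.startswith(prefix) and len(key) > len(prefix):
            return env
    raise ValueError("not a Dravo API key (unknown prefix)")


def redact(text: str) -> str:
    """Replace every key found in text with its prefix plus at most four characters."""
    return KEY_RE.sub(r"\1\2...", text)


def load_key(expected_env: str, environ=os.environ, var: str = "DRAVO_API_KEY") -> str:
    """Read the key from the environment and check which environment it is bound to."""
    key = environ.get(var, "").strip()
    if not key:
        raise RuntimeError(f"{var} is not set")
    actual = key_environment(key)
    if actual != expected_env:
        # The error text carries only the redacted form, never the secret.
        raise RuntimeError(f"{redact(key)} is a {actual} key, expected {expected_env}")
    return key


def auth_headers(key: str) -> dict:
    """Build the Bearer header; refuse values that could split or corrupt it."""
    if any(c.isspace() or ord(c) < 0x20 for c in key):
        raise ValueError("key contains whitespace or control characters")
    return {"Authorization": f"Bearer {key}"}


if __name__ == "__main__":
    # Constructed sample key, not a real credential.
    sample = {"DRAVO_API_KEY": "dra_test_0000aaaabbbbcccc"}
    key = load_key("test", environ=sample)
    print(redact(f"calling /v1/accounts with {key}"))
    print(list(auth_headers(key)))
```

Calling `load_key("live")` in production start-up and `load_key("test")` in CI turns a misplaced key into a start-up failure rather than real delivery from a test run.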
Dashboard JWT
The dashboard authenticates with a Supabase JWT (ES256), verified locally against the project JWKS. You normally do not handle this token yourself; it is used by the web app. The public API endpoints accept either a JWT or an API key, so anything you can do from the dashboard you can also do with a key.
Which auth does each endpoint use
Dravo has two access levels:
- Public API (JWT or API key): publish, accounts and media. These are the endpoints an integration or agent calls.
- Dashboard only (JWT): account management surfaces such as API keys, billing, stats, webhook configuration and the interactive OAuth flow.
Each page in the API reference states the auth it requires in its Auth line.