Auth, Roles & Rate Limits

API key authentication, role-based access control, and per-tier rate limits.

Authentication
All endpoints require a Bearer token in the Authorization header.
curl https://api.qavcm.com/api/projects \
  -H "Authorization: Bearer qavcm_sk_live_…"
Sandbox token (evaluation only)
qavcm_sk_sandbox_demo_00000000
Rate limited · fixed dataset
All tokens are scoped to a workspace — a token cannot access data from another org.
Token rotation is recommended every 90 days. Old tokens are invalidated immediately on rotation.
Never embed tokens in client-side code. Use server-side proxy patterns.
All API requests are logged with timestamp, IP, and token ID for the audit trail.
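The server-side proxy pattern recommended above, sketched for Node.js 18+ as an added example (not QAVCM's own code): the browser calls the proxy, and only the proxy holds the token. The `QAVCM_TOKEN` and `PROXY_PORT` environment variable names, the character set accepted for `:id`, and the choice to expose only the Read Only endpoints are assumptions.

```javascript
// Added example: server-side proxy that keeps the QAVCM token out of the browser.
const UPSTREAM = "https://api.qavcm.com";    // host from the curl example above
const TOKEN = process.env.QAVCM_TOKEN || ""; // assumption: token injected via env var

// Expose only the Read Only endpoints listed on this page; everything else is refused.
const ALLOWED = [
  /^\/api\/projects$/,
  /^\/api\/recommendations\/[A-Za-z0-9_-]+$/, // assumption: :id is URL-safe characters
  /^\/api\/connectors\/carbonmark\/market\/batch$/,
  /^\/api\/coverage$/,
];
const RELAY = ["x-ratelimit-limit", "x-ratelimit-remaining", "x-ratelimit-reset"];

// Returns { url, init } for fetch(), or null when the request must be refused.
function buildUpstreamRequest(method, rawUrl, token = TOKEN) {
  if (method !== "GET" || !token) return null; // fail closed without a token
  let u;
  try { u = new URL(rawUrl, "http://proxy.invalid"); } catch { return null; }
  // Only the normalised path and query are reused; any host in rawUrl is dropped.
  if (!ALLOWED.some((re) => re.test(u.pathname))) return null;
  return {
    url: UPSTREAM + u.pathname + u.search,
    // Browser-supplied headers (Authorization, Cookie, ...) are never forwarded.
    init: { method: "GET", headers: { Authorization: `Bearer ${token}` } },
  };
}

// Copy only the content type and the rate-limit headers back to the browser.
function relayHeaders(upstream) {
  const out = { "content-type": upstream.get("content-type") || "application/json" };
  for (const h of RELAY) if (upstream.has(h)) out[h] = upstream.get(h);
  return out;
}

async function handle(req, res) {
  const up = buildUpstreamRequest(req.method, req.url);
  if (!up) { res.writeHead(403); res.end("forbidden"); return; }
  try {
    const r = await fetch(up.url, up.init);
    const body = Buffer.from(await r.arrayBuffer()); // read fully before replying
    res.writeHead(r.status, relayHeaders(r.headers));
    res.end(body);
  } catch { res.writeHead(502); res.end("upstream error"); }
}

// Starts listening only when PROXY_PORT is set (hypothetical variable name).
if (process.env.PROXY_PORT) {
  import("node:http").then((http) =>
    http.createServer(handle).listen(Number(process.env.PROXY_PORT), "127.0.0.1"));
}
```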
Authorization
read_only
Read Only
Browse projects, scores, and market data. No write access.
GET /api/projects
GET /api/recommendations/:id
GET /api/connectors/carbonmark/market/batch
GET /api/coverage
analyst
Analyst
Create recommendations, access full methodology and provenance data.
POST /api/recommendations
GET /api/sources
GET /api/source-runs
All Read Only permissions
operator
Operator
Full data-layer access — run connectors, trigger matching, manage mapping.
POST /api/source-runs
POST /api/matching/run
POST /api/matching/config
All Analyst permissions
admin
Admin
Workspace management, token issuance, role assignment.
Manage API tokens
Assign roles
Audit log access
All Operator permissions
Limits
| Tier | Req / min | Req / day | Burst | Notes |
|---|---|---|---|---|
| Sandbox | 60 | 1 000 | 10 | For evaluation. Fixed dataset, no live data. |
| Standard | 300 | 30 000 | 50 | Production use for individual integrators. |
| Enterprise | Custom | Custom | Custom | SLA-backed, dedicated infra, volume discounts. |
Rate limit headers returned on every response: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset