Authentication and API keys
Sending your key
The canonical header is X-API-Key:
curl -X POST 'https://api.cognivolabs.io/v1/api/intel/risk' \
-H 'X-API-Key: YOUR_API_KEY' \
-H 'Content-Type: application/json' \
-d '{"chain":"eth","address":"0xTOKEN_CONTRACT"}'
Authorization: Bearer YOUR_API_KEY is accepted as an alias for client libraries that prefer it.
How keys are stored
Cognivo never stores your full key. Only a one-way hash plus the prefix and last four characters are kept, which is why the full key can be shown exactly once at creation. Treat it like a password.
Sandbox keys vs live keys
| Prefix | Purpose | Billing | Rate cap |
|---|---|---|---|
cogv_test_ | Sandbox: limited demos and integration testing only, clearly labelled Sandbox; cannot run live intelligence | never charged | hard cap of 25 requests/hour, 100/day and 1/second |
cogv_live_ | production; self-serve, works immediately | pay-as-you-go: Cognivo credits per successful call from your credit balance; failed calls are never charged | your access-mode limit, 1,000 requests/hour to start |
Prototype the request shapes with a sandbox key if you like, then ship with a live key. A new live key needs no approval and no trial: it starts working the moment you create it, as long as your account has credits.
Access modes, plainly
- Live (standard) - self-serve pay-as-you-go. A new live key works immediately, charged in Cognivo credits per successful call at the published per-endpoint prices. If your balance cannot cover a call you get
402 payment_required(nothing charged): top up on your Cognivo account billing page and retry. - Sandbox -
cogv_test_keys; limited demo/testing only, cannot run live intelligence. Live calls answer403 sandbox_limited. - Trial - an optional, admin-granted evaluation allowance (limited and expiring). Not required for ordinary paid use.
- Partner - an admin-managed arrangement.
- Enterprise - the request-access path: custom pricing, custom limits and volume. Request it from the Developer portal.
- Suspended - the key cannot execute anything; the portal shows the reason.
- Legacy metadata-only keys - a small number of older keys predate self-serve billing and can only call the metadata endpoints; live calls answer
403 access_required. Create a new live key to move to pay-as-you-go.
GET /v1/api/me tells you which mode your key is in (access_mode), plus your account's credits_balance and top_up guidance.
Scopes (permissions)
Keys are default-deny: a key can only call the endpoint groups you granted when creating it. There are three scopes, and each simply unlocks a set of endpoints.
intel:read - token and wallet intelligence
The everyday scope. It lets your key ask "what is going on with this token or wallet?": price-drop drivers, risk signals, team wallet behavior, realized PnL, and exact movements.
Unlocks: POST /v1/api/intel/why-down, POST /v1/api/intel/team-wallets, POST /v1/api/intel/risk, POST /v1/api/wallet/pnl, POST /v1/api/wallet/exact-movements
security:read - wallet safety scans
Lets your key check what a wallet has approved: which contracts can spend its tokens, flagging unlimited allowances. Read-only; a key with this scope can never move funds or revoke anything.
Unlocks: POST /v1/api/wallet/approvals
liquidity:read - liquidity and LP reads
Lets your key check whether a token's liquidity is real and where the LP tokens sit: pool context, LP custody, lock and burn context.
Unlocks: POST /v1/api/intel/liquidity
GET /v1/api/health needs no key at all, and GET /v1/api/me and GET /v1/api/discover work with any valid key, whatever its scopes.
You can edit a key's scopes any time in the portal. If a call fails with 403 scope_denied, the key simply does not carry the scope that endpoint needs.
Rotation and revocation
- Revoke kills a key. It stops authenticating within a minute.
- Rotate creates a replacement key with the same name, scopes and tier, shows it once, and revokes the old key in the same step. Use it on any suspected leak and on a regular schedule.
Optional restrictions
Per key you can additionally allow-list:
- Origins (exact origins or wildcard subdomains like
https://*.yourapp.com) - requests presenting a differentOriginare rejected. - IPs / CIDR ranges - requests from other addresses are rejected.
Empty lists mean no restriction.
Where keys come from
Keys are created only in the self-serve Developer portal using your existing Cognivo account. There is no manual/legacy key issuance for new integrations.