vennaVenna

Authentication

Pick between a workspace API key, a plan JWT, or x402 payment to authenticate against the Venna gateway.

Every request to the Venna gateway (https://gateway.venna.net/v1) carries a credential. Pick the scheme that matches who is calling and how the call is billed.

SchemeHeaderBill toReach for it when
Workspace API keyAuthorization: Bearer vk_...The key's workspaceA server or integration calls in production.
Plan JWTAuthorization: Bearer <jwt>The signed-in accountA human session drives the call (Console, Venna Code).
x402 paymentPAYMENT-SIGNATURE: <base64>A wallet, on-chainYou pay per token with no prepaid plan.

Prop

Type

A long-lived secret prefixed vk_. Usage and billing target the workspace that owns the key, not any individual user — the default for production traffic. Read it from VENNA_API_KEY and send it as a bearer token:

curl https://gateway.venna.net/v1/chat/completions \
  -H "Authorization: Bearer $VENNA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "model": "venna-fast", "messages": [{ "role": "user", "content": "ping" }] }'

When to use it: any unattended, programmatic caller — a backend service, a cron job, a CI step.

A short-lived account token carrying account and workspace context, for interactive apps that already signed a user in. Mint one on the API control plane (not the gateway) with POST /v1/auth/sessions:

curl https://api.venna.net/v1/auth/sessions \
  -H "Content-Type: application/json" \
  -d '{ "email": "you@example.com", "password": "'"$VENNA_PASSWORD"'" }'

Send the returned access-token to the gateway exactly like a vk_ key.

When to use it: a logged-in user is on the other end and billing should follow their plan.

Pay per token from a wallet with no prepaid plan. A request with no valid credential gets a 402 PAYMENT-REQUIRED challenge whose accepts list names the schemes it takes; sign the payload and resend with a PAYMENT-SIGNATURE header carrying the base64 authorization:

curl https://gateway.venna.net/v1/chat/completions \
  -H "PAYMENT-SIGNATURE: $VENNA_PAYMENT_SIGNATURE" \
  -H "Content-Type: application/json" \
  -d '{ "model": "venna-fast", "messages": [{ "role": "user", "content": "ping" }] }'

On Base the gateway accepts upto (authorize-max, settle-actual) and batch-settlement (payment-channel). See the x402 guide for the full challenge → accepts → settlement flow.

When to use it: wallet-based, pay-as-you-go access with on-chain settlement and no sign-up.

Plan JWTs are short-lived

A plan JWT expires ~15 minutes after it is minted — refresh it through the session flow rather than caching it like a static key. A vk_ key never expires; rotate it from the Console if it leaks. Never inline a literal key in source, snippets, or commits.