Sawala CloudSawala Cloud — Docs
General Concepts

API keys & access

How Sawala Cloud authenticates access — public vs secret API keys, project scope, the public API base URLs, and CLI tokens for the command-line tools.

TODO: translate to Indonesian. English source is authoritative; render it into Indonesian below.

The dashboard is for people; API keys are for code. When your website or app talks to a Sawala Cloud product over its REST API, it identifies itself with an API key. Keys are minted in the dashboard and are always scoped to a project.

Public vs secret keys

Most products distinguish two kinds of key:

  • Public key (pk_live_…)read-only and safe to ship to the browser or any client-side code. Use it to read content, list public files, and load forms.
  • Secret key (sk_live_…)read/write and server-side only. Use it to create or update data from a trusted backend. Never expose a secret key in client code.

A secret key can change your data. Keep it on the server, store it in a secret manager, and never commit it to a repository or embed it in a front-end bundle.

Project scope

Every key is tied to the project (or projects) you choose when you mint it. A key can only read and write data in the projects it's scoped to — it can never reach another project's content. This is how project isolation is enforced at the API layer.

Minting a key

  1. Open Organization Settings → API Keys in the dashboard.
  2. Click Create Key.
  3. Choose the type (public or secret), the scope (which project(s)), and the product the key is for.
  4. Click Create and copy the token — it is shown only once. Save it to a password manager or secret store.

To revoke a leaked or unused key, find its row in the same screen and click Revoke — revoked keys stop working almost immediately.

Using a key

Send the key in the X-API-Key header:

X-API-Key: pk_live_xxx

Each product's public API has its own base URL under api.sawala.cloud/public:

https://api.sawala.cloud/public/kontena
https://api.sawala.cloud/public/berkasna
https://api.sawala.cloud/public/formulir

See each product's API reference for the full endpoint list — for example, the Kontena API reference.

Common errors

ErrorLikely causeFix
401 UnauthorizedMissing or wrong headerSend X-API-Key: <token>, not Authorization: Bearer
403 ForbiddenKey isn't scoped to that projectMint a key with the right project scope
429 Too Many RequestsRate limit hitAdd caching, or ask Sawala to raise your limit

CLI tokens

A CLI token is a different kind of credential for a different job. Where an API key authorizes an application to reach one product's REST API, a CLI token authorizes you — it identifies your account so the command-line tools and MCP servers can act with your permissions.

API keyCLI token
Looks likepk_live_… / sk_live_…koda_…
IdentifiesAn applicationYou (your account)
Used bySDKs, the REST APIsawala & kodena CLIs, MCP servers
ScopeA product + project(s)Your org/project context, across CLI-supported products
Obtained viaMinting under Organization Settings → API Keyssawala login / kodena login (browser); or minted under CLI tokens for CI

Signing in with the browser flow

You normally don't mint or copy a CLI token by hand. Just run the login command:

sawala login   # or: kodena login

The CLI opens your browser to the dashboard's authorization page. Approve the request there and you're signed in — nothing to copy or paste. Under the hood the CLI runs a loopback authorization flow, so the token is delivered straight to the CLI over HTTPS and never travels through the browser. It's then stored locally on your machine, and the same sign-in works for both sawala and kodena.

Pasting a token (headless, CI, or by choice)

The copy-paste flow is still fully supported — use it whenever you prefer it, or when there's no browser available (a server, a container, a CI job):

  1. In the dashboard, open Organization Settings → CLI tokens and create a token (shown only once).

  2. Provide it without a browser:

    sawala login --no-browser     # prompts you to paste the token
    sawala login --token koda_…    # non-interactive, e.g. in CI

A CLI token acts on your behalf — treat it like a password. Don't share or commit it. To revoke one, return to Organization Settings → CLI tokens and delete it; any CLI that used it will need to sign in again.

See CLI & SDKs for the full tool walkthrough.

Next: put it all together in Getting started.

Daftar Isi