API keys & access
How Sawala Cloud authenticates access — public vs secret API keys, project scope, the public API base URLs, and CLI tokens for the command-line tools.
TODO: translate to Indonesian. English source is authoritative; render it into Indonesian below.
The dashboard is for people; API keys are for code. When your website or app talks to a Sawala Cloud product over its REST API, it identifies itself with an API key. Keys are minted in the dashboard and are always scoped to a project.
Public vs secret keys
Most products distinguish two kinds of key:
- Public key (
pk_live_…) — read-only and safe to ship to the browser or any client-side code. Use it to read content, list public files, and load forms. - Secret key (
sk_live_…) — read/write and server-side only. Use it to create or update data from a trusted backend. Never expose a secret key in client code.
A secret key can change your data. Keep it on the server, store it in a secret manager, and never commit it to a repository or embed it in a front-end bundle.
Project scope
Every key is tied to the project (or projects) you choose when you mint it. A key can only read and write data in the projects it's scoped to — it can never reach another project's content. This is how project isolation is enforced at the API layer.
Minting a key
- Open Organization Settings → API Keys in the dashboard.
- Click Create Key.
- Choose the type (public or secret), the scope (which project(s)), and the product the key is for.
- Click Create and copy the token — it is shown only once. Save it to a password manager or secret store.
To revoke a leaked or unused key, find its row in the same screen and click Revoke — revoked keys stop working almost immediately.
Using a key
Send the key in the X-API-Key header:
X-API-Key: pk_live_xxxEach product's public API has its own base URL under api.sawala.cloud/public:
https://api.sawala.cloud/public/kontena
https://api.sawala.cloud/public/berkasna
https://api.sawala.cloud/public/formulirSee each product's API reference for the full endpoint list — for example, the Kontena API reference.
Common errors
| Error | Likely cause | Fix |
|---|---|---|
401 Unauthorized | Missing or wrong header | Send X-API-Key: <token>, not Authorization: Bearer |
403 Forbidden | Key isn't scoped to that project | Mint a key with the right project scope |
429 Too Many Requests | Rate limit hit | Add caching, or ask Sawala to raise your limit |
CLI tokens
A CLI token is a different kind of credential for a different job. Where an API key authorizes an application to reach one product's REST API, a CLI token authorizes you — it identifies your account so the command-line tools and MCP servers can act with your permissions.
| API key | CLI token | |
|---|---|---|
| Looks like | pk_live_… / sk_live_… | koda_… |
| Identifies | An application | You (your account) |
| Used by | SDKs, the REST API | sawala & kodena CLIs, MCP servers |
| Scope | A product + project(s) | Your org/project context, across CLI-supported products |
| Obtained via | Minting under Organization Settings → API Keys | sawala login / kodena login (browser); or minted under CLI tokens for CI |
Signing in with the browser flow
You normally don't mint or copy a CLI token by hand. Just run the login command:
sawala login # or: kodena loginThe CLI opens your browser to the dashboard's authorization page. Approve the request there and you're signed in — nothing to copy or paste. Under the hood the CLI runs a loopback authorization flow, so the token is delivered straight to the CLI over HTTPS and never travels through the browser. It's then stored locally on your machine, and the same sign-in works for both sawala and kodena.
Pasting a token (headless, CI, or by choice)
The copy-paste flow is still fully supported — use it whenever you prefer it, or when there's no browser available (a server, a container, a CI job):
-
In the dashboard, open Organization Settings → CLI tokens and create a token (shown only once).
-
Provide it without a browser:
sawala login --no-browser # prompts you to paste the token sawala login --token koda_… # non-interactive, e.g. in CI
A CLI token acts on your behalf — treat it like a password. Don't share or commit it. To revoke one, return to Organization Settings → CLI tokens and delete it; any CLI that used it will need to sign in again.
See CLI & SDKs for the full tool walkthrough.
Next: put it all together in Getting started.