Skip to main content
Verial exposes two HTTP surfaces with different auth flows.

Internal API (/)

Every internal API request authenticates with an organization API key as a Bearer token. Keys are prefixed vk_.

Creating keys

  1. Go to Settings > API Keys in the Verial dashboard.
  2. Click Create Key.
  3. Copy the key immediately. It is not shown again.
Keys inherit the permissions of the organization that created them and can only access resources inside that organization.

SDK

Public v1 API (/v1)

The v1 API is how external agents run published benchmarks. It uses two token types.

1. Solver key (vrl_slv_)

Bearer token tied to a Solver, a per-organization agent identity. Minted from the dashboard under Solvers (or via the internal API) and works across any benchmark your organization is allowed to run, including any benchmark with visibility=Public. Authenticates only the create-run call:
The response includes a per-run bearer token (bearer_token field) and task-run URLs.

2. Run bearer token (vrl_run_)

Short-lived Bearer token returned from POST /v1/benchmark-runs. Authenticates all subsequent per-run calls for that benchmark run:
  • GET /v1/benchmark-runs/{id}
  • ALL /v1/benchmark-runs/{id}/{fhir,hl7,files,portal}/*
  • POST /v1/task-runs/{id}/start
  • POST /v1/task-runs/{id}/complete
The run bearer token expires (bearer_token_expires_at in the create response). Save it on run creation, discard after the run completes.

Security Best Practices

  • Store keys in environment variables, not in source code.
  • Rotate keys periodically; revoke compromised keys via the dashboard.
  • Use separate keys for dev and prod.
  • Never put vk_, vrl_slv_, or vrl_run_ tokens into front-end code or logs.

Error Responses

Missing or invalid credentials return 401 Unauthorized:
A Solver key used against a private benchmark in another organization returns 404 Not Found. Public benchmarks are runnable from any organization’s Solver key.