Authentication | Pivolio Docs

Pivolio has two API surfaces, each authenticated differently.

Ingestion — write key

Event-collection endpoints authenticate with a workspace write key, sent in the X-Write-Key header:

$ curl https://api.pivolio.com/track \
>   -H "X-Write-Key: YOUR_WRITE_KEY" \
>   -H "Content-Type: application/json" \
>   -d '{ "event_name": "page_view", "anonymous_id": "anon_abc" }'

Write keys can only ingest events, so they’re safe to use in first-party browser code. Create and rotate them in the dashboard under Settings → Keys.

Workspace, integration, reporting, and account endpoints authenticate with the session cookie issued when you sign in to the dashboard. They’re designed for the dashboard UI rather than static server-to-server tokens.

Browse the API Reference to see which authentication each endpoint expects — ingestion endpoints take the write key, everything else uses the session.