Authentication
Every public endpoint requires a bearer token in the Authorization header.
curl https://api.prod.holibras.com.br/v1/holidays?year=2026 \
-H 'Authorization: Bearer fk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'Token format
Tokens look like fk_<env>_<base58-40>:
env—livefor production,testfor testing (tokens have separate quotas).- The 40-character body is base58 (omits
0,O,I,l). - Only the first 11 characters are indexed — the remainder is hashed.
Restricting tokens
When you create a token from /app/tokens/new, you can scope it to:
- Domains —
Originmust match an entry in the allowlist. Recommended for browser usage. - IPs / CIDRs — Request IP must fall inside any allowlist entry. Recommended for server-side usage.
If both are set, both must match.
Rotating and revoking
Revoke from /app/tokens/:id. Revocation is instant — the cache is purged within one second across all API nodes. Lost tokens cannot be recovered; create a new one.