HHolibras

Authentication

Every public endpoint requires a bearer token in the Authorization header.

curl https://api.prod.holibras.com.br/v1/holidays?year=2026 \
  -H 'Authorization: Bearer fk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'

Token format

Tokens look like fk_<env>_<base58-40>:

  • envlive for production, test for testing (tokens have separate quotas).
  • The 40-character body is base58 (omits 0, O, I, l).
  • Only the first 11 characters are indexed — the remainder is hashed.

Restricting tokens

When you create a token from /app/tokens/new, you can scope it to:

  • DomainsOrigin must match an entry in the allowlist. Recommended for browser usage.
  • IPs / CIDRs — Request IP must fall inside any allowlist entry. Recommended for server-side usage.

If both are set, both must match.

Rotating and revoking

Revoke from /app/tokens/:id. Revocation is instant — the cache is purged within one second across all API nodes. Lost tokens cannot be recovered; create a new one.