
HTTP status codes

  • 200: Request succeeded
  • 202: Registration accepted and pending consent
  • 400: Invalid request body or missing required query/body field
  • 401: Missing, invalid, or revoked token
  • 403: Missing permission, app access revoked, or non-loopback access
  • 404: Unknown path or request id not found
  • 500: Internal server error

Common error responses

{ "error": "app.name is required" }
{ "error": "request_id is required" }
{ "error": "Invalid or revoked token" }
{ "error": "Missing write permission" }
{ "error": "Only localhost is allowed" }

Localhost enforcement

The Velora local API checks the remote socket address and allows only loopback addresses:
  • 127.0.0.1
  • ::1
  • ::ffff:127.0.0.1
Any other address is denied.
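
The check described above, written as an added example (not Velora's own code): the decision uses only the socket peer address, compared against the three listed strings, and denied peers get the documented 403 body. The function names, the Node-style `req`/`res` shapes and the exact-string comparison are assumptions.

```javascript
// Added example, not Velora's source. All names here are hypothetical.
// The three loopback forms the page lists, compared as exact strings.
const LOOPBACK_ADDRESSES = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);

// True only for an exact match against the allowlist.
function isLoopback(remoteAddress) {
  return typeof remoteAddress === "string" && LOOPBACK_ADDRESSES.has(remoteAddress);
}

// Decide from the socket peer address only. Client-supplied headers such as
// X-Forwarded-For or Host are never read, so they cannot change the result.
function checkLocalhost(req) {
  const peer = req && req.socket ? req.socket.remoteAddress : undefined;
  if (isLoopback(peer)) {
    return { allowed: true, status: null, body: null };
  }
  return { allowed: false, status: 403, body: { error: "Only localhost is allowed" } };
}

// Wrap a Node http request handler so denied peers never reach it.
function withLocalhostOnly(handler) {
  return function (req, res) {
    const verdict = checkLocalhost(req);
    if (!verdict.allowed) {
      res.writeHead(verdict.status, { "Content-Type": "application/json" });
      res.end(JSON.stringify(verdict.body));
      return;
    }
    handler(req, res);
  };
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = [
  { socket: { remoteAddress: "127.0.0.1" }, headers: {} },
  { socket: { remoteAddress: "::ffff:127.0.0.1" }, headers: {} },
  { socket: { remoteAddress: "192.168.1.20" }, headers: { "x-forwarded-for": "127.0.0.1" } },
  { socket: { remoteAddress: "::ffff:192.168.1.20" }, headers: {} },
  { socket: {}, headers: {} }, // peer address unavailable: denied
];

// Returns the allow/deny decision for each constructed sample.
function runSamples() {
  return SAMPLE_REQUESTS.map((req) => checkLocalhost(req).allowed);
}
```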

Token and app lifecycle

  • Tokens are hashed in storage
  • Revoking an app revokes all active tokens for that app
  • Regenerating a token revokes previous active tokens
  • Resetting all connections revokes all active tokens and closes all WebSocket sessions

Operational behavior

  • CORS is enabled with Access-Control-Allow-Origin: *
  • Allowed methods are GET, POST, and OPTIONS
  • The server tracks active connections and last request timestamp
  • Unknown routes return 404

Production guidance for integrations

  • Request only the permissions your app needs
  • Store tokens securely (do not expose them in logs)
  • Handle token revocation and reconnect logic gracefully
  • Treat local API availability as optional and fall back when Velora is not running