Authentication

AHOLO Open API uses the global security scheme AuthorizationHeader: include Authorization on gateway requests.

Format: put the API key you created in Aholo Platform directly. Do not add Bearer or other prefixes. Example: Authorization: <your API key>.
If missing or invalid, the API typically returns 401 with an ApiError body (e.g. status: UNAUTHENTICATED, legacy biz code 10004 in details.metaData.bizCode).

The upload-token endpoint GET /global/asset/v1/token (see Asset in the API sidebar) uses the same gateway Authorization header above.

After you get ousToken from the response, requests to the OUS globalDomain (e.g. https://ous-sg.kujiale.com for the international region; subject to actual response) should use the OpenAPI header ous-token-v2 with the ousToken value. This is independent from the gateway Authorization.

Call /ous/api/... on the globalDomain host. Those paths are not prefixed with /global.

Security recommendations

Do not hardcode keys in browser frontend, mobile apps, or public repositories.
Rotate API keys regularly. If leaked, revoke it on the platform and generate a new one ASAP.

Headers related to Asset (OUS)​

Security recommendations​

Headers related to Asset (OUS)

Security recommendations