Authentication

All requests to /api/v1/* (except /verify/:code) require a valid API key sent as a bearer token:

Authorization: Bearer certify_live_...

Key format

Keys are the prefix certify_live_ followed by 32 alphanumeric characters. The dashboard only ever shows you the first few characters; the full key is displayed once, at creation time, and cannot be retrieved afterwards, so store it in your secret manager before leaving the page.

Scopes

Each key is issued with one or more scopes. Requests outside a key's scopes return 403 insufficient_scope.

| Scope | Grants |
|---|---|
| templates:read | GET /templates, GET /templates/:id |
| certificates:read | GET /certificates, GET /certificates/:id |
| certificates:write | POST /certificates, POST /certificates/:id/revoke |
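The two rules above (a bearer key on every /api/v1/* route except /verify/:code, and 403 insufficient_scope when the key lacks the route's scope) are small enough to model end to end. The following is an added example written for this page, not the service's own code: it checks the key format, looks the key up by hash, maps the request to the scope in the table and returns the status the page documents. The 401 for a missing, malformed, unknown or revoked key, the 404 for an unrecognised route and the SHA-256 key store are assumptions; the page does not state them.

```python
import hashlib
import re

# Key format stated on the page: "certify_live_" followed by 32 alphanumerics.
KEY_RE = re.compile(r"^certify_live_[A-Za-z0-9]{32}$")
API_PREFIX = "/api/v1"

# Route -> required scope, transcribed from the Scopes table.
# ":name" segments match any non-empty path segment.
ROUTE_SCOPES = [
    ("GET",  "/templates",               "templates:read"),
    ("GET",  "/templates/:id",           "templates:read"),
    ("GET",  "/certificates",            "certificates:read"),
    ("GET",  "/certificates/:id",        "certificates:read"),
    ("POST", "/certificates",            "certificates:write"),
    ("POST", "/certificates/:id/revoke", "certificates:write"),
]
# The one route the page exempts from authentication.
PUBLIC_ROUTES = [("GET", "/verify/:code")]


def _matches(pattern: str, path: str) -> bool:
    """Segment-wise route match; ':id'-style segments are wildcards."""
    p, q = pattern.strip("/").split("/"), path.strip("/").split("/")
    return len(p) == len(q) and all(
        (a.startswith(":") and b != "") or a == b for a, b in zip(p, q)
    )


def key_id(secret: str) -> str:
    """Assumption: the server stores only a hash of each key, never the key itself."""
    return hashlib.sha256(secret.encode()).hexdigest()


def authorize(method: str, path: str, headers: dict, keys: dict):
    """Return (status, body). 403 insufficient_scope and the /verify/:code exemption
    come from the page; 401 and 404 handling are assumptions."""
    if not path.startswith(API_PREFIX + "/"):
        return 404, {"error": "not_found"}
    route = path[len(API_PREFIX):]

    if any(m == method and _matches(pat, route) for m, pat in PUBLIC_ROUTES):
        return 200, {"ok": True}

    # Header names are case-insensitive in HTTP, so normalise before lookup.
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not KEY_RE.match(token):
        return 401, {"error": "invalid_api_key"}
    record = keys.get(key_id(token))
    if record is None or record["revoked"]:          # revoked keys fail at once: no grace period
        return 401, {"error": "invalid_api_key"}

    needed = next(
        (s for m, pat, s in ROUTE_SCOPES if m == method and _matches(pat, route)), None
    )
    if needed is None:
        return 404, {"error": "not_found"}
    if needed not in record["scopes"]:
        return 403, {"error": "insufficient_scope", "required_scope": needed}
    return 200, {"ok": True}


# Constructed sample keys for the demo; these are not real credentials.
READ_KEY = "certify_live_" + "a" * 32
WRITE_KEY = "certify_live_" + "b" * 32
OLD_KEY = "certify_live_" + "c" * 32          # already revoked
KEYS = {
    key_id(READ_KEY):  {"scopes": {"templates:read", "certificates:read"}, "revoked": False},
    key_id(WRITE_KEY): {"scopes": {"certificates:read", "certificates:write"}, "revoked": False},
    key_id(OLD_KEY):   {"scopes": {"certificates:write"}, "revoked": True},
}

if __name__ == "__main__":
    for method, path, key in [
        ("GET", "/api/v1/certificates", READ_KEY),
        ("POST", "/api/v1/certificates", READ_KEY),            # 403 insufficient_scope
        ("POST", "/api/v1/certificates/cert_123/revoke", WRITE_KEY),
        ("POST", "/api/v1/certificates", OLD_KEY),             # 401, revoked
        ("GET", "/api/v1/verify/ABC123", None),                # no key needed
    ]:
        hdrs = {"Authorization": f"Bearer {key}"} if key else {}
        print(method, path, authorize(method, path, hdrs, KEYS))
```

Note that the scope check happens only after the key has been validated, so a caller never learns which scope a route needs without first presenting a working key.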

Rotation

Keys have no expiry. To rotate:

  1. Create a new key with the same scopes.
  2. Deploy the new key to your integration.
  3. Once traffic has shifted (the old key's last_used_at stops advancing), revoke the old key in Settings → API Keys.

Revoked keys stop working immediately — there is no grace period.

Security

  • Never commit keys to source control. Use environment variables or a secret manager.
  • Never ship keys to the browser. Keys act on your behalf — anyone holding a certificates:write key can issue and revoke certificates against your quota.
  • Grant the minimum scopes. If an integration only reads, issue it a key with just the :read scopes it uses.
  • Monitor usage. last_used_at updates on every request; activity from a key that should be idle, or at a time your integration does not run, is a signal to rotate it.
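The key-format rule, the dashboard's prefix-only display and the four points above translate into a few reusable client-side helpers. The following is an added example written for this page, not code from the service or its SDK: it loads the key from an environment variable and fails fast on a malformed value, masks it for logs, scans text for accidentally committed keys (a pre-commit hook would call this on each staged file), and flags keys whose last_used_at shows they are no longer in use, which matters because keys never expire on their own. The variable name CERTIFY_API_KEY, the masking width, the 30-day idle threshold and the shape of the key records are all assumptions.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Unanchored so it can find keys embedded anywhere in a line of source.
KEY_RE = re.compile(r"certify_live_[A-Za-z0-9]{32}")
ENV_VAR = "CERTIFY_API_KEY"   # assumed name; the page does not prescribe one


def mask_key(key: str, visible: int = 17) -> str:
    """Prefix plus four characters, mirroring the dashboard's partial display.
    Use this in logs and error messages; never log the raw key."""
    return key[:visible] + "..."


def load_api_key(environ=os.environ) -> str:
    """Read the key from the environment, rejecting a missing or malformed value
    at startup rather than at the first 401 from the API."""
    key = environ.get(ENV_VAR, "").strip()
    if not KEY_RE.fullmatch(key):
        raise RuntimeError(f"{ENV_VAR} is unset or is not a certify_live_ key")
    return key


def auth_header(key: str) -> dict:
    """The header the page requires on every authenticated request."""
    return {"Authorization": f"Bearer {key}"}


def scan_for_keys(text: str):
    """Report (line number, masked key) for anything that looks like a live key.
    Intended for a pre-commit hook so keys never reach source control."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in KEY_RE.finditer(line):
            hits.append((n, mask_key(m.group(0))))
    return hits


def stale_keys(records, now, max_idle=timedelta(days=30)):
    """Return ids of keys unused for longer than max_idle (or never used).
    Assumed record shape: {"id": ..., "last_used_at": datetime | None}."""
    return [
        r["id"] for r in records
        if r["last_used_at"] is None or now - r["last_used_at"] > max_idle
    ]


# Constructed inputs for the demo; the key below is made up, not a real credential.
SAMPLE_SOURCE = """import requests
API_KEY = os.environ["CERTIFY_API_KEY"]   # fine
API_KEY = "certify_live_Q8sbX2vM9pL4kR7tN1wJ5yH3cF6dA0eG"  # hard-coded, will be flagged
"""
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"id": "key_current", "last_used_at": NOW - timedelta(days=2)},
    {"id": "key_old",     "last_used_at": NOW - timedelta(days=90)},
    {"id": "key_unused",  "last_used_at": None},
]

if __name__ == "__main__":
    demo_env = {ENV_VAR: "certify_live_" + "Z" * 32}
    key = load_api_key(demo_env)
    print("loaded", mask_key(key), auth_header(key).keys())
    print("committed keys:", scan_for_keys(SAMPLE_SOURCE))
    print("revocation candidates:", stale_keys(SAMPLE_RECORDS, NOW))
```

During a rotation, deploy the new value of the environment variable first; because revocation has no grace period, revoke the old key only after its last_used_at stops moving, which the stale-key check above will surface.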