Authentication

Learn how to authenticate requests to the Check API.

Authentication

All API requests require authentication using an API key. This guide covers how to create, manage, and use API keys securely.

API Keys

API keys are the primary method of authenticating with the Check API. Each key is:

Scoped to your organization
Trackable for usage and billing
Revocable at any time
Prefixed with vfy_ for easy identification

Creating an API Key

Navigate to your Dashboard
Click Create New Key
Give your key a descriptive name (e.g., "Production Server", "Development", "CI/CD Pipeline")
Copy the key immediately - it won't be shown again

Important

API keys are only displayed once upon creation. Store them securely in your environment variables or secrets manager.

Using API Keys

Include your API key in the Authorization header with the Bearer scheme:

Authorization: Bearer vfy_abc123...

Example Request

Bring Your Own Key (BYOK)

Check supports using your own LLM provider API keys for verification. This gives you:

Cost control - Use your existing provider agreements
Compliance - Keep API calls within your organization's accounts
Flexibility - Switch providers without changing Check integration

Supported Providers

Provider	Key Prefix	Models
OpenAI	`sk-`	GPT-4o, GPT-5
Anthropic	`sk-ant-`	Claude Opus 4.6, Sonnet 4.5, Haiku 4.5
Google	-	Gemini 3, Gemini 2
Mistral	-	Mistral Large, Medium, Small
Azure OpenAI	-	Azure-hosted OpenAI models
AWS Bedrock	-	Claude, Titan, others
OpenRouter	-	Any model via OpenRouter gateway

Adding Provider Keys

Go to Dashboard → Settings → Provider Keys
Click Add Provider Key
Select the provider
Enter your API key (encrypted at rest with AES-256-GCM)
Save

Provider keys are used automatically when you make verification requests.

Security Best Practices

Do

Store API keys in environment variables
Use different keys for development and production
Rotate keys periodically (every 90 days recommended)
Delete keys that are no longer needed
Use secrets managers in production (AWS Secrets Manager, HashiCorp Vault, etc.)
Monitor key usage in the dashboard

Don't

Commit API keys to version control
Expose keys in client-side code
Share keys across teams without tracking
Use production keys for testing
Log API keys in application logs

Managing Keys

Viewing Usage

Each API key tracks its usage automatically. View statistics in your Dashboard:

Total requests made
Last used timestamp
Active/inactive status
Cost breakdown

Key Naming Conventions

Use descriptive names to organize your keys:

production-server
staging-server
development-local
ci-cd-pipeline
third-party-integration-name

Revoking Keys

To revoke a compromised or unused key:

Go to Dashboard → API Keys
Find the key you want to revoke
Click the Delete button
Confirm the deletion

Revoking a key is immediate and permanent. Any applications using that key will receive 401 Unauthorized errors.

Rate Limits by Plan

API rate limits are determined by your subscription plan:

Plan	Requests/minute	Monthly Verifications
Free	20	1,000
Pro	200	25,000
Enterprise	1,000	Unlimited

See Rate Limiting for more details on handling rate limit errors.

Error Responses

401 Unauthorized

Returned when the API key is missing or invalid:

{
  "error": {
    "code": "unauthorized",
    "message": "Invalid API key"
  }
}

403 Forbidden

Returned when the API key is valid but lacks permissions:

{
  "error": {
    "code": "forbidden",
    "message": "API key does not have permission to access this resource"
  }
}

Organization Access

API keys are scoped to your organization. All team members with appropriate roles can:

Owner/Admin: Create, view, and delete API keys
Member: View API keys (masked), cannot create or delete
Viewer: Cannot access API key management

See Team Management for more on roles and permissions.

Authentication

Learn how to authenticate requests to the Check API.

Authentication

All API requests require authentication using an API key. This guide covers how to create, manage, and use API keys securely.

API Keys

API keys are the primary method of authenticating with the Check API. Each key is:

Scoped to your organization
Trackable for usage and billing
Revocable at any time
Prefixed with vfy_ for easy identification

Creating an API Key

Navigate to your Dashboard
Click Create New Key
Give your key a descriptive name (e.g., "Production Server", "Development", "CI/CD Pipeline")
Copy the key immediately - it won't be shown again

Important

API keys are only displayed once upon creation. Store them securely in your environment variables or secrets manager.

Using API Keys

Include your API key in the Authorization header with the Bearer scheme:

Authorization: Bearer vfy_abc123...

Example Request

Bring Your Own Key (BYOK)

Check supports using your own LLM provider API keys for verification. This gives you:

Cost control - Use your existing provider agreements
Compliance - Keep API calls within your organization's accounts
Flexibility - Switch providers without changing Check integration

Supported Providers

Provider	Key Prefix	Models
OpenAI	`sk-`	GPT-4o, GPT-5
Anthropic	`sk-ant-`	Claude Opus 4.6, Sonnet 4.5, Haiku 4.5
Google	-	Gemini 3, Gemini 2
Mistral	-	Mistral Large, Medium, Small
Azure OpenAI	-	Azure-hosted OpenAI models
AWS Bedrock	-	Claude, Titan, others
OpenRouter	-	Any model via OpenRouter gateway

Adding Provider Keys

Go to Dashboard → Settings → Provider Keys
Click Add Provider Key
Select the provider
Enter your API key (encrypted at rest with AES-256-GCM)
Save

Provider keys are used automatically when you make verification requests.

Security Best Practices

Do

Store API keys in environment variables
Use different keys for development and production
Rotate keys periodically (every 90 days recommended)
Delete keys that are no longer needed
Use secrets managers in production (AWS Secrets Manager, HashiCorp Vault, etc.)
Monitor key usage in the dashboard

Don't

Commit API keys to version control
Expose keys in client-side code
Share keys across teams without tracking
Use production keys for testing
Log API keys in application logs

Managing Keys

Viewing Usage

Each API key tracks its usage automatically. View statistics in your Dashboard:

Total requests made
Last used timestamp
Active/inactive status
Cost breakdown

Key Naming Conventions

Use descriptive names to organize your keys:

production-server
staging-server
development-local
ci-cd-pipeline
third-party-integration-name

Revoking Keys

To revoke a compromised or unused key:

Go to Dashboard → API Keys
Find the key you want to revoke
Click the Delete button
Confirm the deletion

Revoking a key is immediate and permanent. Any applications using that key will receive 401 Unauthorized errors.

Rate Limits by Plan

API rate limits are determined by your subscription plan:

Plan	Requests/minute	Monthly Verifications
Free	20	1,000
Pro	200	25,000
Enterprise	1,000	Unlimited

See Rate Limiting for more details on handling rate limit errors.

Error Responses

401 Unauthorized

Returned when the API key is missing or invalid:

{
  "error": {
    "code": "unauthorized",
    "message": "Invalid API key"
  }
}

403 Forbidden

Returned when the API key is valid but lacks permissions:

{
  "error": {
    "code": "forbidden",
    "message": "API key does not have permission to access this resource"
  }
}

Organization Access

API keys are scoped to your organization. All team members with appropriate roles can:

Owner/Admin: Create, view, and delete API keys
Member: View API keys (masked), cannot create or delete
Viewer: Cannot access API key management

See Team Management for more on roles and permissions.