Skip to main content

API Key Authentication

All requests to the Verilock API must include your API key in the Authorization header as a Bearer token.
Keep your API keys secure. Never expose keys in client-side code, public repositories, or browser requests. All API calls must originate from your backend server.
Required Headers
Authorization: Bearer qi_live_your_api_key_here
Content-Type: application/json
Accept: application/json

curl -X GET \
  "https://verilock.io/api/v1/sessions" \
  -H "Authorization: Bearer qi_live_your_api_key_here" \
  -H "Accept: application/json"

Key Prefixes

PrefixEnvironmentUsage
qi_live_ProductionLive API requests with real data
qi_test_SandboxTesting and development — no charges, simulated results
Use qi_test_ keys during development. They return simulated verification results and are free to use.

Rate Limiting

API requests are rate limited per API key. Current limits are returned in response headers:
HeaderDescription
X-RateLimit-LimitMaximum requests per minute
X-RateLimit-RemainingRemaining requests in current window
Retry-AfterSeconds until rate limit resets (only on 429)
Default rate limit is 120 requests/minute per API key. Contact us if you need higher limits for production workloads.

Authentication Errors

If authentication fails, the API returns a 401 status:
401 Unauthorized
{
  "error": "authentication_error",
  "message": "Invalid or missing API key.",
  "details": null
}
Common causes:
  • Missing Authorization header or invalid Bearer token format
  • Invalid or revoked API key
  • Using a test key against production endpoints (or vice versa)