API Key Authentication
All requests to the Verilock API must include your API key in the Authorization header as a Bearer token.
Keep your API keys secure. Never expose keys in client-side code, public repositories, or browser requests. All API calls must originate from your backend server.
Authorization: Bearer qi_live_your_api_key_here
Content-Type: application/json
Accept: application/json
curl -X GET \
"https://verilock.io/api/v1/sessions" \
-H "Authorization: Bearer qi_live_your_api_key_here" \
-H "Accept: application/json"
$client = new \GuzzleHttp\Client();
$response = $client->get(
'https://verilock.io/api/v1/sessions',
['headers' => [
'Authorization' => 'Bearer qi_live_your_api_key_here',
'Accept' => 'application/json',
]]
);
import requests
response = requests.get(
"https://verilock.io/api/v1/sessions",
headers={
"Authorization": "Bearer qi_live_your_api_key_here",
"Accept": "application/json",
}
)
const response = await fetch("https://verilock.io/api/v1/sessions", {
headers: {
"Authorization": "Bearer qi_live_your_api_key_here",
"Accept": "application/json",
},
});
const data = await response.json();
Key Prefixes
| Prefix | Environment | Usage |
|---|
qi_live_ | Production | Live API requests with real data |
qi_test_ | Sandbox | Testing and development — no charges, simulated results |
Use qi_test_ keys during development. They return simulated verification results and are free to use.
Rate Limiting
API requests are rate limited per API key. Current limits are returned in response headers:
| Header | Description |
|---|
X-RateLimit-Limit | Maximum requests per minute |
X-RateLimit-Remaining | Remaining requests in current window |
Retry-After | Seconds until rate limit resets (only on 429) |
Default rate limit is 120 requests/minute per API key. Contact us if you need higher limits for production workloads.
Authentication Errors
If authentication fails, the API returns a 401 status:
{
"error": "authentication_error",
"message": "Invalid or missing API key.",
"details": null
}
Common causes:
- Missing
Authorization header or invalid Bearer token format
- Invalid or revoked API key
- Using a test key against production endpoints (or vice versa)