API Key Authentication
All server-side API calls use HTTP Basic Auth with your API Key and API Secret.
curl -X POST https://ivs.idenfy.com/api/v2/token \
-u "YOUR_API_KEY:YOUR_API_SECRET" \
-H "Content-Type: application/json" \
-d '{"clientId": "user-123"}'
import requests
response = requests.post(
"https://ivs.idenfy.com/api/v2/token",
auth=("YOUR_API_KEY", "YOUR_API_SECRET"),
json={"clientId": "user-123"}
)
const response = await fetch("https://ivs.idenfy.com/api/v2/token", {
method: "POST",
headers: {
"Content-Type": "application/json",
Authorization: "Basic " + Buffer.from("YOUR_API_KEY:YOUR_API_SECRET").toString("base64"),
},
body: JSON.stringify({ clientId: "user-123" }),
});
$ch = curl_init("https://ivs.idenfy.com/api/v2/token");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_USERPWD, "YOUR_API_KEY:YOUR_API_SECRET");
curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json"]);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode(["clientId" => "user-123"]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = json_decode(curl_exec($ch), true);
The Authorization header is: Basic base64(API_KEY:API_SECRET)
Get Your Keys
- Log in to iDenfy Dashboard
- Go to Settings → API Keys
- Select Generate
Detailed guide →
Two Types of Auth
| Auth type | Used for | Where |
|---|
| Basic Auth (API Key + Secret) | All server-side API calls | Your backend only |
| authToken | Client-side verification UI | iFrame, redirect, mobile SDK |
The flow:
Backend (Basic Auth) → POST /api/v2/token → returns authToken
Frontend (authToken) → Verification UI → results via webhook to backend
The authToken is short-lived and scoped to one verification. It’s safe to pass to the client.
Never expose your API Secret in client-side code — browser JavaScript, mobile apps, or public repos. Use it only on your server.