# Authentication

> Authenticate with the iDenfy API using HTTP Basic Auth with your API key and secret. Includes code examples in cURL, Python, Node.js, and PHP.

## API Key Authentication

All server-side API calls use **HTTP Basic Auth** with your API Key and API Secret.

<CodeGroup>
  ```bash cURL theme={"system"}
  curl -X POST https://ivs.idenfy.com/api/v2/token \
    -u "YOUR_API_KEY:YOUR_API_SECRET" \
    -H "Content-Type: application/json" \
    -d '{"clientId": "user-123"}'
  ```

  ```python Python theme={"system"}
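  import requests

  # requests builds the Basic Auth header from the (key, secret) tuple
  response = requests.post(
      "https://ivs.idenfy.com/api/v2/token",
      auth=("YOUR_API_KEY", "YOUR_API_SECRET"),
      json={"clientId": "user-123"},
      timeout=10,  # do not hang indefinitely on a stalled connection
  )
  response.raise_for_status()  # surface 4xx/5xx instead of continuing silently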
  ```

  ```javascript Node.js theme={"system"}
  const response = await fetch("https://ivs.idenfy.com/api/v2/token", {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      Authorization: "Basic " + Buffer.from("YOUR_API_KEY:YOUR_API_SECRET").toString("base64"),
    },
    body: JSON.stringify({ clientId: "user-123" }),
  });
  ```

  ```php PHP theme={"system"}
  $ch = curl_init("https://ivs.idenfy.com/api/v2/token");
  curl_setopt($ch, CURLOPT_POST, true);
  curl_setopt($ch, CURLOPT_USERPWD, "YOUR_API_KEY:YOUR_API_SECRET");
  curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json"]);
  curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode(["clientId" => "user-123"]));
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  $response = json_decode(curl_exec($ch), true);
  ```
</CodeGroup>

The `Authorization` header is: `Basic base64(API_KEY:API_SECRET)`

## Get Your Keys

1. Log in to [iDenfy Dashboard](https://admin.idenfy.com)
2. Go to **Settings → API Keys**
3. Select **Generate**

[Detailed guide →](/guides/dashboard/settings/api-keys)

## Two Types of Auth

| Auth type                         | Used for                    | Where                        |
| --------------------------------- | --------------------------- | ---------------------------- |
| **Basic Auth** (API Key + Secret) | All server-side API calls   | Your backend only            |
| **authToken**                     | Client-side verification UI | iFrame, redirect, mobile SDK |

The flow:

```
Backend (Basic Auth) → POST /api/v2/token → returns authToken
Frontend (authToken) → Verification UI     → results via webhook to backend
```

The `authToken` is short-lived and scoped to one verification. It's safe to pass to the client.

<Warning>
  **Never expose your API Secret in client-side code** — browser JavaScript, mobile apps, or public repos. Use it only on your server.
</Warning>
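
The flow above as backend code, added here as an example (not iDenfy's own code): credentials are read from the environment variables `IDENFY_API_KEY` and `IDENFY_API_SECRET` (hypothetical names), and the browser receives only the `authToken` field. That the token response carries the token under the key `authToken` is an assumption based on the flow shown on this page.

```python
import base64
import json
import os
import urllib.request

TOKEN_URL = "https://ivs.idenfy.com/api/v2/token"  # endpoint from this page


def basic_auth_header(api_key: str, api_secret: str) -> str:
    """Build the header value: Basic base64(API_KEY:API_SECRET)."""
    raw = f"{api_key}:{api_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(client_id: str, env=os.environ) -> urllib.request.Request:
    """Server-side only: credentials come from the environment, never from source."""
    # IDENFY_API_KEY / IDENFY_API_SECRET are hypothetical variable names.
    try:
        key, secret = env["IDENFY_API_KEY"], env["IDENFY_API_SECRET"]
    except KeyError as missing:
        # Fail closed, and keep any credential value out of the error text.
        raise RuntimeError(f"missing credential {missing}") from None
    return urllib.request.Request(
        TOKEN_URL,
        data=json.dumps({"clientId": client_id}).encode("utf-8"),
        headers={
            "Authorization": basic_auth_header(key, secret),
            "Content-Type": "application/json",
        },
        method="POST",
    )


def client_payload(token_response: dict) -> dict:
    """Return only what the frontend needs; every other field stays on the server."""
    # Assumption: the token is returned under the key "authToken".
    return {"authToken": token_response["authToken"]}


def create_session(client_id: str, opener=urllib.request.urlopen) -> dict:
    """Request a token with Basic Auth and hand the client the authToken only."""
    with opener(build_token_request(client_id), timeout=10) as resp:
        return client_payload(json.load(resp))
```

Call `create_session()` from the backend route that starts a verification and return its result as the JSON response to the browser or mobile app.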
