Authentication & security
Authenticate server-side requests without putting credentials at risk.
Overview
The API authenticates with an X-Api-Key header. Treat this key as a server-side secret: never embed it in browser JavaScript, a mobile application, a public repository, or an example committed to source control.
Store the key in your server environment as VERISTAGE_API_KEY. Requests are also isolated by tenant hostname; validate the hostname before accepting it from user input.
If a key is exposed, revoke and replace it immediately.
Next steps
Confirm your identity safely with the read-only GET /whoami endpoint.