Authentication & security

Authenticate server-side requests without putting credentials at risk.

Overview

The API authenticates with an X-Api-Key header. Treat this key as a server-side secret: never embed it in browser JavaScript, a mobile application, a public repository, or an example committed to source control.

Store the key in your server environment as VERISTAGE_API_KEY. Requests are also isolated by tenant hostname; validate the hostname before accepting it from user input.

If a key is exposed, revoke and replace it immediately.

Next steps

Confirm your identity safely with the read-only GET /whoami endpoint.

On this page