For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
  • Getting Started
    • Introduction
    • How Verifa Works
    • Quickstart
    • Choosing an Integration Method
  • Use Cases
    • KYC Onboarding
    • Age Verification
    • AML Compliance
    • Fraud Prevention
    • Marketplace Trust & Safety
  • Core Concepts
    • Overview
    • Sessions
    • Verifications & Checks
    • Workflows
    • Identities
    • Cases
    • Screening & Reports
    • Lists
  • Integration Guides
    • Overview
    • JavaScript SDK
    • Web Capture Flow
    • API-Only Integration
    • Mobile SDK
    • Webhooks Guide
    • MCP Server
    • Migrating from Persona
  • API Details
    • Overview
    • Authentication
    • Pagination
    • Rate Limiting
    • Versioning
    • Errors
    • Webhooks
    • Idempotency
    • Key Inflection
    • Data Access
    • Data Retention
  • Tutorials
    • Creating Your First Verification Session
    • Creating a Workflow
    • Receiving Webhooks & Validating Signatures
    • Handling Webhook Events
    • Custom Document Types & AI Extraction
  • Best Practices
    • Testing
    • Preventing Duplicates
    • Fraud Signals
    • Changelog
  • API Reference
On this page
  • Key types
  • Secret keys (default)
  • Scopes
  • Default scopes
  • Opt-in scopes
  • Identity, case, and screening operations
  • Configuration & integrations
  • Smart QA & consortium
  • Data deletion (irreversible)
  • Backward compatibility
  • Security best practices
  • Dashboard session refresh
  • SAML IdP-initiated sign-in
  • IP allowlisting
  • Error responses
  • Related
API Details

Authentication

Was this page helpful?
Previous

Pagination

Next
Built with

All API requests are authenticated using API keys passed in the X-API-Key header.

$curl https://api.withverifa.com/api/v1/sessions \
>  -H "X-API-Key: vk_live_your_key_here"

Key types

Verifa supports two types of API keys:

Secret keys (default)

Secret keys are used for server-side API calls. They have full access to your configured scopes and should never be exposed in client-side code.

EnvironmentPrefixExample
Productionvk_live_vk_live_abc123def456...
Sandboxvk_sandbox_vk_sandbox_abc123def456...

A sandbox key can only access sandbox resources, and a live key can only access live resources.

Scopes

Each API key is granted a set of scopes that control which endpoints it can access. Scopes follow the resource:action pattern.

Default scopes

These scopes are granted to all new API keys at creation time:

ScopeDescription
sessions:readView and list verification sessions
sessions:createCreate verification sessions
sessions:writeUpdate, expire, resume, and reprocess sessions
verifications:readView verification results and documents
documents:readView and list documents
documents:writeUpload documents to a session
screening:readView screening records and hits
screening:writeTrigger AML rescreens
checks:readView screening checks and hits
checks:writeCreate, re-run, and tag screening checks
identities:readView verified identity records
workflows:readView workflows and workflow runs

Opt-in scopes

These scopes must be explicitly added when creating or editing an API key. They’re not granted by default. The “Provision an API key” deep-link on the AI Integrations dashboard page can pre-fill the right set for a given MCP connection.

Identity, case, and screening operations

ScopeDescription
sessions:external-decisionSubmit external-gate decisions for paused workflows
identities:writeTag identities, manage blocklist entries, modify identity metadata
cases:readView and list review cases
cases:writeClaim, release, assign, and comment on review cases
cases:decideApprove, reject, or escalate a review case
review:writeCorrect extracted PII on a case under review
workflows:writeCreate, update, and manage workflows
workflows:triggerRe-run a workflow on an existing session

Configuration & integrations

ScopeDescription
settings:writeManage identity types, relationship types, document types, document groups, document fingerprints, custom-field schemas
integrations:readView third-party integrations (Slack, Teams, Salesforce, ServiceNow, Asana, Monday)
integrations:writeConnect, configure, test, and disconnect third-party integrations
webhooks:readView webhook endpoints and recent deliveries
webhooks:writeCreate, update, and archive webhook endpoints
api_keys:readView this organization’s API keys (metadata only)
api_keys:writeCreate, update, and revoke API keys
audit_logs:readAccess the organization audit log

Smart QA & consortium

ScopeDescription
audit:readView Smart QA audit findings and statistics
audit:writeAcknowledge and dismiss audit findings
consortium:readView consortium memberships and cross-org matches
consortium:writeInvestigate and resolve consortium matches
consortium:manageChange this organization’s consortium sharing policy

Data deletion (irreversible)

ScopeDescription
redact:writePermanently delete personal data (GDPR Art. 17): redact sessions, identities, checks; delete blocklist rows. Irreversible. Never granted by default and never available on publishable keys. Required to invoke any MCP destructive tool.

Backward compatibility

Several endpoints accept either the new specific scope or the older broad scope it was split from. Keys minted before the scope split keep working unchanged, and integrations can migrate at their own pace. A non-exhaustive list:

EndpointAccepted scopes (any one)
DELETE /sessions/{id}/dataredact:write OR sessions:write
POST /sessions/bulk-redactredact:write OR sessions:write
DELETE /identities/{id}/dataredact:write OR identities:write
POST /checks/{id}/redactredact:write OR checks:write OR screening:write
DELETE /documents/{id} (GDPR redact)redact:write OR documents:write
DELETE /blocklist/{id}redact:write OR identities:write
POST /cases/{id}/approve|reject|escalatecases:decide OR cases:write
POST /workflows/{id}/triggerworkflows:trigger OR workflows:write
POST/PATCH/DELETE /identity-types, /relationship-types, /document-types, /document-groups, custom-field schemas, document fingerprintssettings:write OR the per-resource :write

We recommend pinning new keys to the specific scope rather than the broad one, so future endpoint additions don’t quietly inherit access.

Security best practices

  • Never expose secret keys in client-side code. Keep secret keys on your server.
  • Use separate keys for sandbox and production. This prevents test data from mixing with live verifications.
  • Rotate keys periodically. Create a new key, migrate your integration, then revoke the old key.
  • Use the minimum scopes required. Only grant management scopes to keys that need them.

Dashboard session refresh

Dashboard sessions are cookie-based (vk_org_token, 8h). The dashboard extends an active session by calling:

POST /api/v1/auth/refresh

This endpoint is used internally by the dashboard SPA and isn’t required for server-to-server API access (which uses X-API-Key).

SAML IdP-initiated sign-in

SAML SP-initiated sign-in (the user starts at Verifa and is redirected to their IdP) is enabled by default for SSO-configured organizations.

SAML IdP-initiated sign-in (the user launches Verifa from an Okta or Azure AD tile) is opt-in per organization and disabled by default. Contact support to enable it for your org.

IP allowlisting

For additional security, you can restrict API key usage to specific IP addresses or CIDR ranges. Contact support to configure IP allowlisting for your organization.

Error responses

If the API key is missing or invalid, the API returns 401 Unauthorized:

1{
2  "error": "unauthorized",
3  "detail": "Invalid or missing API key.",
4  "status_code": 401
5}

If the key lacks the required scope for an endpoint, the API returns 403 Forbidden. The detail names every scope that would have allowed the call (multiple scopes are joined with ” or ”):

1{
2  "detail": "API key missing required scope: redact:write or sessions:write"
3}

Related

  • Errors — Full error response reference including 401 and 403
  • Rate Limiting — Plan-based rate limits per key
  • JavaScript SDK — Embedding the verification flow with verifa.js