Docs Authentication
Getting started

Authentication

Every API request must include your API key. Here is how to get one, store it safely, and use it correctly.

Getting your API key

Email hello@tryswiftproof.com with your project name and a brief description of your use case. We provision keys manually so we can ensure the right rate limits and permissions for your integration. Expect a response within one business day.

You will receive two keys: a live key (sp_live_...) for production and a test key (sp_test_...) for development. Test keys create chains that appear in your dashboard but never send real notifications.

Using your API key

Pass your key as a Bearer token in the Authorization header on every request.

HTTP
Authorization: Bearer sp_live_your_key_here
Content-Type: application/json

With the JavaScript SDK, pass the key once at initialisation — the SDK handles the header automatically.

JavaScript
import { SwiftProof } from 'swiftproof';

const sp = new SwiftProof({
  apiKey: process.env.SWIFTPROOF_API_KEY,
});

Storing your key safely

Never expose your API key client-side. Do not include it in browser JavaScript, mobile app bundles, or public repositories. Always call the SwiftProof API from your backend.

Store your key as an environment variable and load it at runtime.

.env
SWIFTPROOF_API_KEY=sp_live_your_key_here
.gitignore
.env
.env.local
.env.production

Key rotation

If your key is compromised, email hello@tryswiftproof.com immediately. We will revoke the old key and issue a new one. Existing chains are not affected — they remain valid and verifiable.

Error responses

StatusCodeMeaning
401unauthorizedMissing or malformed Authorization header.
403forbiddenValid key but insufficient permissions for this action.
429rate_limitedToo many requests. See rate limiting below.

Rate limiting

The default rate limit is 100 requests per minute per API key. If you exceed this, requests return a 429 response with a Retry-After header indicating how many seconds to wait. Contact us if you need higher limits for your use case.