Authentication

Every Sovera request is authenticated with an API key sent as a bearer token. Keys are scoped deny-by-default, so a key can only call the endpoints its scopes explicitly allow. There is one key per organization.

Bearer keys

Send your key in the Authorization header on every request. Live keys start with svk_live_ and test keys start with svk_test_.

Authorization header

Authorization: Bearer svk_live_xxxxxxxxxxxxxxxxxxxxxxxx
POST
/v1/verify/liveness
curl -X POST https://verify.lioncapventures.com/v1/verify/liveness \
  -H "Authorization: Bearer svk_live_xxxxxxxxxxxxxxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{"image":"<base64>"}'

If the key is missing or malformed, Sovera returns 401. If the key is valid but lacks the scope for that endpoint, it returns 403. Both use the application/problem+json body described in Errors.

Scopes

Scopes are deny-by-default. A key holds only the scopes it was issued with, and a call to an endpoint outside those scopes is rejected with 403 before any processing happens.

  • Name
    verify:liveness
    Type
    scope
    Description

    Call POST /v1/verify/liveness and the active-liveness endpoints.

  • Name
    verify:facematch
    Type
    scope
    Description

    Call POST /v1/verify/face-match and the combined POST /v1/verify.

  • Name
    verify:document
    Type
    scope
    Description

    Call POST /v1/verify/document.

  • Name
    verify:aml
    Type
    scope
    Description

    Call POST /v1/verify/aml.

  • Name
    verify:idvalidate
    Type
    scope
    Description

    Call POST /v1/verify/id-validate.

  • Name
    sessions:read
    Type
    scope
    Description

    Read sessions: GET /v1/sessions/{id} and GET /v1/sessions/{id}/report.

  • Name
    sessions:write
    Type
    scope
    Description

    Create, cancel, and manage sessions: POST /v1/sessions and POST /v1/sessions/{id}/cancel.

  • Name
    consent:write
    Type
    scope
    Description

    Record and revoke consent, and erase subjects.

  • Name
    templates:write
    Type
    scope
    Description

    Manage verification templates.

Request only the scopes your integration needs. If a server-side worker only creates sessions and reads reports, issue a key with sessions:write and sessions:read and nothing else.

Key handling

  • Shown once. A key's plaintext value is returned only at creation. Sovera stores a SHA-256 hash, not the key itself, so it cannot show the value again. Store it in a secret manager, never in source control.
  • One key per organization. Keys are scoped to an organization. Rotate by issuing a new key and retiring the old one.
  • Test vs live. Use svk_test_ keys against test data while you build, and switch to svk_live_ for production.

Was this page helpful?