Authentication
Every Sovera request is authenticated with an API key sent as a bearer token. Keys are scoped deny-by-default, so a key can only call the endpoints its scopes explicitly allow. There is one key per organization.
Bearer keys
Send your key in the Authorization header on every request. Live keys start with svk_live_ and test keys start with svk_test_.
Authorization header
Authorization: Bearer svk_live_xxxxxxxxxxxxxxxxxxxxxxxx
curl -X POST https://verify.lioncapventures.com/v1/verify/liveness \
-H "Authorization: Bearer svk_live_xxxxxxxxxxxxxxxxxxxxxxxx" \
-H "Content-Type: application/json" \
-d '{"image":"<base64>"}'
If the key is missing or malformed, Sovera returns 401. If the key is valid but lacks the scope for that endpoint, it returns 403. Both use the application/problem+json body described in Errors.
Scopes
Scopes are deny-by-default. A key holds only the scopes it was issued with, and a call to an endpoint outside those scopes is rejected with 403 before any processing happens.
- Name
verify:liveness- Type
- scope
- Description
Call
POST /v1/verify/livenessand the active-liveness endpoints.
- Name
verify:facematch- Type
- scope
- Description
Call
POST /v1/verify/face-matchand the combinedPOST /v1/verify.
- Name
verify:document- Type
- scope
- Description
Call
POST /v1/verify/document.
- Name
verify:aml- Type
- scope
- Description
Call
POST /v1/verify/aml.
- Name
verify:idvalidate- Type
- scope
- Description
Call
POST /v1/verify/id-validate.
- Name
sessions:read- Type
- scope
- Description
Read sessions:
GET /v1/sessions/{id}andGET /v1/sessions/{id}/report.
- Name
sessions:write- Type
- scope
- Description
Create, cancel, and manage sessions:
POST /v1/sessionsandPOST /v1/sessions/{id}/cancel.
- Name
consent:write- Type
- scope
- Description
Record and revoke consent, and erase subjects.
- Name
templates:write- Type
- scope
- Description
Manage verification templates.
Request only the scopes your integration needs. If a server-side worker only creates sessions and reads reports, issue a key with sessions:write and sessions:read and nothing else.
Key handling
- Shown once. A key's plaintext value is returned only at creation. Sovera stores a SHA-256 hash, not the key itself, so it cannot show the value again. Store it in a secret manager, never in source control.
- One key per organization. Keys are scoped to an organization. Rotate by issuing a new key and retiring the old one.
- Test vs live. Use
svk_test_keys against test data while you build, and switch tosvk_live_for production.
Never send an API key from a browser or mobile client. Call Sovera from your backend, or use a verification session whose short-lived clientToken is safe to hand to a capture front end.