Authentication and API Key management
How Truework Authenticates API requests
Truework authenticates requests to our API using API Keys and Publishable Keys. If the required authentication token is not included with a request or is revoked, the request will return an error.
API Keys are generated using Python’s built-in secrets library, which draws the bytes of the key from a cryptographically secure random source. Each API Key is generated from at least 32 random bytes, though this number may increase without notice in the future.
An API Key is used to create verification requests, view the results of completed reports, cancel a verification request, and create internal API dashboards. API Keys should be kept secret, and should not be checked into version control. If you suspect an API key has been compromised, you should revoke that API key and immediately create a new one.
For those using the Truework Direct order endpoint, a Publishable Key is also required. A Publishable Key is used to initialize the Truework.js widget and support co-branding. This key type is not meant to be secret, so you can safely include the Publishable Key in public-facing code, like JavaScript/HTML.
API and Publishable Key management
Creating an API key
To create an API key:
- Navigate to developer settings in the Truework app
- Under the “API” header scroll down to the “Sandbox” or “Production” card, depending on the environment you are generating the key for, and expand the API Key section by clicking the “Edit” button.
- Optionally, enter a description for the key, and click “Generate”.
The API key you created will appear in the card as a urlsafe string that begins with the prefix tw_sk_test_ in Sandbox and tw_sk_ in Production.
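The documented prefixes make it possible to check mechanically that API Keys are not committed to version control. The scanner below is an added example, not Truework's code; it assumes the secret part of a key is unpadded URL-safe base64 (43 characters for the 32-byte minimum), and the function names and pre-commit usage are illustrative.

```python
"""Scan files for Truework API keys before they reach version control."""
import re
import sys

# Assumption: the secret part is unpadded URL-safe base64, so the documented
# minimum of 32 random bytes encodes to 43 characters. Longer keys still match.
MIN_SECRET_CHARS = 43
KEY_RE = re.compile(
    r"(?<![A-Za-z0-9_-])tw_sk_(test_)?[A-Za-z0-9_-]{%d,}" % MIN_SECRET_CHARS
)


def find_keys(text):
    """Return (line_number, environment, redacted_key) for each key in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            sandbox = match.group(1) is not None
            prefix = "tw_sk_test_" if sandbox else "tw_sk_"
            # Never echo the secret itself into logs or CI output.
            hidden = len(match.group(0)) - len(prefix)
            redacted = "%s<%d chars redacted>" % (prefix, hidden)
            env = "sandbox" if sandbox else "production"
            findings.append((lineno, env, redacted))
    return findings


def scan_files(paths):
    """Scan each path; return the number of keys found across all files."""
    total = 0
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as handle:
                text = handle.read()
        except OSError as exc:
            print("%s: skipped (%s)" % (path, exc), file=sys.stderr)
            continue
        for lineno, env, redacted in find_keys(text):
            print("%s:%d: Truework %s API key %s" % (path, lineno, env, redacted))
            total += 1
    return total


if __name__ == "__main__":
    # Pre-commit usage: pass the staged file names as arguments; a non-zero
    # exit status blocks the commit.
    sys.exit(1 if scan_files(sys.argv[1:]) else 0)
```

A key that this check finds in a commit or in repository history should be treated as compromised and revoked, as described above.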
Creating a Publishable key
To create a Publishable key:
- Navigate to developer settings in the Truework app
- Under the “Publishable Key” header scroll down to the “Sandbox” or “Production” card, depending on the environment you are generating the key for, and expand the Publishable Key section by clicking the “Edit” button.
- Optionally enter a description for the key, and click “Generate”.
The Publishable Key you created will appear in the card above.
Revoking an API or Publishable Key
To revoke an API or Publishable Key, simply click the “Revoke” button next to the key you wish to revoke. Make sure your key is not in use before revoking it, as any request using the key will return errors once it is revoked and there’s no way to undo this action.
Have questions?
Not a problem. Email us at implementations@truework.com.