Authentication

Learn how to authenticate your API requests to ConsentProof.

Overview

ConsentProof uses API key authentication for all API requests. Each request carries your API key in a request header and is signed with your API secret; the secret itself is never sent.

API Key

Public identifier for your application

API Secret

Private key for signing requests

Creating API Keys

To create an API key:

  1. Log in to your ConsentProof dashboard
  2. Navigate to Settings → API Keys
  3. Click Create New Key
  4. Give your key a descriptive name (e.g., "Production Server")
  5. Copy both the API key and secret immediately

Important Security Notice

Your API secret is only shown once when created. Store it securely immediately. If you lose it, you'll need to create a new API key.

Making Authenticated Requests

ConsentProof uses HMAC SHA-256 signatures for authentication. Every request requires three authentication headers plus a Content-Type header:

Required Headers

Header          Description                                  Required
X-API-Key       Your API key from the dashboard              Yes
X-Timestamp     Current Unix timestamp in milliseconds       Yes
X-Signature     HMAC SHA-256 signature of the request        Yes
Content-Type    Must be application/json                     Yes

Signature Generation

To generate the signature, create a payload string and sign it with HMAC SHA-256:

Generate signature (JavaScript)

const crypto = require('crypto');

const apiSecret = 'your_api_secret_here';  // Private signing key; the public API key goes in the X-API-Key header, not here

const method = 'POST';  // HTTP method (uppercase)
const path = '/api/v1/policies';  // Request path
const timestamp = Date.now().toString();  // Current Unix timestamp in milliseconds
const body = JSON.stringify({ /* request fields */ });  // Exact request body as sent (or empty string for GET)

// Create payload: METHOD|PATH|TIMESTAMP|BODY
const payload = `${method}|${path}|${timestamp}|${body}`;

// Sign the payload with the API secret using HMAC SHA-256
const signature = crypto
  .createHmac('sha256', apiSecret)
  .update(payload)
  .digest('hex');

Complete Example

Authenticated request (JavaScript)

const crypto = require('crypto');
const axios = require('axios');

const apiKey = 'your_api_key_here';        // Public identifier, sent in X-API-Key
const apiSecret = 'your_api_secret_here';  // Private signing key, used only to compute X-Signature
const method = 'GET';
const path = '/api/v1/policies';
const timestamp = Date.now().toString();  // Unix timestamp in milliseconds
const body = '';  // Empty for GET requests

// Payload: METHOD|PATH|TIMESTAMP|BODY, signed with the API secret
const payload = `${method}|${path}|${timestamp}|${body}`;
const signature = crypto
  .createHmac('sha256', apiSecret)
  .update(payload)
  .digest('hex');

axios.get('https://api.consentproof.io/api/v1/policies', {
  headers: {
    'Content-Type': 'application/json',
    'X-API-Key': apiKey,
    'X-Timestamp': timestamp,
    'X-Signature': signature
  }
}).then(res => console.log(res.data));

Authentication Errors

If authentication fails, you'll receive one of these error responses:

401 Unauthorized

Missing or invalid API key/secret

{
  "success": false,
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Invalid API key or secret"
  }
}

403 Forbidden

API key doesn't have permission for this action

{
  "success": false,
  "error": {
    "code": "FORBIDDEN",
    "message": "API key does not have permission for this action"
  }
}

Security Best Practices

  • Use environment variables

    Never hardcode API keys in your source code

  • Rotate keys regularly

    Create new keys and revoke old ones periodically

  • Use separate keys per environment

    Create different keys for development, staging, and production

  • Never expose keys in client-side code

    API calls should always be made from your server