Authentication
The following guide demonstrates how to authenticate API requests properly.
All Enterprise API endpoints require secure authentication. Use API keys for programmatic access; multi-factor sign-in is recommended for console access.
Headers
HTTP headers are key-value pairs sent with API requests that provide metadata about the request. In authentication, headers carry credentials like API keys. covosign supports two header formats: a custom 'X-API-Key' header for direct key inclusion, and the standard 'Authorization: Bearer' header commonly used in REST APIs. The custom header is recommended for its clarity and security in server-side applications.
Custom Header (Recommended)
Use for server-to-server calls. Keep keys secret and scoped.
X-API-Key: csk_live_...
Standard Header
Bearer tokens are supported for clients that prefer standard auth headers.
Authorization: Bearer csk_live_...
Authentication Flow
API key is recognized and active. Request proceeds to business logic.
API key missing, invalid, or expired. Returns 401 Unauthorized.
Client Implementation
Implementing authentication in your client code involves setting the appropriate headers in HTTP requests. The examples below show how to construct headers in popular programming languages. Note that the API key should be stored securely (e.g., in environment variables) and never hardcoded or exposed in client-side code. The 'Content-Type' header specifies the format of the request body, typically JSON for API calls.
Node.js
const headers = {
  'Authorization': `Bearer ${apiKey}`,
  'Content-Type': 'application/json'
};

Python
headers = {
    "Authorization": f"Bearer {self.api_key}",
    "Content-Type": "application/json"
}

Java
HttpHeaders headers = new HttpHeaders();
headers.set("Authorization", "Bearer " + apiKey);
headers.set("Content-Type", "application/json");

Bash
curl -H "Authorization: Bearer ${API_KEY}" \
     -H "Content-Type: application/json" \
     https://api.covosign.com/api/v1/endpoint
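
The guidance in Client Implementation above, as an added example that is not covosign's own code: a Python helper that reads the key from an environment variable, builds either header format, refuses non-HTTPS URLs, redacts credentials for logging, and maps a 401 response to an error. The variable name COVOSIGN_API_KEY, the POST method, and the JSON response body are assumptions.

```python
import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

ENV_VAR = "COVOSIGN_API_KEY"  # assumed variable name, not from the covosign docs

class AuthError(Exception):
    """Raised when the key is unusable or the API answers 401."""

def load_api_key(environ=os.environ):
    key = environ.get(ENV_VAR, "").strip()
    # Reject empty keys and anything that could split a header line (CR/LF, controls).
    if not key or any(c.isspace() or not c.isprintable() for c in key):
        raise AuthError(f"{ENV_VAR} is unset or malformed")
    return key

def auth_headers(api_key, scheme="x-api-key"):
    if scheme == "x-api-key":      # custom header (recommended above)
        cred = {"X-API-Key": api_key}
    elif scheme == "bearer":       # standard header
        cred = {"Authorization": f"Bearer {api_key}"}
    else:
        raise ValueError(f"unknown scheme: {scheme}")
    return {**cred, "Content-Type": "application/json"}

def redact(headers):
    """Return a copy of the headers that is safe to write to logs."""
    secret = {"x-api-key", "authorization"}
    return {k: "[redacted]" if k.lower() in secret else v for k, v in headers.items()}

def build_request(url, api_key, payload, scheme="x-api-key"):
    # Never put the key on the wire in cleartext.
    if urlsplit(url).scheme != "https":
        raise AuthError("refusing to send API key over a non-HTTPS URL")
    body = json.dumps(payload).encode()
    return urllib.request.Request(url, data=body, method="POST",  # POST is assumed
                                  headers=auth_headers(api_key, scheme))

def send(request):
    # Assumes the endpoint answers with a JSON body.
    try:
        with urllib.request.urlopen(request, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 401:        # key missing, invalid, or expired
            raise AuthError("401 Unauthorized: check or rotate the API key") from None
        raise
```

Log `redact(headers)` rather than the raw header dict, so the key never reaches log files or error reports.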