Authentication

Pass your key in the Authorization header:

Authorization: Bearer vsk_live_550e8400...

Never pass keys in query parameters — URLs are logged and cached.

• Live keys (vsk_live_*) — Production. Real checks. Billed.
• Test keys (vsk_test_*) — Sandbox. Mock results. Free.

1. Go to Dashboard → API Keys → click Rotate on the key
2. A new key is created and returned. Copy it immediately.
3. The old key stays active for 24 hours (grace period).
4. Update your application to use the new key.
5. After 24 hours, the old key is automatically revoked.

• Never expose API keys in client-side code or browser requests.
• Never commit keys to version control.
• Use environment variables to store keys.
• Rotate keys immediately if you suspect compromise.
• Use separate keys for production and development.