Authentication

The Attestation API authenticates Relying Parties with API keys. Every request to /api/* must carry a valid key — unauthenticated requests are rejected before reaching any business logic.

API key format

API keys have the form:

xma_[random-key]

Sending the key

Pass the key in the X-Api-Key HTTP header on every request:

Example request:

POST /api/v1/attestation/init HTTP/1.1
Host: attestation.example.com
Accept: application/json
X-Api-Key: xma_SampleKey

The same request with curl:

curl https://attestation.example.com/api/v1/attestation/init \
  --request POST \
  --header 'Accept: application/json' \
  --header 'X-Api-Key: xma_SampleKey'

The header name is case-insensitive but X-Api-Key is the canonical form used in examples and SDKs.

Authentication failures

Condition                                             Response
Missing X-Api-Key header                              401 Unauthorized
Header present but key invalid, unknown, or revoked   403 Forbidden

Beyond the 401/403 split, failure responses do not disclose why authentication failed: a malformed, unknown, and revoked key all produce the same generic 403, so a caller cannot use the response to probe which keys exist or which have been revoked. The specific reason is recorded in server-side logs for the operator to investigate.
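The following is an added example, not code from the Attestation API itself, showing how a server-side gate can implement the rules above: case-insensitive header lookup, 401 for a missing header, 403 for anything presented that does not check out, a generic client-facing body, and the real reason going only to the log. It assumes the deployment keeps a SHA-256 fingerprint of each issued key rather than the key (consistent with keys not being stored in the environment); the KeyRecord/AuthResult types, the SAMPLE_STORE entries, and the xma_RetiredKey / xma_NotIssued values are constructed for the example.

```python
import hashlib
import hmac
import logging
from dataclasses import dataclass
from typing import Mapping, Optional, Sequence

log = logging.getLogger("attestation.auth")

KEY_PREFIX = "xma_"
HEADER_NAME = "x-api-key"  # HTTP header names are case-insensitive


@dataclass(frozen=True)
class KeyRecord:
    """One issued key. Only its SHA-256 fingerprint is kept, never the key itself (assumption)."""
    fingerprint: str
    relying_party: str
    revoked: bool = False


def fingerprint(api_key: str) -> str:
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


# Constructed sample key store for the example.
SAMPLE_STORE: Sequence[KeyRecord] = (
    KeyRecord(fingerprint("xma_SampleKey"), "rp-alpha"),
    KeyRecord(fingerprint("xma_RetiredKey"), "rp-beta", revoked=True),
)


@dataclass(frozen=True)
class AuthResult:
    status: int                   # 200 when authenticated, otherwise 401 or 403
    body: dict                    # what the client receives: generic, no reason
    relying_party: Optional[str]  # set only on success
    log_reason: str               # what the operator sees in the server log


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup, so x-api-key and X-Api-Key both work."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def authenticate(headers: Mapping[str, str], store: Sequence[KeyRecord] = SAMPLE_STORE) -> AuthResult:
    presented = get_header(headers, HEADER_NAME)
    if presented is None:
        # Header absent: the client did not attempt to authenticate at all.
        return AuthResult(401, {"error": "unauthorized"}, None, "missing X-Api-Key header")

    forbidden = {"error": "forbidden"}
    presented = presented.strip()
    if not presented.startswith(KEY_PREFIX):
        # Present but malformed: same 403 as unknown/revoked, reason only in the log.
        return AuthResult(403, forbidden, None, "malformed key (missing xma_ prefix)")

    fp = fingerprint(presented)
    for record in store:
        # compare_digest keeps the fingerprint comparison constant-time.
        if hmac.compare_digest(fp, record.fingerprint):
            if record.revoked:
                return AuthResult(403, forbidden, None, f"revoked key for {record.relying_party}")
            return AuthResult(200, {}, record.relying_party, f"authenticated {record.relying_party}")
    return AuthResult(403, forbidden, None, "unknown key")


def handle(headers: Mapping[str, str], store: Sequence[KeyRecord] = SAMPLE_STORE) -> tuple:
    """Gate run before any business logic: logs the reason, returns only status and generic body."""
    result = authenticate(headers, store)
    if result.status != 200:
        log.warning("authentication failure: %s", result.log_reason)
    return result.status, result.body


if __name__ == "__main__":
    print(handle({"Accept": "application/json"}))                      # (401, {'error': 'unauthorized'})
    print(handle({"X-Api-Key": "xma_SampleKey"}))                       # (200, {})
    print(handle({"x-api-key": "xma_RetiredKey"}))                      # (403, {'error': 'forbidden'})
```

Note that the lookup walks the whole store rather than indexing a dict by fingerprint; with a handful of keys that is cheap, and it keeps the per-candidate comparison constant-time. In a real deployment the store would be a database query against the fingerprint column.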

Obtaining a key

API keys are issued by the operator of the Attestation API deployment. Actual keys are not stored anywhere in the Attestation API environment.