All of our API requests are authenticated by providing your API key in the headers.

"x-api-key": "your-key-here"

Verifying Provenance

API users NOT using the iPhone device will need to verify the provenance of the data returned by our API. This is to prevent man-in-the-middle and other attacks.

To do so they will receive a signature over the encoding of the some of the returned data (depends on the request)

To verify they will need to use TrustVault’s public key for the environment they are in:

Production Public Key


Sandbox Public Key


This keys can also be found on our postman docs

You can verify our Production Public Key by querying the dns TXT record.
This can be done using a command line tool like dig.

dig TXT

Example JavaScript code on verifying provenance for some requests will be given soon

Safely Storing your Instruction Key

Do not hard code your key in scripts or config files. We recommend you use products like AWS Key Management Service to safely manage your keys.