
Veryfi API Keys

CLIENT_ID / USERNAME / API_KEY / CLIENT_SECRET

Updated over a week ago

4 credentials. Every API call secured.

CLIENT_ID | USERNAME | API_KEY | CLIENT_SECRET

What Are Veryfi API Keys?

To call the Veryfi API programmatically, every request must carry authentication credentials. They tell Veryfi who you are (the CLIENT-ID header), that you are authorized (the AUTHORIZATION header) and, optionally, that the request has not been tampered with (the X-Veryfi-Request-Signature header, computed with CLIENT_SECRET). All four credentials live in one place inside your portal.

Where to find keys

app.veryfi.com > Settings > Keys

Who can see keys

Admin users only (non-admins are restricted by default)

Full auth reference

docs.veryfi.com/api/getting-started/authentication

🔑 First time? Create a free account at app.veryfi.com/signup/api and your keys are generated automatically. No credit card required. Learn more

Where to Find Your Keys

Follow these three steps to locate all four credentials:

1

Log in to the Veryfi API Portal

Go to app.veryfi.com and sign in. New users can create a free account at app.veryfi.com/signup/api in under two minutes.

2

Navigate to Settings > Keys

In the left-hand sidebar, click Settings then select Keys.

Direct URL: app.veryfi.com/api/settings/keys

3

Copy all credentials

You will see CLIENT_ID, Username and API_KEY. Copy each one and store them securely; treat them like passwords. CLIENT_SECRET is shown only once, when it is generated in the portal, so save it at that point.

⚠️ Admin access required: Only Admin-level team members can view or share API Keys. If you cannot see the Keys page, contact your workspace Admin to be granted Admin permissions. Learn more

Credentials Explained

Each credential serves a distinct role.

CLIENT_ID

Header name: CLIENT-ID

Value format: vrfKOMO1x*******pdemo

Identifies your user account. Sent as a request header on every API call.

The CLIENT-ID header tells Veryfi which account is sending the request. It is not secret on its own, but it must always be present alongside the AUTHORIZATION header.

CLIENT-ID: "vrfKOMO1xSEM0AWNtKRpdemo"

USERNAME

Header name: Part of AUTHORIZATION header

Value format: username

Your Veryfi account username.

API_KEY

Header name: Part of AUTHORIZATION header

Value format: b11111111111111111a111111

Your secret API key.

USERNAME and API_KEY are combined into a single Authorization header using the format below:

AUTHORIZATION: "apikey USERNAME:API_KEY"

# Real example:

AUTHORIZATION: "apikey username:b11111111111111111a111111"

CLIENT_SECRET (optional)

Header name: Used to generate X-Veryfi-Request-Signature

Value format: Your private signing secret (shown once in the portal)

A shared secret known only to you and the Veryfi server. It is the HMAC-SHA256 key used to sign POST request payloads so that Veryfi can verify the request was not tampered with in transit. CLIENT_SECRET itself is never sent in a request; only the signature derived from it is.

When you send a POST request, you build a string from the Unix timestamp (in milliseconds) and the payload, compute HMAC-SHA256 over it with CLIENT_SECRET as the key, and base64-encode the result. The encoded value goes in the X-Veryfi-Request-Signature header and the timestamp in X-Veryfi-Request-Timestamp. Veryfi's server independently computes the same signature from the headers and body it received and compares the two. If they match and the timestamp is recent, the request is valid.

💡 Good news: When you use an official Veryfi SDK, the signing is handled automatically. You just pass CLIENT_SECRET to the SDK constructor and all signatures are generated for you. Learn more

How the Signature Works

The two signature-related headers required on signed requests are:

X-Veryfi-Request-Signature: "<base64 HMAC-SHA256 of payload+timestamp>"

X-Veryfi-Request-Timestamp: "<Unix timestamp in milliseconds>"

The signing flow in plain English:

  • Build the payload string: Concatenate timestamp and request body fields into a canonical string.

  • Sign it: Run HMAC-SHA256 using CLIENT_SECRET as the key.

  • Encode it: Base64-encode the raw bytes.

  • Send it: Include the encoded value in X-Veryfi-Request-Signature. Signatures expire after 30 minutes.

Python example (manual signing):

import base64, datetime, hashlib, hmac

# Timestamp in milliseconds since the Unix epoch (UTC), as the header expects.
dt = datetime.datetime.now(datetime.timezone.utc)
timestamp_ms = int(dt.timestamp() * 1000)
client_secret = "YOUR_CLIENT_SECRET"

# Minimal canonical string: the timestamp only. For a real request the body
# fields are appended to this string as described in the steps above.
payload_str = f"timestamp:{timestamp_ms}"
sig = hmac.new(
    bytes(client_secret, 'utf-8'),
    msg=bytes(payload_str, 'utf-8'),
    digestmod=hashlib.sha256
).digest()
signature = str(base64.b64encode(sig), 'utf-8').strip()

# Send `signature` in X-Veryfi-Request-Signature and `timestamp_ms` in X-Veryfi-Request-Timestamp.

📚 Full code samples: JavaScript, Python, Java, and Bash signing examples are in the Authentication docs. Learn more

Putting It All Together

Here is a complete request showing all headers assembled correctly:

POST https://api.veryfi.com/api/v8/partner/documents/

Headers:
CLIENT-ID: vrfKOMO1*****NtKRpdemo
AUTHORIZATION: apikey username:b11111111111111111a111111
X-Veryfi-Request-Timestamp: 1710000000000
X-Veryfi-Request-Signature: <your HMAC-SHA256 base64 signature>
Content-Type: application/json

Body:
{ "file_url": "https://cdn.veryfi.com/receipts/sample.jpg" }
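The following is an added example, not Veryfi's own code or SDK, that covers both the signing flow described in "How the Signature Works" and the assembled request above. It builds the canonical string, signs it, produces the full header set for a POST, and shows the check the receiving side performs: recompute the signature, compare it in constant time, and reject timestamps outside the 30-minute window. The canonical-string layout ("timestamp:<ms>" followed by ",field:value" for each body field, in order) is an assumption taken from the behaviour of the official Python SDK; confirm it against the Authentication docs before relying on it. The function names, SIGNATURE_TTL_MS, the symmetric time window in verify_signature and the placeholder credentials are illustrative.

```python
import base64
import hashlib
import hmac
import time

# Illustrative constant: the page states signatures expire after 30 minutes.
SIGNATURE_TTL_MS = 30 * 60 * 1000


def canonical_payload(timestamp_ms, body):
    """String that gets signed.

    Assumption: 'timestamp:<ms>' then ',key:value' per body field in insertion
    order (the layout used by Veryfi's official Python SDK). Verify against the
    Authentication docs.
    """
    parts = [f"timestamp:{timestamp_ms}"]
    parts.extend(f"{key}:{value}" for key, value in body.items())
    return ",".join(parts)


def sign(client_secret, timestamp_ms, body):
    """Base64-encoded HMAC-SHA256 of the canonical string, keyed by CLIENT_SECRET."""
    mac = hmac.new(
        client_secret.encode("utf-8"),
        canonical_payload(timestamp_ms, body).encode("utf-8"),
        hashlib.sha256,
    ).digest()
    return base64.b64encode(mac).decode("utf-8").strip()


def build_headers(client_id, username, api_key, client_secret, body, timestamp_ms=None):
    """Every header from the 'Putting It All Together' request, for a signed JSON POST."""
    if timestamp_ms is None:
        timestamp_ms = int(time.time() * 1000)
    return {
        "CLIENT-ID": client_id,
        "AUTHORIZATION": f"apikey {username}:{api_key}",
        "X-Veryfi-Request-Timestamp": str(timestamp_ms),
        "X-Veryfi-Request-Signature": sign(client_secret, timestamp_ms, body),
        "Content-Type": "application/json",
    }


def verify_signature(client_secret, headers, body, now_ms=None):
    """Model of the receiving side's check (illustrative, not Veryfi's server code).

    Returns (ok, reason). Rejects missing headers, timestamps outside the
    30-minute window in either direction, and any mismatch, using a
    constant-time comparison so the check does not leak the expected value.
    """
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    try:
        ts = int(headers["X-Veryfi-Request-Timestamp"])
        presented = headers["X-Veryfi-Request-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed signature headers"
    if abs(now_ms - ts) > SIGNATURE_TTL_MS:
        return False, "timestamp outside 30-minute window"
    expected = sign(client_secret, ts, body)
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed placeholder credentials; they do not authenticate to Veryfi.
    secret = "YOUR_CLIENT_SECRET"
    body = {"file_url": "https://cdn.veryfi.com/receipts/sample.jpg"}
    headers = build_headers("vrfKOMO1xSEM0AWNtKRpdemo", "username",
                            "b11111111111111111a111111", secret, body)
    print(headers)
    print(verify_signature(secret, headers, body))            # accepted
    tampered = dict(body, file_url="https://attacker.example/other.jpg")
    print(verify_signature(secret, headers, tampered))        # rejected: body changed
```

A tampered body or a stale timestamp fails verification, while a captured request is still accepted inside the window, which is why the timestamp check only limits replay rather than preventing it.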

All Headers at a Glance

Header Name | Required? | Purpose

CLIENT-ID | Always | Identifies your account

AUTHORIZATION | Always | Authenticates the calling user via apikey USERNAME:API_KEY

X-Veryfi-Request-Signature | Optional | HMAC-SHA256 signature proving request integrity

X-Veryfi-Request-Timestamp | Optional (required on signed requests) | Unix timestamp in ms; signature expires after 30 min

Content-Type | POST/PUT/PATCH | Set to application/json for JSON body requests

APIs and URLs

One set of API keys works across all Veryfi APIs.

The same CLIENT_ID, USERNAME and API_KEY you use for Receipts and Invoices will also authenticate requests to Checks, W-9s, Bank Statements, and every other endpoint. You do not need separate credentials per document type.

If your use cases need to be isolated from each other (for example, separate teams, clients, or billing buckets), we can provision additional profiles on your account. Each profile gets its own independent set of keys. Reach out to support@veryfi.com to set this up.

Key Security & Permissions

Admin-Only Access

API Keys are treated as company-sensitive information. A compromised key can lead to data breaches, unauthorized document access, and unexpected usage charges.

Key Rotation

Rotating your API Key (regenerating it) invalidates the old key immediately. All integrations using the old key will stop working until updated with the new key.

✅ Best practice: Always rotate your API Key before going live in production and on a regular schedule (e.g. every 90 days) as part of your security hygiene. Learn more

When to rotate your key:

  • Before going live (production launch)

  • After any suspected credential exposure

  • When a team member with Admin access leaves the organization

  • As part of a scheduled periodic security review

See How to Rotate API Keys for a step-by-step rotation guide.

Security Best Practices

🔒

Never commit keys to source control.

Use environment variables or a secrets manager (e.g. AWS Secrets Manager, HashiCorp Vault, or .env files excluded via .gitignore).

🔒

Use the CLIENT_SECRET signature.

Signing binds each request to its payload and a timestamp, so a request modified in transit fails verification and a captured one can only be replayed within the 30-minute validity window.

🔒

Restrict key access in your team.

Only grant Admin permissions to people who genuinely need API key access.

🔒

Monitor your usage.

Check Usage Analytics regularly for unexpected spikes that could indicate a compromised key.

🔒

Set up Duplicate Spike Alerts.

Get notified if unusual submission volumes are detected.

Quick Reference

Questions? Email support@veryfi.com or chat live at app.veryfi.com
