Authentication
The Verts API supports two authentication methods depending on your use case.
API Keys (Recommended for Backend Services)
API keys are the recommended authentication method for server-to-server integrations. They are long-lived credentials: unlike the one-hour access tokens of the OAuth flow, they do not expire on a short timer, so storage, rotation and revocation are your responsibility.
Creating an API Key
- Log in to your Verts Dashboard
- Navigate to Settings → API Keys
- Click Create API Key
- Give your key a descriptive name
- Copy the key and store it in a secrets manager or a server-side environment variable; it is shown only once and cannot be retrieved later
Using API Keys
Include your API key in the Authorization header as a Bearer token:
curl https://api.verts.dev/v1/account \
-H "Authorization: Bearer verts_key_xxx..."
API Key Best Practices
- Never expose keys in client-side code - A key that ships in a browser bundle, mobile app or public repository is effectively public. API keys belong only on servers you control; if one does leak, delete it immediately and create a replacement
- Use separate keys for different environments - Create distinct keys for development, staging, and production so a leak in one cannot be used against another and each can be revoked on its own
- Rotate keys periodically - Create the new key first, switch your services over to it, then delete the old one, so a rotation never leaves a service without a valid credential
- Set descriptive names - Make it easy to identify which key is used where (for example, service and environment); this also tells you what to redeploy when a key is rotated or revoked
Managing API Keys
You can manage your API keys through the API Keys endpoint:
- List API Keys - View all your API keys
- Create API Key - Generate a new key
- Delete API Key - Revoke a key
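The rotation advice above (create the replacement before deleting the old key) and the Create and Delete operations combine into the following procedure. This is an added example, not Verts' own code: the paths /api-keys and /api-keys/{id}, the JSON fields id and key in the create response, and the VERTS_API_KEY and VERTS_API_KEY_ID environment variables are assumptions to check against the API reference; the Bearer header and the /v1/account endpoint are the ones shown on this page.

```javascript
// Added example, not Verts' own code: zero-downtime rotation of an API key.
// Assumed (not from the page): the /api-keys and /api-keys/{id} paths, the
// {id, key} fields of the create response, and the VERTS_API_KEY* variables.

const BASE_URL = "https://api.verts.dev/v1";

// The page's scheme: the key travels as a Bearer token in the Authorization header.
function authHeaders(key) {
  return { Authorization: `Bearer ${key}` };
}

// Read the active key from the environment so it never lands in source control.
function loadKeyFromEnv(env = process.env) {
  const key = env.VERTS_API_KEY;
  if (!key) throw new Error("VERTS_API_KEY is not set");
  return key;
}

// Create -> verify -> deploy -> delete. The old key is only revoked after the
// new one has been proven to work and handed to whatever stores the secret.
async function rotateKey({ currentKey, currentKeyId, name, deploy, fetchImpl = fetch, baseUrl = BASE_URL }) {
  // 1. Create the replacement while the current key is still valid.
  const created = await fetchImpl(`${baseUrl}/api-keys`, {
    method: "POST",
    headers: { ...authHeaders(currentKey), "Content-Type": "application/json" },
    body: JSON.stringify({ name }),
  });
  if (!created.ok) throw new Error(`create failed: HTTP ${created.status}`);
  const { id: newId, key: newKey } = await created.json();

  // 2. Prove the new key is accepted before anything depends on it.
  const probe = await fetchImpl(`${baseUrl}/account`, { headers: authHeaders(newKey) });
  if (!probe.ok) throw new Error(`new key rejected: HTTP ${probe.status}`);

  // 3. Hand the new key to the secret store / deployment so every caller switches over.
  await deploy(newKey);

  // 4. Only now revoke the old key. Authenticating this call with the new key
  //    shows that nothing still needs the old one.
  const deleted = await fetchImpl(`${baseUrl}/api-keys/${currentKeyId}`, {
    method: "DELETE",
    headers: authHeaders(newKey),
  });
  if (!deleted.ok) throw new Error(`delete of old key failed: HTTP ${deleted.status}`);

  return { id: newId, key: newKey };
}

// Real run: needs the current key and its id in the environment; otherwise nothing happens.
if (process.env.VERTS_API_KEY && process.env.VERTS_API_KEY_ID) {
  rotateKey({
    currentKey: loadKeyFromEnv(),
    currentKeyId: process.env.VERTS_API_KEY_ID,
    name: `prod-${new Date().toISOString().slice(0, 10)}`,
    // Placeholder for writing to your secrets manager; never log the full key.
    deploy: async (k) => console.log("new key issued, prefix:", k.slice(0, 12) + "..."),
  }).catch((err) => { console.error(err.message); process.exitCode = 1; });
}
```

The ordering is the point: a failed probe leaves the old key untouched, and the delete is authenticated with the new key so a mistake there cannot lock you out. After a rotation, the List API Keys operation is the natural check that only the expected keys remain.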
OAuth (For User Sessions)
The OAuth flow is used for browser-based applications where users sign in with their Verts account or a third-party provider such as Google. Email/password sign-in is not an OAuth flow in the strict sense, but it is documented here because it uses the same session model: in either case the result is a cookie-based session rather than a key your code holds.
Supported Providers
- Google - Sign in with Google account
- Email/Password - Traditional email and password authentication
OAuth Flow
- Redirect users to the OAuth login endpoint
- Users authenticate with their chosen provider
- The API sets a JWT access token in an HttpOnly cookie, so page scripts cannot read it and an injected script cannot exfiltrate it
- The browser attaches the cookie to subsequent requests automatically (for cross-origin fetch calls, send credentials: "include"), so your code never handles the token. Because the cookie is sent automatically, make sure state-changing requests are protected against cross-site request forgery by the cookie's SameSite attribute or a CSRF token
OAuth Endpoints
- Login - Email/password authentication
- OAuth Login - Initiate OAuth flow
- Get Current User - Get authenticated user info
- Logout - End the current session
- Refresh Token - Refresh an expired access token
Security Considerations
Rate Limiting
Authentication endpoints are rate-limited to prevent brute force attacks. See Rate Limiting for details.
Token Expiration
- Access tokens expire after 1 hour
- Refresh tokens expire after 7 days
- Use the Refresh Token endpoint to obtain a new access token; once the refresh token has also expired, the user has to log in again
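Putting the cookie flow and the lifetimes above together, the following browser-side wrapper is an added example, not Verts' own code. It lets the HttpOnly cookie carry the JWT, reacts to a 401 by calling the Refresh Token endpoint once and retrying, shares one refresh between concurrent requests, and surfaces an expired refresh token as the signal to send the user back to login. The paths /auth/refresh (Refresh Token) and /auth/me (Get Current User) are assumptions; the one-hour and seven-day lifetimes are from the page.

```javascript
// Added example, not Verts' own code: a browser fetch wrapper for the
// cookie-based session. The HttpOnly cookie carries the JWT, so this code never
// touches a token; it only reacts to a 401. Assumed (not from the page): the
// /auth/refresh and /auth/me paths.

const API_BASE = "https://api.verts.dev/v1";
const REFRESH_PATH = "/auth/refresh"; // assumed path of the Refresh Token endpoint

class SessionExpiredError extends Error {
  constructor() {
    super("session expired: refresh token rejected, user must log in again");
    this.name = "SessionExpiredError";
  }
}

// Concurrent 401s share a single refresh request instead of racing each other.
let refreshInFlight = null;

function refreshSession(fetchImpl) {
  if (!refreshInFlight) {
    refreshInFlight = fetchImpl(`${API_BASE}${REFRESH_PATH}`, {
      method: "POST",
      credentials: "include", // send the HttpOnly cookie; JS never sees the JWT
    })
      .then((res) => res.ok)
      .finally(() => { refreshInFlight = null; });
  }
  return refreshInFlight;
}

// Drop-in replacement for fetch against the API. Returns the Response; throws
// SessionExpiredError when the 7-day refresh token is gone or the session was
// revoked (e.g. via Logout All), which is the caller's cue to redirect to login.
async function apiFetch(path, init = {}, fetchImpl = fetch) {
  const send = () => fetchImpl(`${API_BASE}${path}`, { ...init, credentials: "include" });
  const first = await send();
  if (first.status !== 401) return first;

  // The 1-hour access token has expired (or was never set). Refresh exactly once.
  const refreshed = await refreshSession(fetchImpl);
  if (!refreshed) throw new SessionExpiredError();

  // Retrying is safe even for POST: the server rejected the first attempt at
  // the authentication step, before doing any work on the request.
  return send();
}

// Typical page-script use: null means "no session, go to login".
async function loadCurrentUser(fetchImpl = fetch) {
  try {
    const res = await apiFetch("/auth/me", {}, fetchImpl); // assumed Get Current User path
    if (!res.ok) return null;
    return await res.json();
  } catch (err) {
    if (err instanceof SessionExpiredError) return null;
    throw err;
  }
}
```

Refreshing in reaction to a 401 rather than on a client-side timer avoids depending on the browser clock and works unchanged if the lifetimes change. The wrapper retries at most once, so a server that keeps returning 401 cannot put it in a loop. It does nothing about CSRF: since the browser attaches the cookie on its own, that protection has to come from the cookie's SameSite setting or a CSRF token on state-changing routes.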
Revoking Access
- API Keys: Delete the key from the dashboard or via the API; requests that present the deleted key are rejected
- OAuth Sessions: Use the Logout All endpoint to revoke all of a user's sessions. Because access tokens are JWTs with a one-hour lifetime, verify in a test whether a token issued before Logout All is rejected immediately or only once it expires, and plan your incident response around the answer