API Authentication & Access Control
Environment Configuration
Ensure you are using appropriate credentials per environment. Tokens and session IDs are not transferable across environments.
| Environment | Base URL |
|---|---|
| UAT (Testing) | https://uat.api.privateid.com |
| Prod (Live) | https://api.privateid.com |
Credential Requirements
Every API call must include the following headers to ensure correct billing and strong mutual authentication:
- x_api_key:
  - Purpose: Authenticates the client making requests to PrivateID.
  - Nature: Confidential.
- clientID:
  - Purpose: Public identifier for the client.
- clientSecret (or SLC):
  - Purpose: Confidential secret used to cryptographically sign requests and ensure non-repudiation.
  - Storage & Usage: Must be stored securely (e.g., in an HSM) and never exposed in client-side code.
Example Request Header (comments are explanatory; no trailing comma after the last field):

```jsonc
{
  "x_api_key": "YOUR_API_KEY", // Billing identifier; public.
  "clientID": "YOUR_CLIENT_ID", // Public identifier for the client
  "clientSecret": "YOUR_CLIENT_SECRET" // Confidential secret used to cryptographically sign requests and ensure non-repudiation
}
```
Note: All communications must occur over TLS to protect the confidentiality and integrity of the transmitted credentials.
Additional Security Metadata
To enhance request auditing and integrity verification, clients may also include the following optional headers:
- X-Device-Info: JSON-encoded metadata about the client device (e.g., OS version, hardware model).
- X-Request-ID: A unique identifier for the request, aiding in traceability and debugging.
- X-Timestamp: A UNIX timestamp to prevent replay attacks.
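The following is an added example, not PrivateID's own SDK or server code. It ties together the credential headers from the section above and the optional security metadata headers in this section: it loads credentials per environment from separately named variables (so UAT and Prod secrets cannot be mixed up), refuses to send them over anything but an HTTPS base URL, attaches X-Request-ID, X-Timestamp and X-Device-Info, and then shows the server-side check that makes X-Timestamp actually prevent replays: a freshness window plus a dedupe of already-seen request IDs. The environment-variable names, the 300-second window and the in-memory dedupe cache are assumptions of this example; the page does not specify the signing scheme behind clientSecret, so the secret is passed through exactly as the page's own header example does.

```python
"""Added example (not PrivateID's own code): per-environment header construction
and a server-side replay check on X-Timestamp / X-Request-ID."""
import os
import time
import uuid
import json

# Base URLs as listed on the page; credentials are not transferable across them.
BASE_URLS = {
    "uat": "https://uat.api.privateid.com",
    "prod": "https://api.privateid.com",
}


def load_credentials(env, environ=None):
    """Read credentials for one environment from variables such as
    PRIVATEID_UAT_API_KEY (variable naming is an assumption of this example),
    so a shared variable can never leak Prod secrets into UAT calls or vice versa."""
    environ = os.environ if environ is None else environ
    prefix = f"PRIVATEID_{env.upper()}_"
    try:
        return {
            "x_api_key": environ[prefix + "API_KEY"],
            "clientID": environ[prefix + "CLIENT_ID"],
            "clientSecret": environ[prefix + "CLIENT_SECRET"],
        }
    except KeyError as missing:
        raise RuntimeError(f"missing credential {missing} for environment {env!r}") from None


def build_request(env, path, credentials, device_info=None, now=None):
    """Return (url, headers) for one call. Refuses non-TLS base URLs and adds the
    optional audit headers: a fresh X-Request-ID, a UNIX X-Timestamp and, if given,
    compact JSON in X-Device-Info."""
    base = BASE_URLS[env]
    if not base.startswith("https://"):
        raise ValueError("credentials must only be sent over TLS")
    headers = dict(credentials)
    headers["X-Request-ID"] = str(uuid.uuid4())
    headers["X-Timestamp"] = str(int(time.time() if now is None else now))
    if device_info is not None:
        headers["X-Device-Info"] = json.dumps(device_info, separators=(",", ":"))
    return base + path, headers


class ReplayGuard:
    """Server-side view of the metadata headers (assumed policy): a request is
    accepted only if its X-Timestamp is within max_skew seconds of the server
    clock and its X-Request-ID has not been accepted before."""

    def __init__(self, max_skew_seconds=300):
        self.max_skew = max_skew_seconds
        self._seen = {}  # X-Request-ID -> server time at which it was accepted

    def check(self, headers, now):
        rid = headers.get("X-Request-ID")
        ts = headers.get("X-Timestamp")
        if not rid or ts is None or not ts.isdigit():
            return False, "missing or malformed X-Request-ID / X-Timestamp"
        if abs(now - int(ts)) > self.max_skew:
            return False, "X-Timestamp outside freshness window"
        # An accepted request could still be replayed until its timestamp ages out
        # of the window, so keep IDs for two windows before forgetting them.
        self._seen = {k: v for k, v in self._seen.items() if now - v <= 2 * self.max_skew}
        if rid in self._seen:
            return False, "X-Request-ID already used (replay)"
        self._seen[rid] = now
        return True, "ok"


if __name__ == "__main__":
    # Constructed credentials for a local demonstration only.
    demo_env = {
        "PRIVATEID_UAT_API_KEY": "demo-key",
        "PRIVATEID_UAT_CLIENT_ID": "demo-client",
        "PRIVATEID_UAT_CLIENT_SECRET": "demo-secret",
    }
    url, hdrs = build_request("uat", "/v1/example", load_credentials("uat", demo_env),
                              device_info={"os": "demo-os", "model": "demo-model"})
    guard = ReplayGuard()
    print(url, guard.check(hdrs, now=int(time.time())))   # accepted
    print(url, guard.check(hdrs, now=int(time.time())))   # rejected as replay
```

The window check alone is not enough: within the window the same headers could be resent, which is why the guard also remembers accepted request IDs. Keep the window small, since a larger one only widens the interval in which a captured request stays valid.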