
Authentication

JWT bearer tokens, API keys, and scope-based access control.

Authentication methods

Provd supports two auth methods:

  1. Bearer JWT (recommended for operator/admin clients)
  2. API key via the X-API-Key header (recommended for service-to-service calls)

Get a bearer token

Request:

POST /api/v1/auth/token
Content-Type: application/json

{
	"client_id": "provd-dev-client",
	"client_secret": "provd-dev-secret"
}

Response includes:

  • access_token
  • token_type
  • expires_in
  • scopes
  • role

Use it in requests:

Authorization: Bearer <access_token>

API keys

Create and manage API keys through /api/v1/keys (requires key management permissions).

Use them in requests:

X-API-Key: <your_api_key>

Authorization model

Access is controlled by scopes (and optionally role).

Current protected scopes:

  • keys:read — list keys
  • keys:write — create/deactivate keys
  • trust:read — call trust scoring endpoint
  • dispute:analyze — call dispute analysis endpoint
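
The token flow and scope check described above, as an added example (not Provd's own client code): a small Python client that requests a token from /api/v1/auth/token, caches it until shortly before expiry, and refuses to build a request when the granted scopes lack the one the call needs. The class name ProvdTokenClient, the base URL, the `transport` and `clock` hooks, the reading of expires_in as seconds, and the shape of the scopes field are assumptions, not taken from this page.

```python
import json
import time
import urllib.request


class ProvdTokenClient:
    """Hypothetical helper: fetch, cache and scope-check a bearer token."""

    def __init__(self, base_url, client_id, client_secret,
                 transport=None, clock=time.monotonic, skew=30):
        self.base_url = base_url.rstrip("/")
        # Load the secret from a secret store or environment, not source code.
        self._body = {"client_id": client_id, "client_secret": client_secret}
        self._transport = transport or self._http_post
        self._clock = clock
        self._skew = skew            # refresh this many seconds before expiry
        self._token = None
        self._scopes = frozenset()
        self._expires_at = 0.0

    @staticmethod
    def _http_post(url, payload):
        # Real network call; urllib verifies TLS certificates by default.
        req = urllib.request.Request(
            url, data=json.dumps(payload).encode(),
            headers={"Content-Type": "application/json"}, method="POST")
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)

    def _refresh(self):
        data = self._transport(self.base_url + "/api/v1/auth/token", self._body)
        scopes = data.get("scopes", [])
        if isinstance(scopes, str):  # assumption: list or space-separated string
            scopes = scopes.split()
        self._token = data["access_token"]
        self._scopes = frozenset(scopes)
        # Assumption: expires_in is the token lifetime in seconds.
        self._expires_at = self._clock() + float(data["expires_in"])

    def auth_headers(self, required_scope=None):
        """Return the Authorization header, refreshing the token if needed."""
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            self._refresh()
        # Fail locally instead of sending a call the token cannot authorize.
        if required_scope and required_scope not in self._scopes:
            raise PermissionError("token lacks scope " + required_scope)
        return {"Authorization": "Bearer " + self._token}
```

Call `auth_headers("trust:read")` before a trust scoring request and merge the result into the request headers; the token itself is never logged or returned outside that header.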

Hashing

When sending identifiers like phone numbers, hash them client-side or in your secure backend environment.

Recommended pattern

  1. Keep raw user identifiers out of browser logs and analytics tools.
  2. Hash phone numbers or bank-account-derived identifiers before transport.
  3. Send only the hashed identifier plus the trade context to Provd.
  4. Rotate API keys on a schedule and scope them by environment.
