Authentication

Secure your API requests with proper authentication.

Secure your LoomAPI requests using API keys. All API requests require authentication to ensure security and proper usage tracking.

API Keys

Your API key is your credential for accessing LoomAPI services. Keep it secure and never expose it in client-side code.

Getting Your API Key

  1. Sign up for a LoomAPI account at dashboard.loomapi.com
  2. Navigate to the API Keys section
  3. Click Create New Key
  4. Give your key a descriptive name (e.g., "Production App", "Development")
  5. Copy the generated key and store it securely

Key Types

  • Production Keys: For live applications with rate limits and billing
  • Test Keys: For development and testing (no billing, limited features)

Authentication Methods

Bearer Token (Recommended)

Include your API key in the Authorization header using the Bearer scheme:

curl -X POST https://api.loomapi.com/v1/verify \
  -H "Authorization: Bearer your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{"document_type": "passport", "document_data": "base64_data"}'

API Key Header

Alternatively, you can use the X-API-Key header:

curl -X POST https://api.loomapi.com/v1/verify \
  -H "X-API-Key: your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{"document_type": "passport", "document_data": "base64_data"}'

Security Best Practices

🔐 Key Storage

  • Environment Variables: Store keys in environment variables, not in code
  • Secret Management: Use services like AWS Secrets Manager or HashiCorp Vault
  • Never in Version Control: Add files that contain API keys (such as .env) to .gitignore

# .env file (listed in .gitignore)
LOOM_API_KEY=your_api_key_here

# .env.example (committed to git)
LOOM_API_KEY=your_api_key_here

🔄 Key Rotation

  • Rotate keys regularly (recommended: every 90 days)
  • Use different keys for different environments
  • Revoke compromised keys immediately

🚨 Common Mistakes to Avoid

  • Don't log API keys in application logs
  • Don't send keys over unsecured connections (always use HTTPS)
  • Don't embed keys in client-side JavaScript or mobile apps
  • Don't share keys between team members or applications

Authentication Errors

If authentication fails, you'll receive a 401 Unauthorized response:

{
  "request_id": "req_1234567890",
  "error": {
    "code": "AUTH_INVALID_KEY",
    "message": "The provided API key is invalid or expired"
  }
}

Common Authentication Issues

  • Key Format: Ensure the key is correctly formatted (should start with loom_)
  • Key Status: Check if the key is active in your dashboard
  • Environment: Verify you're using the correct key for your environment
  • Permissions: Some keys may have restricted permissions
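
The checks above can be run on the client before and after a request. The following is an added example, not LoomAPI's own code: it reads the key from the LOOM_API_KEY environment variable, checks the loom_ prefix, builds (without sending) the Bearer request to the status endpoint, and turns the documented 401 body into a log message that never contains the key. The function names and the redaction format are assumptions made for illustration.

```python
import json
import os
import urllib.request

API_BASE = "https://api.loomapi.com/v1"  # base URL from the curl examples
KEY_PREFIX = "loom_"                      # prefix named under "Key Format"

# Constructed sample: the 401 body shown in the Authentication Errors section.
SAMPLE_401 = ('{"request_id": "req_1234567890", "error": {"code": '
              '"AUTH_INVALID_KEY", "message": "The provided API key is invalid or expired"}}')


class LoomAuthError(Exception):
    """Missing or malformed key, caught before any request is sent."""


def load_api_key(env=os.environ):
    """Read LOOM_API_KEY from the environment and check the documented prefix."""
    key = env.get("LOOM_API_KEY", "").strip()
    if not key:
        raise LoomAuthError("LOOM_API_KEY is not set")
    if not key.startswith(KEY_PREFIX):
        raise LoomAuthError("LOOM_API_KEY does not start with loom_")
    return key


def redact(key):
    """Log-safe form: prefix plus last 4 characters (only for long keys)."""
    tail = key[-4:] if len(key) >= 20 else ""
    return f"{KEY_PREFIX}...{tail}"


def build_status_request(key):
    """Unsent GET /v1/status request carrying the key in the Bearer scheme."""
    req = urllib.request.Request(f"{API_BASE}/status", method="GET")
    req.add_header("Authorization", f"Bearer {key}")
    return req


def explain_response(status, body):
    """Turn a response into a message that can be logged without the key."""
    if status == 200:
        return "ok"
    if status != 401:
        return f"unexpected HTTP {status}"
    doc = json.loads(body)
    code = doc.get("error", {}).get("code", "unknown")
    return f"auth failed: {code} (request_id={doc.get('request_id')})"
```

Log the request_id and redact(key) when reporting a failure to support; the full key should appear only in the outgoing header.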

Test Authentication

Test your authentication setup with a simple request:

curl -X GET https://api.loomapi.com/v1/status \
  -H "Authorization: Bearer your_api_key_here"

You should receive:

{
  "status": "ok",
  "timestamp": "2024-01-15T10:30:00Z"
}

Need Help?

If you're having trouble with authentication:

  1. Check your dashboard for key status
  2. Verify the key format and header syntax
  3. Test with our status endpoint
  4. Contact support@loomapi.com if issues persist