Reference
Authentication
Every API request must include an account-scoped bearer token. Keys are issued from the dashboard, hashed with SHA-256 at rest, and can be revoked instantly.
Bearer token
header
Authorization: Bearer tr_live_a1b2c3d4e5f6...
- Keys are prefixed tr_live_ followed by 48 hex characters.
- The plaintext key is shown once at creation time. Store it in a secret manager — we cannot recover it.
- Only the SHA-256 hash and a short prefix (for UI labelling) are persisted server-side.
Examples
curl
curl "https://trustregistryapi.com/api/v1/search?name=acme&state=TX" \
  -H "Authorization: Bearer $TRUSTREGISTRY_KEY"
javascript
await fetch("https://trustregistryapi.com/api/v1/verify", {
  method: "POST",
  headers: {
    Authorization: `Bearer ${process.env.TRUSTREGISTRY_KEY}`,
    "Content-Type": "application/json",
  },
  body: JSON.stringify({ business_name: "Acme Co", state: "TX" }),
});
Managing keys
Create, label, and revoke keys from Dashboard → API Keys. Revocation is immediate — the next request authenticated with that key returns 401 unauthorized.
Rotation: create a new key, deploy it, then revoke the old one. Multiple active keys per account are supported, which lets you rotate without downtime.
Failure modes
| Status | Code | Cause |
|---|---|---|
| 401 | unauthorized | Missing Authorization header |
| 401 | unauthorized | Malformed token (must start with tr_live_) |
| 401 | unauthorized | Key not found or revoked |
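The key scheme described on this page (tr_live_ plus 48 hex characters, SHA-256 hashes at rest, and the three 401 cases in the table above), sketched as a server-side check in Node.js. This is an added example, not TrustRegistry's own code; `makeStore`, `authenticate`, the `reason` field, the lowercase-hex assumption and the sample key are illustrative assumptions.

```javascript
const { createHash, timingSafeEqual } = require("node:crypto");

// Prefix + 48 hex characters. Lowercase hex is an assumption of this sketch.
const KEY_FORMAT = /^tr_live_[0-9a-f]{48}$/;
const sha256 = (s) => createHash("sha256").update(s, "utf8").digest();

// Hypothetical key store: keeps only the SHA-256 hash, a short prefix for UI
// labelling and a revocation flag. The plaintext key is never persisted.
function makeStore() {
  const rows = new Map(); // hex(hash) -> { hash, prefix, revoked }
  const id = (plaintext) => sha256(plaintext).toString("hex");
  return {
    add(plaintext) {
      rows.set(id(plaintext), {
        hash: sha256(plaintext),
        prefix: plaintext.slice(0, 12),
        revoked: false,
      });
    },
    revoke(plaintext) {
      const row = rows.get(id(plaintext));
      if (row) row.revoked = true; // takes effect on the next request
    },
    find: (hash) => rows.get(hash.toString("hex")),
  };
}

// Every failure returns the same 401 / unauthorized pair as the table above.
// `reason` is meant for server-side logs only, not for the response body.
function authenticate(headers, store) {
  const deny = (reason) => ({ status: 401, code: "unauthorized", reason });
  const header = headers["authorization"]; // Node lowercases header names
  if (typeof header !== "string") return deny("missing_header");
  const match = /^Bearer (\S+)$/.exec(header);
  if (!match || !KEY_FORMAT.test(match[1])) return deny("malformed_token");
  const presented = sha256(match[1]);
  const row = store.find(presented); // lookup is by hash, never by plaintext
  if (!row || row.revoked || !timingSafeEqual(row.hash, presented)) {
    return deny("not_found_or_revoked");
  }
  return { status: 200, keyPrefix: row.prefix };
}

// Constructed sample key, not a real credential.
const SAMPLE_KEY = "tr_live_" + "0123456789ab".repeat(4);
```

Because the store is indexed by hash, a leaked database row cannot be replayed as a bearer token, and revoking a key only needs the flag flipped on its row.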