Authentication
All /v1/score requests require a Bearer token in the
Authorization header. The widget endpoint uses a different
scheme (form UUID).
Header format
Authorization: Bearer vt_live_2eAOlvGCD_sKwAAeIUGqVMI-18SouVKKm6jIWFoJcHg
Key prefixes
- vt_live_: production keys. Score requests count toward your monthly quota.
- vt_test_: sandbox keys. Scoring works the same, but checks don't count toward quota and are tagged mode: 'test' in your dashboard.
Error responses
| Status | Body detail | Meaning |
|---|---|---|
| 401 | missing_authorization | No Authorization header |
| 401 | invalid_authorization | Header present but malformed |
| 401 | invalid_api_key | Key doesn't match any active key |
| 403 | customer_inactive | Customer account suspended/closed |
| 402 | quota_exceeded | Monthly check quota reached |
Best practice
- Store keys in environment variables, not source code
- Use a different key per service so you can revoke independently
- Never log the full Authorization header
- Rotate keys quarterly even if you don't suspect compromise
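
One way to apply the first and third points on the client side, as an added example that is not part of the original documentation: the key is read from an environment variable, and a logging filter replaces any vt_live_/vt_test_ key with its prefix plus a short fingerprint so log lines can still be tied to a specific key when revoking. The variable name VT_API_KEY, the helper names and the key character set are assumptions.

```python
import hashlib
import logging
import os
import re

# Matches the key formats shown on this page: vt_live_ / vt_test_ followed by
# URL-safe base64 characters. The character class is an assumption drawn from
# the sample key in the header-format section.
KEY_RE = re.compile(r"\b(vt_(?:live|test)_)([A-Za-z0-9_-]{8,})")


def redact(text: str) -> str:
    """Replace each key with its prefix plus a short SHA-256 fingerprint."""
    def _sub(m: re.Match) -> str:
        digest = hashlib.sha256(m.group(0).encode()).hexdigest()[:8]
        return f"{m.group(1)}[redacted sha256:{digest}]"
    return KEY_RE.sub(_sub, text)


class RedactKeys(logging.Filter):
    """Logging filter that scrubs keys from the formatted message."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # message is already formatted above
        return True


def auth_headers(env_var: str = "VT_API_KEY") -> dict:
    """Build the Authorization header from an environment variable.

    VT_API_KEY is a hypothetical variable name chosen for this example.
    """
    key = os.environ.get(env_var, "")
    if not key.startswith(("vt_live_", "vt_test_")):
        raise RuntimeError(f"{env_var} is unset or not a vt_live_/vt_test_ key")
    return {"Authorization": f"Bearer {key}"}
```

Attach the filter to each handler (handler.addFilter(RedactKeys())) rather than to a single logger, so records from child loggers are scrubbed as well. Exception tracebacks are formatted separately by the handler and are not covered by this filter.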