Transcom Group Veritus

API keys

API keys authenticate server-side requests to /v1/score. The browser-side widget doesn't need a key — it authenticates by form UUID + origin instead.

Issuing a key

API keys → fill in name and mode → Issue key. The full plaintext token appears in an amber banner at the top of the page. Save it now — we never show it again.

Token format

Keys have the form vt_<mode>_<43chars>:

  • vt_live_… — production calls, counts toward quota
  • vt_test_… — sandbox; checks are logged but not counted toward quota

Test keys are useful for staging environments and CI. We tag test-mode checks separately in the audit log so you can tell test traffic from real.

Revoking a key

Click revoke next to the key in the list. The key stops working immediately — requests using it get 401 Unauthorized. Revocation is permanent; you can't un-revoke a key.

Security best practices

  • Never put keys in browser code, JS bundles, or mobile app binaries
  • Use environment variables or a secret manager, not config files in version control
  • Issue one key per service/environment so you can rotate independently
  • Revoke and reissue if a key is exposed (Git push, log file, screenshot, etc.)
  • Production and dev should use different keys
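
A check that supports the practices above, as an added example (not Veritus code): a scanner for key-shaped strings that can run as a pre-commit or CI step over files about to be committed. It assumes the 43 characters are URL-safe base64, which this page does not state; the sample tokens and function names are constructed for illustration.

```python
import re
import sys

# Assumption: the 43 characters are URL-safe base64 (A-Z a-z 0-9 - _). The page
# gives only the length, so adjust CHARS if the real alphabet differs.
CHARS = "A-Za-z0-9_-"
TOKEN_RE = re.compile(rf"(?<![{CHARS}])vt_(live|test)_[{CHARS}]{{43}}(?![{CHARS}])")

# Constructed sample tokens (not real keys), used only to exercise the scanner.
FAKE_LIVE = "vt_live_" + "a1B2" * 10 + "xyz"
FAKE_TEST = "vt_test_" + "Zz9-" * 10 + "_q7"
SAMPLE = "\n".join([
    'key = os.environ["VERITUS_API_KEY"]',   # read from the environment: fine
    f'key = "{FAKE_LIVE}"',                   # hardcoded live key
    f"VERITUS_KEY={FAKE_TEST}",               # test key in a config file
    'key = "vt_live_tooshort"',               # wrong length: not a key
])


def redact(token):
    """Keep the vt_<mode>_ prefix and last 4 chars; mask the rest."""
    return token[:8] + "*" * (len(token) - 12) + token[-4:]


def scan_text(text, source="<input>"):
    """Return one finding per key-shaped string, with the secret redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in TOKEN_RE.finditer(line):
            findings.append({"source": source, "line": lineno,
                             "mode": m.group(1), "token": redact(m.group(0))})
    return findings


def main(paths):
    """Scan files (e.g. staged files in a pre-commit hook); 1 if any key found."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings += scan_text(fh.read(), source=path)
    for f in findings:
        print(f"{f['source']}:{f['line']}: {f['mode']} key {f['token']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A hit in a file that has already been pushed means the key should be revoked and reissued, not just deleted from the file.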

When keys leak

Email hello@veritus.uk and we'll help you audit usage. Revoke the leaked key in your dashboard, issue a fresh one, and deploy the new value. Veritus stores only the SHA-256 hash of each key, never the plaintext, so even if our database leaks, your keys can't be recovered from it.
