Authentication

The IdentityCall API uses API keys to authenticate requests. This guide covers how to create, manage, and use API keys securely.

How API Keys Work

API keys are long-lived credentials that identify your application when making API requests. Each key:

Is tied to a specific account
Has configurable permissions (read, write, delete)
Can be scoped to a specific project
Tracks usage for auditing
Can be revoked at any time

Creating an API Key

Via the Dashboard

Log in to the IdentityCall Dashboard
Navigate to Settings → API Keys
Click Create New API Key
Configure the key:
- Name: A descriptive name (e.g., “Production Backend”, “Analytics Service”)
- Permissions: Select which operations the key can perform
- Project Scope: Optionally limit the key to a specific project
- Expiration: Set an expiry date (optional)
Click Create Key

Important: Copy your API key immediately after creation. For security reasons, the full key is only shown once and cannot be retrieved later.

API Key Format

API keys follow this format:


idc_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Prefix: idc_ (identifies it as an IdentityCall key)
Random: 32 alphanumeric characters

Using Your API Key

Include your API key in the Authorization header with the Bearer prefix:

cURL


curl -X GET "https://api.identitycall.com/api/v1/public/recordings" \
  -H "Authorization: Bearer idc_your_api_key_here"

Python


import requests
import os
 
API_KEY = os.environ.get("IDENTITYCALL_API_KEY")
 
headers = {
    "Authorization": f"Bearer {API_KEY}"
}
 
response = requests.get(
    "https://api.identitycall.com/api/v1/public/recordings",
    headers=headers
)

Node.js


const API_KEY = process.env.IDENTITYCALL_API_KEY;
 
const response = await fetch(
  'https://api.identitycall.com/api/v1/public/recordings',
  {
    headers: {
      'Authorization': `Bearer ${API_KEY}`
    }
  }
);

PHP


<?php
$apiKey = getenv('IDENTITYCALL_API_KEY');
 
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => "https://api.identitycall.com/api/v1/public/recordings",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER => [
        "Authorization: Bearer $apiKey"
    ]
]);
$response = curl_exec($ch);

Ruby


require 'net/http'
 
API_KEY = ENV['IDENTITYCALL_API_KEY']
 
uri = URI('https://api.identitycall.com/api/v1/public/recordings')
request = Net::HTTP::Get.new(uri)
request['Authorization'] = "Bearer #{API_KEY}"
 
response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http|
  http.request(request)
end

Permissions

API keys have three permission levels that control what operations they can perform:

Permission	Description	Endpoints
Read	View recordings and results	`GET /recordings`, `GET /recordings/:id`, `GET /recordings/:id/transcription`, etc.
Write	Create and update recordings	`POST /recordings`, `PATCH /recordings/:id`
Delete	Remove recordings	`DELETE /recordings/:id`

Permission Combinations

Choose permissions based on your use case:

Use Case	Read	Write	Delete
Analytics dashboard	✓
Backend service (upload + read)	✓	✓
Full access	✓	✓	✓
Upload only		✓

Error Responses

If you lack the required permission:


{
  "error": "Read permission required"
}

Status code: 403 Forbidden

Project Scoping

API keys can be scoped to a specific project:

Account-wide: Key can access recordings from all projects in your account
Project-scoped: Key can only access recordings from one specific project

Project-scoped keys are recommended for production environments to limit the blast radius if a key is compromised.

Security Best Practices

Store Keys Securely

Never hardcode API keys in your source code. Use environment variables or a secrets manager:


# .env file (not committed to git)
IDENTITYCALL_API_KEY=idc_your_api_key_here

Add .env to your .gitignore:


# .gitignore
.env
.env.local

Use Minimal Permissions

Follow the principle of least privilege:

Only grant the permissions your application actually needs
Use read-only keys for analytics and monitoring
Use project-scoped keys in production

Rotate Keys Regularly

Regenerate API keys periodically to limit exposure from potential leaks:

Go to Settings → API Keys
Click Regenerate on the key you want to rotate
Update your application with the new key
The old key is immediately invalidated

Set Expiration Dates

For temporary integrations or contractors:

Set an expiration date when creating the key
The key will automatically become invalid after that date
You’ll receive a notification before expiration

Monitor Usage

Track API key usage to detect anomalies:

Check the Usage tab in your dashboard
Set up alerts for unusual patterns
Review which endpoints are being accessed

Error Handling

Invalid or Missing Key


{
  "error": "Invalid or expired API key"
}

Status code: 401 Unauthorized

Causes:

API key is missing from the request
API key format is incorrect
API key has been revoked
API key has expired

Rate Limiting


{
  "error": "Rate limit exceeded",
  "retry_after": 60
}

Status code: 429 Too Many Requests

Solution: Wait for the time specified in retry_after (seconds) before retrying.

Managing Keys

Revoking a Key

If a key is compromised:

Go to Settings → API Keys
Click Revoke on the compromised key
The key is immediately invalidated
Create a new key if needed

Viewing Key Usage

Each key tracks:

Last used timestamp
Total requests
Requests by endpoint
Error rates

Access this in Settings → API Keys → View Usage.

Next Steps

Install and configure language SDKs

SDK Setup

Explore available endpoints

API Reference