Documentation menu
Authentication
Understand API key and tenant admin JWT boundaries.
sanctions.tr uses two authentication models. Their permission scopes are not interchangeable.
Public search
Recommended header:
x-api-key: sak_xxx
Alternative header:
Authorization: ApiKey sak_xxx
Domain, IP, source, daily/monthly usage and maximum page-size policies may be applied to an API key.
Tenant reports
Search log and API key log endpoints require a tenant admin JWT:
Authorization: Bearer <token>
This token is not a customer backend integration key. Reports return records only for the authenticated institution.
Secret lifecycle
- A plain API key is displayed only when it is created.
- Restrict the key by purpose, source and IP where possible.
- Disable and rotate a key if exposure is suspected.
- Redact
Authorization,x-api-key, cookies and tokens from logs.
Decision boundary
An API result is a candidate match. A final sanctions or compliance decision requires official-source verification and human review.