Developer centerv1.0.0
Documentation menu
Getting started

Authentication

Understand API key and tenant admin JWT boundaries.

sanctions.tr uses two authentication models. Their permission scopes are not interchangeable.

Recommended header:

x-api-key: sak_xxx

Alternative header:

Authorization: ApiKey sak_xxx

Domain, IP, source, daily/monthly usage and maximum page-size policies may be applied to an API key.

Tenant reports

Search log and API key log endpoints require a tenant admin JWT:

Authorization: Bearer <token>

This token is not a customer backend integration key. Reports return records only for the authenticated institution.

Secret lifecycle

  • A plain API key is displayed only when it is created.
  • Restrict the key by purpose, source and IP where possible.
  • Disable and rotate a key if exposure is suspected.
  • Redact Authorization, x-api-key, cookies and tokens from logs.

Decision boundary

An API result is a candidate match. A final sanctions or compliance decision requires official-source verification and human review.