InvoanceInvoance
Log inStart free
Developers
Search docs…⌘K
Getting started
OverviewConceptsAuthenticationCreate an API key
API reference
EndpointsErrors
Resources
EventsDocumentsAI AttestationsTraces
SDKs
PythonNode.jscURL
Verification
How it works
Support
API FAQ

Create an API key

A walkthrough for creating your first Invoance API key, setting it as an environment variable, and making an authenticated request. Takes about three minutes.

Already familiar with the key model and just looking for headers and scopes? See Authentication.

Before you start

An Invoance accountSign up at app.invoance.com if you don't have one. The Developer plan is free and includes API access.
Owner or admin roleOnly owners and admins can create API keys for an organization.
A terminal or HTTP clientAnything that can send a request with a Bearer header — curl, Postman, an SDK, your application.

Step 1 — Sign in

Open your dashboard at https://app.invoance.com and sign in.

Step 2 — Open API & Access

From the left sidebar, expand Organization and click API & Access. Or jump straight to:

https://app.invoance.com/dashboard/profile?tab=tokens

Step 3 — Create the key

Click Create key. Fill in:

NameA label only you see. Use environment + purpose, e.g. "production-ingest" or "staging-ci". Helps when you have several keys and need to revoke one without breaking others.
ScopesSelect the minimum scopes the key needs. read for retrieval endpoints, write for ingestion. Granting both is fine for early development; tighten later.
IP allowlist (optional)Restrict the key to specific source IPs if you know your traffic origin. Leave empty during local development.

Click Create.

Step 4 — Copy the key

The key is shown once. There is no way to recover it later.

Invoance stores only a cryptographic hash. If you close the dialog without copying it, the key is gone — you'll have to revoke it and create a new one.

The key looks like:

invoance_live_XXXXXXXXXXXXXXXXXXXXXXXX

Click the copy button. Paste it into your password manager (1Password, Bitwarden, your team vault) right now — not into a text file, not into Slack, not into a commit. If it leaks, revoke it and create a new one.

Step 5 — Set it as an environment variable

Don't paste the key into source code. Export it as an environment variable instead:

macOS / Linux
export INVOANCE_API_KEY=invoance_live_XXXXXXXXXXXXXXXXXXXXXXXX
Windows (PowerShell)
$env:INVOANCE_API_KEY = "invoance_live_XXXXXXXXXXXXXXXXXXXXXXXX"
.env file (project-scoped)
INVOANCE_API_KEY=invoance_live_XXXXXXXXXXXXXXXXXXXXXXXX

Add .env to your .gitignore if it isn't already.

Step 6 — Make your first request

Anchor a test event with curl:

curl
curl -X POST https://api.invoance.com/v1/events \
  -H "Authorization: Bearer $INVOANCE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "event_type": "test.first_event",
    "payload": { "hello": "world" }
  }'

A successful response returns the new event with its event_id, cryptographic hash, and signature. Store the event_id — you'll use it to verify the record later.

Prefer SDKs? See the Python and Node.js guides for the same example with idiomatic clients.

Troubleshooting

401
Unauthorized

The Authorization header is missing, malformed, or the key has been revoked. Confirm the header is exactly Bearer <key> with one space, the key starts with invoance_live_, and the key still appears as Active in the dashboard.

403
Forbidden — insufficient scope

The key authenticated but doesn't have the scope this endpoint requires. Create a new key with the correct scope, or ask an admin to update the existing one.

404
Not found

The endpoint path is wrong, or you're hitting an old environment. Confirm you're using https://api.invoance.com and not a localhost URL from the docs.

429
Rate limit exceeded

You've crossed the per-plan rate limit. The Retry-After header tells you how long to wait. If this happens often, upgrade or contact support.

—
I lost my key

Revoke it from the dashboard (so a leaked copy can't be used) and create a new one. Keys are one-shot reveals by design.

Security checklist

Never commit keysIf a key ever lands in a Git repo, public or private, revoke it immediately. GitHub scans public repos for known token formats and will flag invoance_live_ prefixes.
One key per environmentSeparate production and staging keys. If staging leaks, prod isn't affected.
Rotate after team changesWhen someone leaves, revoke the keys they had access to and issue new ones.
Use IP allowlists in prodIf your traffic comes from known IPs (a backend server, a CI runner), set the allowlist on the key. Stolen keys outside that range are useless.
Treat keys as bearer tokensAPI key requests aren't logged in the dashboard's Activity Log today (that surface tracks org-admin actions like invites, member changes, and domain verification). If you need an audit trail of which key called which endpoint, build it on your side — most teams pipe it through a reverse proxy or APM (Datadog, OpenTelemetry, Sentry).

Related

Authentication

Header formats, key model, scopes, and enforcement details.

Endpoints

Full API reference with request and response schemas.

Errors

HTTP status codes and error code reference.

API FAQ

Common questions about authentication, rate limits, and integration.

Invoance

Neutral digital proof infrastructure for business. Tamper-evident, independently verifiable records.

Subscribe to our newsletter

Products
Platform
How It Works
Developers
Verify
Resources
Help & Legal
Products
  • Event Ledger
  • Document Anchoring
  • AI Attestation
  • Traces
Platform
  • Why Invoance
  • For Compliance Teams
  • For Finance Teams
  • Pricing
How It Works
  • Overview
  • Event Ledger
  • Document Anchoring
  • AI Attestation
Developers
  • Overview
  • Endpoints
  • Authentication
  • Concepts
Verify
  • Verify Document
  • Verify AI Attestation
  • Verify Event
  • Verify Trace
Resources
  • All Resources
  • SOC 2 Guide
  • HIPAA Guide
  • ISO 27001 Guide
Help & Legal
  • Support
  • Status
  • Verification Help
  • FAQ

Invoance provides technical verification and proof infrastructure for digital records. Invoance does not issue legal, financial, or regulatory advice.

Records anchored through Invoance are cryptographically signed and tamper-evident by design. Invoance does not verify the accuracy, legality, or authenticity of document contents, only that a record existed in a specific form at a specific time. Verification links are publicly resolvable and do not require authentication. Invoance does not act as a custodian of funds, a legal authority, or a regulated financial entity. Use of Invoance does not constitute legal compliance. Consult qualified counsel for your specific obligations.

© 2025 – 2026 Invoance, Inc. All rights reserved.••