Authentication
The Invoance API uses organization-scoped API keys to authenticate requests. Keys are hashed before storage — plaintext is never persisted after issuance.
API keys
All protected endpoints require a valid API key passed as a Bearer token. Keys are scoped to a single organization and grant access based on their assigned scope.
Authorization header
Authorization: Bearer invoance_live_XXXXXXXXXXXXXXXXXXXXXXXX
# Alternative header (both accepted — only one required)
X-API-Key: invoance_live_XXXXXXXXXXXXXXXXXXXXXXXX
Key format
invoance_live_XXXXXXXXXXXXXXXXXXXXXXXX
Opaque: Keys are randomly generated and contain no derivable information about the tenant or scope.
Hashed at rest: The plaintext key is shown once at creation. Invoance stores only a secure hash, so the plaintext cannot be recovered.
Non-transferable: Keys are bound to a single organization. They cannot be used across tenants.
Immediately revocable: Revoked keys are rejected on the next request with no propagation delay.
Scopes
Each API key is assigned one or more scopes at creation time. Requests using a key without the required scope are rejected with 403 Forbidden.
read: Required for all retrieval endpoints. Allows fetching ledger entries, attestations, and event records.
GET /v1/document/:id
GET /ai/attestations/:id
GET /v1/events/:id
write: Required for all ingestion endpoints. Allows anchoring documents, creating attestations, and recording events.
POST /v1/document/anchor
POST /ai/attestations
POST /v1/events
Enforcement
HTTPS only: All requests must be made over HTTPS. Plain HTTP is rejected immediately.
Org-scoped: Keys are scoped to a single organization. Cross-tenant access is not possible.
Immediate revocation: Revoked or inactive keys are rejected on the next request with no cache delay.
IP allowlisting: Optional per-key IP allowlists can be configured from the dashboard.
Rate limiting: All API key requests are subject to per-plan rate limits. Exceeded limits return 429.
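The checks described above (either header accepted, hash-only storage, revocation, scope enforcement), shown as an added server-side example that is not Invoance's own code. Assumptions: SHA-256 as the hash, an in-memory dict as the key store, the 401 and 400 status codes, the 24-character key body, and all function names.

```python
import hashlib
import secrets
import string

PREFIX = "invoance_live_"  # key prefix shown on this page
ALPHABET = string.ascii_letters + string.digits

def hash_key(plaintext: str) -> str:
    # Assumption: SHA-256. The page only says "a secure hash".
    return hashlib.sha256(plaintext.encode()).hexdigest()

def issue_key(store: dict, org: str, scopes: set) -> str:
    """Generate an opaque key, persist only its hash, return plaintext once."""
    plaintext = PREFIX + "".join(secrets.choice(ALPHABET) for _ in range(24))
    store[hash_key(plaintext)] = {"org": org, "scopes": set(scopes), "active": True}
    return plaintext

def extract_key(headers: dict):
    """Accept either Authorization: Bearer <key> or X-API-Key: <key>."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    auth = h.get("authorization", "")
    if auth[:7].lower() == "bearer ":
        return auth[7:].strip()
    return h.get("x-api-key")

def authorize(store: dict, headers: dict, required_scope: str, scheme: str = "https"):
    """Return (status, org). 403 is from the page; 400 and 401 are assumed."""
    if scheme != "https":
        return 400, None  # plain HTTP is rejected before any key handling
    key = extract_key(headers)
    if not key or not key.startswith(PREFIX):
        return 401, None
    record = store.get(hash_key(key))
    # The active flag is read on every request, so revocation has no cache delay.
    if record is None or not record["active"]:
        return 401, None
    if required_scope not in record["scopes"]:
        return 403, None  # valid key, but it lacks the required scope
    return 200, record["org"]

# Constructed sample data: one read-only key for a made-up organization.
STORE = {}
READ_KEY = issue_key(STORE, "org_a", {"read"})
```
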
Unauthenticated endpoints
Public verification endpoints do not require an API key. These endpoints are read-only, rate-limited, and designed for independent third-party verification of anchored records.
# No authentication required
GET https://invoance.com/proof/{event_id}
GET https://invoance.com/proof/ai/{attestation_id}
GET https://invoance.com/.well-known/invoance-platform-key