All of our API requests are authenticated by providing your API key in the headers.
API users NOT using the iPhone device will need to verify the provenance of the data returned by our API. This is to prevent man-in-the-middle and other attacks.
To do so they will receive a signature over the encoding of the some of the returned data (depends on the request)
To verify they will need to use TrustVault’s public key for the environment they are in:
This keys can also be found on our postman docs
You can verify our Production Public Key by querying the provenance-public-key.trustology.io dns TXT record.
This can be done using a command line tool like dig.
dig provenance-public-key.trustology.io TXT
Do not hard code your key in scripts or config files. We recommend you use products like AWS Key Management Service to safely manage your keys.