Authentication
All Surt API calls require an API key for authentication.
Getting Your API Key
- Log in to your Surt Dashboard
- Navigate to Settings → Developer
- Copy your API key
Using Your API Key
Pass your API key in the Authorization header of every API request:
Authorization: Bearer YOUR_API_KEY
Example:
cURL
curl --location 'https://api.surt.com/faceguard/session/portal' \
--header 'Authorization: Bearer YOUR_API_KEY' \
--header 'Content-Type: application/json' \
--data-raw '{
"workflow_id": "YOUR_WORKFLOW_ID",
"customer": {
"customer_id": "user_123"
}
}'
Workflow ID
In addition to your API key, you need a workflow_id to create verification sessions:
- In your dashboard, go to FaceGuard → Workflows
- Create a workflow or use the default one
- Copy the
workflow_id
The workflow defines the verification configuration for your users (liveness tier, bypass policies, etc.).
Token Types
FaceGuard uses three token types:
| Token | Created by | Used by | Purpose |
|---|---|---|---|
| API Key | Dashboard | Your backend | Authenticate API calls |
| Portal Token | POST /faceguard/session/portal | Your frontend | Initialize FaceGuard (30 min expiry) |
| Session Token | POST /faceguard/session | FaceGuard app internally | Authenticate session operations |
Your backend uses the API key to create portal tokens. Your frontend passes the portal token to FaceGuard. Session tokens are managed internally by FaceGuard.
Environments
| Environment | Base URL |
|---|---|
| Production | https://api.surt.com |
warning
Keep your API key secret. Never expose it in client-side code. All API calls should be made from your backend.