Authentication

AltFiScore uses bearer-token authentication via API keys. Every request to the AltFiScore API must include a valid key in the Authorization header.

API key format

Every AltFiScore API key follows a predictable structure that makes it easy to spot at a glance — whether you're reviewing code or scanning logs.

key structure

altfi_<env>_<random-secret>

# Examples
altfi_test_DemoKey1234567890abcdefghijklmn   # sandbox
altfi_live_aBc7xYzPq3rStUvWxYz123456789abc   # production

altfi_test_* — sandbox keys, free, never bill, fully isolated from production data
altfi_live_* — production keys, real decisions against real consumers

Production keys are never reversible

AltFiScore stores only a SHA-256 hash of every key. The full key is shown once at creation. If you lose a key, you can't recover it — only generate a new one and rotate.

Bearer token header

Send your API key as a bearer token in the standard Authorization header:

HTTP header

Authorization: Bearer altfi_test_DemoKey1234567890abcdefghijklmn

Calls without an Authorization header — or with an invalid/revoked key — return HTTP 401 Unauthorized:

401 Unauthorized

{
  "error": "invalid_api_key",
  "message": "The API key provided is invalid, expired, or revoked."
}

Sandbox vs live environments

Every tenant has two completely isolated environments. Sandbox keys can only access sandbox data; live keys can only access production data. There is no cross-environment leak.

When to use sandbox

Local development
Integration tests in CI
Staging environments
Any time you don't want a real consumer scored

When to use live

Production traffic from real customers
End-to-end staging tests that intentionally hit production infrastructure

Sandbox is free, forever

Sandbox decisions don't count toward your billing volume. Test as much as you want. The decision engine, response shape, and timing are identical to production.

Key rotation

AltFiScore recommends rotating production keys at least every 90 days. You can hold multiple active keys simultaneously, which makes zero-downtime rotation straightforward:

Generate a new live key in the lender portal
Deploy the new key to your application
Confirm traffic is using the new key (check API Logs in the lender portal — the key prefix is shown on every call)
Revoke the old key

Revocation is instant

Revoking a key immediately invalidates it across all AltFiScore servers. Active requests that have already started will complete; new requests with the revoked key will fail with 401. Always confirm traffic has moved to the new key before revoking the old one.

Security best practices

Never embed keys in client-side code — keys belong on your servers only. A leaked client-side key gives anyone full access to your tenant.
Use environment variables or a secrets manager — never commit keys to git. AWS Secrets Manager, HashiCorp Vault, and similar tools are all good options.
Use separate keys per service — if your API and your background worker each have their own key, you can isolate a compromise.
Monitor API Logs — the lender portal shows the key prefix and origin IP for every call. Investigate any unexpected activity.

Next steps

Set up your sandbox tenant and explore the pre-seeded test consumers
Make your first API call
Handle errors the API may return