API Keys

Keys

API Keys

Create named keys, tie them to the right project, rotate them safely, and keep every protected HRS call tied to a clear purpose.

Workspace

Named keys4 server-side

Keys should be named for the exact project and workload they serve, never treated like unlabeled secrets.

Last rotation8 days ago

Rotation health belongs on the key page itself so operators can act without leaving the setup lane.

Unused keys1 stale

The key page should make cleanup as visible as issuance.

KeysMake key issuance operational

•Name the key for one workload
The first key should read like a real workload name, not a generic environment label.

•Store it server-side only
Browser bundles, native apps, and support flows should never receive the raw secret.

Run the first protected lookupVerify the response and audit trace immediately after issuance from the playground lane.Open a live key detailInspect one named key with last use, scope, and rotation health already attached.

Naming and scopeEvery key should be named for the project and the workload it powers. That makes billing, audit review, and incident response much easier under real load.

Keys stay tied to a project and server-side only. Browser bundles, native clients, and support surfaces never receive the raw secret.

Rotation and replacementKey rotation is part of normal operations, not an edge case. The platform keeps old and new key windows visible long enough for safe cutovers.

Usage views and webhook health help teams confirm that a rotation completed cleanly before they fully retire the old secret.

Create the first keyAfter the first sandbox project exists, create one clearly named key, store it server-side, run a protected lookup, and confirm the key shows usage on the dashboard.

That first successful call proves the workspace, the project, and the key are all wired correctly.

bashName and store the first sandbox key

PAYTOCOMMIT_PROJECT=sandbox-workforce-review
PAYTOCOMMIT_KEY_LABEL=hrs-sandbox-backend
PAYTOCOMMIT_API_KEY=ptc_live_replace_me

curl https://api.paytocommit.com/v1/hrs/lookup \
  -H "Authorization: Bearer $PAYTOCOMMIT_API_KEY" \
  -H "X-PayToCommit-Project: $PAYTOCOMMIT_PROJECT" \
  -H "Content-Type: application/json" \
  -d '{
    "subject": { "legal_name": "Jordan Lee", "country": "US" },
    "consent_scope": "hrs.lookup.identity",
    "declared_purpose": "workforce_vetting"
  }'

Keep keys on the server and label them for the exact project and workload they power.

Key hygieneKeys

•Serving keys: 4 active
Each key should stay named for one project and one workload.

•Rotation window: 8 days since last rotation
Rotation health belongs on the key page itself, not in a hidden admin lane.

•Next move: Run protected lookup
Immediately verify the new key from the playground after issuance.

Secret handling postureBoundaries

•Storage rule: Server-side only
The key page should make it obvious that raw secrets never belong in browser or mobile bundles.

•Naming rule: Project + workload
Every key should remain traceable to one project and one job.

•Next lane: Playground smoke test
A new key should move directly into a live verification step.

Naming and scope

Every key should be named for the project and the workload it powers. That makes billing, audit review, and incident response much easier under real load.

Keys stay tied to a project and server-side only. Browser bundles, native clients, and support surfaces never receive the raw secret.

Rotation and replacement

Key rotation is part of normal operations, not an edge case. The platform keeps old and new key windows visible long enough for safe cutovers.

Usage views and webhook health help teams confirm that a rotation completed cleanly before they fully retire the old secret.

Create the first key

After the first sandbox project exists, create one clearly named key, store it server-side, run a protected lookup, and confirm the key shows usage on the dashboard.