Authentication
The CreatorLayer API uses API key authentication via Bearer tokens.
How it works
- During pilot onboarding, you receive a raw API key (a 64-character hex string)
- Include it in every request as a Bearer token:
Authorization: Bearer cl_live_a1b2c3...your_key_here
- The server hashes the key with SHA-256 and looks up the hash in its key store
- If the hash matches, the request is authenticated with the associated role
Roles
| Role | Access |
|---|---|
| lender | Verification, benchmarks, consent endpoints |
| gdpr_admin | All lender endpoints + GDPR access/erase/export |
Error responses
| Status | Meaning |
|---|---|
| 401 Unauthorized | Missing or invalid Authorization header |
| 403 Forbidden | Valid key but insufficient role for this endpoint |
Key management
- Keys are stored as SHA-256 hashes (the raw key is never stored)
- Keys can be rotated by issuing a new key and revoking the old hash
- All key operations are logged for audit
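The lookup, role check and rotation described above can be sketched as follows. This is an added example, not CreatorLayer's server code: the `KeyStore` class, the `authorize` function, the endpoint group names and the generated key format are assumptions made for illustration.

```python
import hashlib
import secrets

# Endpoint groups per role, following the Roles table (group names are assumed).
ROLE_ACCESS = {
    "lender": {"verification", "benchmarks", "consent"},
    "gdpr_admin": {"verification", "benchmarks", "consent", "gdpr"},
}

class KeyStore:
    """Holds SHA-256 digests of API keys; the raw key is never kept."""

    def __init__(self):
        self._roles = {}  # hex digest -> role
        self.audit = []   # (operation, digest) entries, never raw keys

    @staticmethod
    def digest(raw_key):
        return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()

    def issue(self, role):
        raw_key = "cl_live_" + secrets.token_hex(32)  # constructed key format
        self._roles[self.digest(raw_key)] = role
        self.audit.append(("issue", self.digest(raw_key)))
        return raw_key  # handed to the caller once, not stored

    def revoke(self, key_hash):
        self._roles.pop(key_hash, None)
        self.audit.append(("revoke", key_hash))

    def rotate(self, old_raw_key):
        # Issue the replacement first, then revoke the old hash.
        new_key = self.issue(self._roles[self.digest(old_raw_key)])
        self.revoke(self.digest(old_raw_key))
        return new_key

    def role_for(self, raw_key):
        return self._roles.get(self.digest(raw_key))

def authorize(store, authorization_header, endpoint_group):
    """Return the status the error table describes: 200, 401 or 403."""
    scheme, _, token = (authorization_header or "").partition(" ")
    if scheme != "Bearer" or not token.strip():
        return 401  # missing or malformed Authorization header
    role = store.role_for(token.strip())
    if role is None:
        return 401  # hash not in the key store (unknown or revoked key)
    return 200 if endpoint_group in ROLE_ACCESS[role] else 403
```

Because the store is keyed by digest, a revoked key fails with 401 exactly like a key that never existed, and the audit entries identify keys by hash only.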
Example request
```bash
curl -X POST https://api.creatorlayer.eu/api/v1/verifications \
  -H "Authorization: Bearer cl_live_a1b2c3d4e5f6..." \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: 550e8400-e29b-41d4-a716-446655440000" \
  -d '{
    "obligor_reference": "creator_001",
    "creator_platforms": ["youtube", "stripe"],
    "lender_name": "Pilot Bank",
    "product_type": "rbf"
  }'
```