Authentication
The TrustView API uses API keys for authentication. Every request must include a valid key in the X-API-Key header.
Getting a key
API keys are created by a company admin through the TrustView dashboard or the management API. When a key is created, you get a raw key that looks like this:
Save your key
The raw key is only shown once at creation time. TrustView stores a SHA-256 hash, so the original key cannot be retrieved later. If you lose it, revoke it and create a new one.
Using your key
Include the key in the X-API-Key header on every request:
```bash
curl -X GET https://nightly.api.trustview.eu/external/smart-inventory/vendor/list \
  -H "X-API-Key: tvw_sk_live_a1b2c3d4e5f6..."
```
How it works
- Each API key belongs to a specific company. The company is resolved automatically from the key -- you don't need to pass a company ID in the URL or body.
- Each key has its own integration user in TrustView. All actions performed through the API are attributed to this user in audit logs and history.
- Keys can be enabled, disabled, or given an expiration date.
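
The following sketch models the behaviour described on this page: hash-only storage, company resolution from the key, and the two 401 cases for invalid and for disabled or expired keys. It is an added illustration, not TrustView's own code; `KeyStore`, `KeyRecord`, the length of the random part and the `acme` company ID are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

PREFIX = "tvw_sk_live_"  # key prefix documented on this page


@dataclass
class KeyRecord:
    company_id: str                       # company the key belongs to
    enabled: bool = True
    expires_at: Optional[datetime] = None


class KeyStore:
    """Hypothetical store that keeps only SHA-256 digests, never raw keys."""

    def __init__(self) -> None:
        self._by_digest: dict[str, KeyRecord] = {}

    @staticmethod
    def _digest(raw_key: str) -> str:
        return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()

    def create(self, company_id: str, expires_at: Optional[datetime] = None):
        # Assumption: 24 random bytes, hex-encoded; the page does not give the length.
        raw_key = PREFIX + secrets.token_hex(24)
        record = KeyRecord(company_id, True, expires_at)
        self._by_digest[self._digest(raw_key)] = record
        return raw_key, record  # the raw key leaves the store here and is not kept

    def authenticate(self, headers: dict, now: datetime):
        """Return (HTTP status, company_id) for a request's headers."""
        raw_key = headers.get("X-API-Key", "")
        record = self._by_digest.get(self._digest(raw_key))
        if record is None:
            return 401, None  # missing or invalid X-API-Key header
        if not record.enabled or (record.expires_at is not None and now >= record.expires_at):
            return 401, None  # key is disabled or expired
        return 200, record.company_id  # company resolved from the key alone


if __name__ == "__main__":
    store = KeyStore()
    key, rec = store.create("acme", datetime(2030, 1, 1))  # constructed sample values
    print(store.authenticate({"X-API-Key": key}, datetime(2029, 1, 1)))
    print(store.authenticate({"X-API-Key": key}, datetime(2030, 1, 1) + timedelta(days=1)))
```

Because only the digest is stored, a lost key cannot be read back out of the store, which is why the only recovery path is to revoke it and create a new one.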
Key format
All keys use the tvw_sk_live_ prefix. This prefix is registered with GitHub secret scanning -- if a key is accidentally committed to a repository, GitHub will detect and flag it.
Error responses
| Status | Meaning |
|---|---|
| 401 Unauthorized | Missing or invalid X-API-Key header |
| 401 Unauthorized | API key is disabled or expired |
| 403 Forbidden | Key is valid but not authorized for this resource |
Example error response:
Security best practices
- Store keys in environment variables or a secrets manager, never in source code
- Use a separate key per integration so you can revoke them independently
- Set expiration dates on keys when possible
- Rotate keys periodically