Authmatech uses API-key authentication. The OpenAPI security scheme is ApiKey, an API key passed in the X-API-KEY header, accompanied on every operation by the X-CLIENT-ID header that identifies your account.

Required headers

| Header | Required | Description |
| --- | --- | --- |
| X-API-KEY | Yes | Your secret API key. Server-side only. |
| X-CLIENT-ID | Yes | Your Client ID, identifying the account. |
| Content-Type | For bodies | application/json |

curl -X POST https://service.authmatech.com/v1/api/verify \
  -H "X-API-KEY: YOUR_API_KEY" \
  -H "X-CLIENT-ID: YOUR_CLIENT_ID" \
  -H "Content-Type: application/json" \
  -d '{ "mobileNumber": "+962791234567", "encryptedMobileNumber": "…", "operatorId": "ZAIN_JO", "serviceType": "LOGIN" }'

Credential scopes

| Credential | Header | Allowed endpoints |
| --- | --- | --- |
| API key | X-API-KEY | All server APIs under /v1/api/** |
| SDK token | X-SDK-TOKEN | Only /v1/api/sdk/session |

The SDK token cannot call Verify or any other server API — it exists so client code never holds your API key. Use it from the Web SDK and mobile SDKs only.

Unauthorized response

A missing or invalid X-API-KEY / X-CLIENT-ID returns 401 in the standard envelope:
{
  "success": false,
  "messages": [
    { "type": "FAILURE", "message": "Unauthorized", "httpStatus": "UNAUTHORIZED" }
  ],
  "data": null
}
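
The following Python sketch is an added example, not Authmatech's own code. It mirrors the credential-scope table as a pre-flight check, builds the server-side headers, masks secrets before logging, and turns the 401 envelope above into a distinct exception. The function names are hypothetical, and the handling of a successful response assumes it uses the same three envelope fields.

```python
import json

SDK_SESSION_PATH = "/v1/api/sdk/session"   # the only endpoint the SDK token may call
SERVER_PREFIX = "/v1/api/"                 # API key scope: /v1/api/**

class Unauthorized(Exception):
    """The API rejected X-API-KEY / X-CLIENT-ID (HTTP 401)."""

def credential_allowed(header, path):
    """Mirror the credential-scope table: which header may call which path."""
    if header == "X-SDK-TOKEN":
        return path == SDK_SESSION_PATH
    if header == "X-API-KEY":
        return path.startswith(SERVER_PREFIX)
    return False

def server_headers(api_key, client_id):
    """Headers for a server-side call; both identifiers are mandatory."""
    if not api_key or not client_id:
        raise ValueError("X-API-KEY and X-CLIENT-ID are both required")
    return {"X-API-KEY": api_key, "X-CLIENT-ID": client_id,
            "Content-Type": "application/json"}

def redact(headers):
    """Copy of the headers that is safe to log: secret values are masked."""
    secret = {"X-API-KEY", "X-SDK-TOKEN"}
    return {k: ("***" if k in secret else v) for k, v in headers.items()}

def check_envelope(status, body_text):
    """Parse the envelope; raise Unauthorized on 401 so callers alert, not retry."""
    envelope = json.loads(body_text)
    messages = envelope.get("messages") or []
    if status == 401 or any(m.get("httpStatus") == "UNAUTHORIZED" for m in messages):
        text = messages[0].get("message", "Unauthorized") if messages else "Unauthorized"
        raise Unauthorized(text)
    if not envelope.get("success"):
        raise RuntimeError("request failed: %r" % messages)
    return envelope.get("data")  # assumed: success responses carry the payload here

# Constructed sample: the 401 body shown on this page.
SAMPLE_401 = ('{"success": false, "messages": [{"type": "FAILURE", '
              '"message": "Unauthorized", "httpStatus": "UNAUTHORIZED"}], "data": null}')

if __name__ == "__main__":
    print(redact(server_headers("YOUR_API_KEY", "YOUR_CLIENT_ID")))
    try:
        check_envelope(401, SAMPLE_401)
    except Unauthorized as exc:
        print("auth failure:", exc)
```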

Rotating keys

  • POST /v1/api/me/api-key/rotate — rotate your own key (requires the client secret). See Rotate an API key.
  • POST /v1/api/me/api-key/generate — generate your first key. See Generate an API key.

For security best practices, see the Authentication guide.