Authentication

Authenticate API requests using Bearer tokens. All API requests require a valid API key to access your Logproof organization's data.

Authentication Method

Logproof uses API key authentication via the Authorization header with a Bearer token scheme. Include your API key in every request:

cURL

curl https://logproof.de/v1/events \
  -H "Authorization: Bearer lp_sk_your_api_key"

PHP

$ch = curl_init('https://logproof.de/v1/events');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // return the body instead of printing it
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Authorization: Bearer lp_sk_your_api_key'
]);
$response = curl_exec($ch);
curl_close($ch);

JavaScript

const response = await fetch('https://logproof.de/v1/events', {
  headers: {
    'Authorization': 'Bearer lp_sk_your_api_key'
  }
});

Python

import requests

response = requests.get(
    'https://logproof.de/v1/events',
    headers={
        'Authorization': 'Bearer lp_sk_your_api_key'
    }
)

Keep Your API Keys Secure

API keys starting with lp_sk_ are secret keys that grant access to your audit logs. Never expose them in client-side code, public repositories, or logs. Store them securely using environment variables or a secrets manager.

API Key Format

All Logproof API keys follow a consistent format for easy identification:

  • Secret keys: lp_sk_ followed by a random string (e.g., lp_sk_a1b2c3d4e5f6g7h8i9j0)
  • Used for server-to-server authentication
  • Never expire unless explicitly revoked
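Two small helpers that follow from the key format and the "keep your keys secure" advice above: load the key from the environment and fail fast if it is not an lp_sk_ key, log only a non-secret fingerprint of it, and redact any lp_sk_ key that ends up in a log line or a dumped request. This is an added example, not Logproof's own code; the environment variable name LOGPROOF_API_KEY and the assumption that the random part is alphanumeric (as in the example key above) are mine.

```python
import os
import re

# Assumption: the random part of a secret key is alphanumeric, matching the
# example key lp_sk_a1b2c3d4e5f6g7h8i9j0 shown in the docs.
SECRET_KEY_RE = re.compile(r"lp_sk_[A-Za-z0-9]+")


def load_api_key(env_var="LOGPROOF_API_KEY", environ=os.environ):
    """Read the key from the environment and reject anything that is not a
    Logproof secret key, so a mis-set variable fails here instead of as a
    confusing 401 on the first request."""
    key = environ.get(env_var, "").strip()
    if not key.startswith("lp_sk_"):
        raise ValueError(f"{env_var} is missing or is not a lp_sk_ secret key")
    return key


def auth_headers(api_key):
    """Header dict for requests/fetch-style clients."""
    return {"Authorization": "Bearer " + api_key}


def key_fingerprint(api_key):
    """Safe identifier for logs (prefix plus last four characters), so you
    can tell which key a process is using without exposing the secret."""
    return "lp_sk_..." + api_key[-4:]


def redact_secrets(text):
    """Mask every lp_sk_ key in text, keeping the prefix for identification."""
    return SECRET_KEY_RE.sub("lp_sk_***REDACTED***", text)
```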

API Key Scopes

Each API key can be configured with specific permissions to limit access. This follows the principle of least privilege - only grant the permissions necessary for each use case.

Scope         Description
events:read   Read and query audit events. Required for GET /events endpoints.
events:write  Create new audit events. Required for POST /events endpoint.
verify        Verify hash chain integrity. Required for GET /verify endpoint.
export        Export audit logs in various formats. Required for POST /exports endpoint.
keys:manage   Create, list, and revoke API keys. Required for managing API keys programmatically.

Scope Examples

Common scope combinations for different use cases:

  • Application logging: events:write only - Your app can create events but not read them
  • Dashboard/viewer: events:read, verify - Read-only access for viewing and verification
  • Compliance export: events:read, export - For automated compliance reports
  • Full access: All scopes - For administrative operations

Creating API Keys

Via Dashboard

The easiest way to create an API key is through the Logproof dashboard:

  1. Log in to your Logproof account at app.logproof.io
  2. Navigate to Settings → API Keys
  3. Click Create API Key
  4. Enter a descriptive name (e.g., "Production App Server")
  5. Select the required scopes
  6. Click Create

Copy Your Key Immediately

The complete API key is only shown once when created. Make sure to copy it to a secure location immediately. If you lose it, you'll need to create a new key.

Via API

You can also create API keys programmatically using an existing key with the keys:manage scope:

POST /keys

cURL

curl -X POST https://logproof.de/v1/keys \
  -H "Authorization: Bearer lp_sk_your_admin_key" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production App Server",
    "scopes": ["events:write"]
  }'

PHP

$ch = curl_init('https://logproof.de/v1/keys');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Authorization: Bearer lp_sk_your_admin_key',
    'Content-Type: application/json'
]);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode([
    'name' => 'Production App Server',
    'scopes' => ['events:write']
]));

$response = curl_exec($ch);
$key = json_decode($response);
curl_close($ch);

JavaScript

const response = await fetch('https://logproof.de/v1/keys', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer lp_sk_your_admin_key',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    name: 'Production App Server',
    scopes: ['events:write']
  })
});

const key = await response.json();

Python

import requests

response = requests.post(
    'https://logproof.de/v1/keys',
    headers={
        'Authorization': 'Bearer lp_sk_your_admin_key',
        'Content-Type': 'application/json'
    },
    json={
        'name': 'Production App Server',
        'scopes': ['events:write']
    }
)

key = response.json()

Response

{
  "id": "key_9XmNpQrS8tU",
  "name": "Production App Server",
  "key": "lp_sk_k9j8h7g6f5e4d3c2b1a0z9y8x7w6v5u4t3s2r1q0",
  "scopes": ["events:write"],
  "created_at": "2026-02-10T15:45:22.789Z"
}

Response Contains the Full Key

The key field in the response contains the full API key. This is the only time you'll see it, so store it securely immediately.

Key Rotation Best Practices

Regular API key rotation is an important security practice. Here's how to rotate keys safely:

Recommended Rotation Schedule

  • Production keys: Rotate every 90 days
  • Development keys: Rotate every 6 months or when team members change
  • Immediate rotation: If a key is exposed or compromised

Zero-Downtime Rotation Process

  1. Create a new key with the same scopes as the old key
  2. Deploy the new key to your application (update environment variables)
  3. Verify the new key is working in production
  4. Revoke the old key after confirming the new key is working
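The four rotation steps above, carried out against the endpoints documented on this page (POST /keys, GET /events, DELETE /keys/:key_id). This is an added example, not Logproof's own client: the transport is injectable so the logic can be exercised offline, step 2 is a deploy callback supplied by the caller, and since the page does not state the status code POST /keys returns, anything below 400 is treated as success. The verification probe uses GET /events and treats a 403 as proof that the key authenticated (it only lacks events:read), while a 401 aborts before the old key is touched.

```python
import json
import urllib.error
import urllib.request

BASE_URL = "https://logproof.de/v1"


def http_request(method, path, api_key, body=None):
    """Default transport over urllib. Returns (HTTP status, parsed JSON body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        BASE_URL + path, data=data, method=method,
        headers={"Authorization": "Bearer " + api_key,
                 "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def key_is_accepted(status):
    """401 means the key itself was rejected. 403 means the key authenticated
    but lacks a scope for the probe endpoint, which still proves it works."""
    return status != 401


def rotate_key(admin_key, old_key_id, old_scopes, name, deploy,
               request=http_request):
    """Zero-downtime rotation. deploy(new_key) is the caller's step 2 (for
    example updating environment variables). The old key is revoked only
    after the new one has been deployed and verified."""
    # Step 1: create a replacement with the same scopes (needs keys:manage).
    status, new_key = request("POST", "/keys", admin_key,
                              {"name": name, "scopes": list(old_scopes)})
    if status >= 400 or "key" not in new_key:
        raise RuntimeError(f"could not create replacement key: {new_key}")
    # Step 2: hand the secret to the deployment (never log it).
    deploy(new_key["key"])
    # Step 3: probe with the new key; a 401 aborts before anything is revoked.
    status, _ = request("GET", "/events", new_key["key"])
    if not key_is_accepted(status):
        raise RuntimeError("new key rejected (401); old key left active")
    # Step 4: revoke the old key now that the new one is confirmed working.
    status, body = request("DELETE", "/keys/" + old_key_id, admin_key)
    if status >= 400:
        raise RuntimeError(f"revoking {old_key_id} failed: {body}")
    return new_key
```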

Revoking a Key

To revoke an API key, use the DELETE endpoint:

DELETE /keys/:key_id

cURL

curl -X DELETE https://logproof.de/v1/keys/key_9XmNpQrS8tU \
  -H "Authorization: Bearer lp_sk_your_admin_key"

PHP

$ch = curl_init('https://logproof.de/v1/keys/key_9XmNpQrS8tU');
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'DELETE');
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Authorization: Bearer lp_sk_your_admin_key'
]);
curl_exec($ch);
curl_close($ch);

JavaScript

await fetch('https://logproof.de/v1/keys/key_9XmNpQrS8tU', {
  method: 'DELETE',
  headers: {
    'Authorization': 'Bearer lp_sk_your_admin_key'
  }
});

Python

import requests

requests.delete(
    'https://logproof.de/v1/keys/key_9XmNpQrS8tU',
    headers={
        'Authorization': 'Bearer lp_sk_your_admin_key'
    }
)

Revocation is Immediate

Once revoked, an API key stops working immediately. Any requests using the revoked key will receive a 401 Unauthorized response. Make sure the new key is working before revoking the old one.

Authentication Errors

Common authentication errors and how to resolve them:

401 Unauthorized

Your API key is missing, invalid, or has been revoked.

{
  "error": {
    "code": "unauthorized",
    "message": "Invalid API key. Please check your Authorization header."
  }
}

Solutions:

  • Verify the API key is correct and includes the lp_sk_ prefix
  • Check that the Authorization header is properly formatted: Authorization: Bearer lp_sk_...
  • Confirm the key hasn't been revoked in your dashboard

403 Forbidden

Your API key is valid but doesn't have permission for this operation.

{
  "error": {
    "code": "forbidden",
    "message": "API key does not have required scope: events:write"
  }
}

Solutions:

  • Check which scopes your API key has in the dashboard
  • Create a new key with the required scopes
  • Use a different key with appropriate permissions

Next Steps

Now that you understand authentication, you're ready to start making API calls. Check out the Events API documentation to learn how to create and query audit events.