Authentication
D-ME uses API keys to authenticate requests. Your API key grants access to your tenant's data and operations. All API calls must include your key in the Authorization header.
API Key Format
All D-ME API keys follow this pattern:
| Prefix | Environment | Example |
|---|---|---|
| dme_live_ | Production | dme_live_abc123... |
| dme_sandbox_ | Sandbox (testing) | dme_sandbox_abc123... |
Keys are 48 characters long after the prefix. Raw keys are displayed exactly once when created — we only store a SHA-256 hash.
Making Authenticated Requests
Include your API key in the Authorization header using the Bearer scheme:
curl https://api.d-id.me/v1/kyc/verifications \
  -H "Authorization: Bearer dme_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Security: Never expose your API key client-side. Always make D-ME API calls from your backend server. Do not hardcode keys in source code — use environment variables.
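One way to apply this guidance in a Python backend, as an added example that is not D-ME's own code: it reads the key from an environment variable, checks it against the documented prefix and length, refuses a key from the wrong environment, and logs only a digest. The variable name DME_API_KEY and all helper names are assumptions.

```python
import hashlib
import os

# Prefixes and body length come from the key format table above.
PREFIXES = {"dme_live_": "production", "dme_sandbox_": "sandbox"}
KEY_BODY_LEN = 48


class KeyConfigError(ValueError):
    """Raised for a missing, malformed or wrong-environment key."""


def classify_key(key):
    """Return 'production' or 'sandbox'; never echo the key in errors."""
    for prefix, env in PREFIXES.items():
        if key.startswith(prefix):
            body_len = len(key) - len(prefix)
            if body_len != KEY_BODY_LEN:
                raise KeyConfigError(
                    f"{prefix} key has {body_len} characters after the prefix, "
                    f"expected {KEY_BODY_LEN}")
            return env
    raise KeyConfigError("key does not start with dme_live_ or dme_sandbox_")


def load_key(expected_env, environ=os.environ, var="DME_API_KEY"):
    """Read the key from the environment (DME_API_KEY is an assumed name)."""
    key = environ.get(var, "").strip()
    if not key:
        raise KeyConfigError(f"{var} is not set")
    env = classify_key(key)
    if env != expected_env:
        # Stops a live key from being used in CI, or a sandbox key in prod.
        raise KeyConfigError(f"{env} key supplied, {expected_env} key required")
    return key


def auth_headers(key):
    """Build the header the API expects: Authorization: Bearer <key>."""
    return {"Authorization": f"Bearer {key}"}


def fingerprint(key):
    """Short SHA-256 digest for logs, so the raw key is never written out."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:12]


if __name__ == "__main__":
    sample = "dme_sandbox_" + "a" * KEY_BODY_LEN  # constructed, not a real key
    key = load_key("sandbox", environ={"DME_API_KEY": sample})
    print(fingerprint(key), sorted(auth_headers(key)))
```

Calling load_key once at startup makes a misconfigured deployment fail before any request is sent.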
API Key Scopes
Each key has a set of scopes that control which operations it can perform. Scope-restricted keys follow the principle of least privilege.
| Scope | What it allows |
|---|---|
| kyc.verify | Submit and manage KYC verifications |
| kyc.read | Read verification results (no submission) |
| score.get | Request and read credit scores |
| webhooks.write | Register and manage webhooks |
| webhooks.read | Read webhook configurations |
| keys.read | List active API keys |
| keys.write | Create and revoke API keys |
Authentication Error Responses
| Status | Code | Meaning |
|---|---|---|
| 401 | UNAUTHORIZED | Missing or invalid API key |
| 403 | FORBIDDEN | Valid key but insufficient scope |
Key Rotation Best Practices
- Rotate live keys every 90 days
- Generate a new key before revoking the old one to avoid downtime
- Create environment-specific keys (one per deployment)
- Use sandbox keys for development and CI/CD pipelines
- Revoke any key you suspect has been compromised immediately