Your account API Keys
Veryfi assigns one set of API Keys to each company account to access all supported APIs. These keys authenticate your requests to the Veryfi API, so they should be treated as sensitive credentials and never shared publicly or committed to source control.
You can manage your API Keys in two ways:
Web Portal: Navigate to Settings > Keys in your Veryfi Portal.
Programmatically via the API: You can now create, list, delete, and reset keys directly through our API, which makes it possible to automate key rotation as part of your own security workflows.
What is API Key rotation?
API key rotation is the practice of periodically changing or updating the API keys used for authentication and authorization. It is a security measure that reduces the risk associated with long-lived or potentially compromised keys, and it helps maintain the overall integrity of your systems and the confidentiality of your data.
Why is API Key rotation important?
Regular rotation is one of the simplest and most effective ways to reduce the risk of unauthorized access and data breaches. If an API key is exposed, whether through a leaked config file, a former employee, or a third-party compromise, an attacker could use it to access sensitive data or perform actions on your behalf. Rotating keys on a schedule limits how long any single compromised key remains useful.
Rotation is also a common requirement in compliance and regulatory frameworks (such as SOC 2, HIPAA, and PCI DSS). Implementing a rotation policy demonstrates your organization's commitment to security and helps you meet industry standards.
The right rotation frequency depends on your risk tolerance, industry, and internal policies. Most teams rotate keys quarterly or annually, but higher-security environments may rotate more often. With the new programmatic API, you can schedule rotations automatically rather than relying on manual calendar reminders.
Who can manage API Keys? (Permissions)
API Keys are company-sensitive information, so access to them is tightly controlled:
Only Admin users can be granted access to API Keys. Non-Admin team members cannot view or manage keys.
Only Admin users who already have API Keys access can grant, enable, or disable API Keys access for another Admin.
By default, when you add an external team member, API Keys access is restricted until explicitly granted.
The account owner is the only user who always has permission to create and remove API Keys in the Web Portal.
To review or update permissions for your team, go to Settings > My Team in your Veryfi Portal. For a full walkthrough, see the API Keys Access Permissions article and How to Manage Admin Permissions for your Team Members.
⚠️ Important: If your company uses a single profile for multiple use cases, resetting your keys will affect all APIs running in that environment. For example, if you use the Receipts & Invoices API for expense management and the W-9 API for vendor onboarding, and both share the same set of keys, a reset will impact both. API keys belonging to separate Dev or Staging profiles are not affected.
How to rotate your Veryfi API keys
Whether you use the Portal or the API, the rotation process follows the same four steps.
1. Generate a new API Key
Create a new key to replace the existing one using Veryfi's secure key generation.
Using the Veryfi Portal
Navigate to Settings > Keys in your Veryfi Portal.
Press ADD NEW API KEY.
Copy the newly generated API Key and store it securely.
Using the API
Call the Add a Key endpoint. You can also list existing keys first to audit what's currently in use via the Retrieve Keys endpoint.
2. Update your applications and systems
Replace the old API key with the new one in every application, service, or configuration file that authenticates against the Veryfi API. Don't forget environment variables, secret managers, CI/CD pipelines, and any automation scripts.
3. Test and validate
Confirm that your applications can successfully authenticate and make requests using the new key before you remove the old one. Running both keys in parallel briefly allows you to roll back quickly if something was missed.
4. Retire or revoke the old API Key
Once you've confirmed everything is working with the new key, retire the old one to prevent any further use.
Using the Veryfi Portal
Return to the Keys section in your Veryfi Portal and press Delete next to the old key.
Using the API
Remove a specific key: Delete a Key
Reset all keys at once: Reset all Keys
Once the old key is retired, your new API Key automatically becomes your Primary API Key.
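The four steps above, sketched as an added example (not Veryfi's own code) that deletes the old key only after the new one validates and rolls back otherwise. FakeKeyService, rotate, the store dictionary and the API_KEY_SECRET name are hypothetical stand-ins; no Veryfi endpoint is called and the keys are constructed in memory.

```python
import secrets

class RotationError(Exception):
    pass

class FakeKeyService:
    """In-memory stand-in for a key-management API (hypothetical, no network)."""
    def __init__(self):
        self.keys = {}          # key_id -> secret
        self._next = 1

    def add_key(self):
        key_id = f"key-{self._next}"
        self._next += 1
        self.keys[key_id] = secrets.token_hex(16)
        return key_id, self.keys[key_id]

    def list_keys(self):
        return sorted(self.keys)

    def delete_key(self, key_id):
        del self.keys[key_id]

def rotate(service, store, name, old_key_id, validate):
    """Run the four steps; the old key is deleted only after validation passes."""
    previous = store[name]
    new_id, new_secret = service.add_key()      # 1. generate a new key
    store[name] = new_secret                    # 2. update the consumer's secret
    try:
        ok = validate(store[name])              # 3. test while both keys are live
    except Exception:
        ok = False
    if not ok:
        store[name] = previous                  # roll back to the still-valid old key
        service.delete_key(new_id)              # do not leave an unused key active
        raise RotationError(f"validation failed; {old_key_id} left in place")
    service.delete_key(old_key_id)              # 4. retire the old key
    return new_id

def demo():
    svc = FakeKeyService()
    old_id, old_secret = svc.add_key()
    store = {"API_KEY_SECRET": old_secret}      # constructed secret-store entry
    new_id = rotate(svc, store, "API_KEY_SECRET", old_id,
                    validate=lambda s: s in svc.keys.values())
    return svc.list_keys(), new_id, store["API_KEY_SECRET"] != old_secret
```

In a real workflow, validate would make an authenticated request with the new key, and store would be your secret manager or CI/CD variable store.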


