Authentication overview

Persona provides identity verification services through an API that requires authentication on every request. The primary way to authenticate to Persona's API is with an API key. Keys let applications interact with the platform programmatically: initiating verifications, retrieving verification status, and managing templates. Requiring authentication ensures that only authorized applications and users can read or modify sensitive identity data, which is also what privacy regulations such as GDPR and CCPA expect of anyone processing that data (see Persona's own compliance documentation).

Authentication is essential to the integrity and confidentiality of the personal data Persona processes. Every request must carry valid credentials, passed as HTTP headers, so the server can establish who is calling and what that caller is permitted to do. This is what stands between an attacker and a data set whose exposure would be a serious breach. API keys are a standard mechanism for securing web APIs and are covered in most API security guidance, including Google's API handbook.

Developers integrate Persona into their applications either through Persona's SDKs (for iOS, Android, React Native, and Web) or by making authenticated HTTP requests directly to the REST API. The choice depends on the application's architecture, but the authentication principles are the same on every path. One consequence matters for the rest of this page: the client SDKs drive the end-user verification flow on a device you do not control, so any call that needs your API credentials belongs on your backend, not in the SDK-hosting client.

Supported authentication methods

Persona authenticates API calls with API keys. A key is generated in the Persona Dashboard and consists of an API Key ID and an API Key Secret. In the model described on this page, the ID identifies the caller and the secret is used to sign requests. The secret is equivalent to a password: anyone holding it can act as your application, so it must be stored and transmitted with the same care you would give a database password.

When making a request, the API Key ID is sent in a request header so the server knows which key to check, and the API Key Secret is used to compute a signature over the request. The server recomputes the signature with its own copy of the secret and rejects the request if the values differ, which proves the request came from a holder of that secret and was not altered in transit. All traffic to the Persona API runs over HTTPS/TLS, so the credentials and the identity data in the body are protected on the wire (see the Persona API overview). TLS protects the channel, not the key: a secret that leaks from source control or a client bundle is fully usable by whoever finds it.

The primary authentication method supported by Persona, summarized:

  Method:          API Keys (ID & Secret)
  When to use:     Programmatic access to Persona's REST API from backend services. Not from browser or mobile code, where the secret would be exposed to the end user.
  Security level:  High, provided the secret is kept in a secrets manager or environment variable and sent only over HTTPS.

Getting your credentials

To obtain your Persona API credentials, you must have an active Persona account. The process generally involves navigating to the Developer settings or API Keys section within the Persona Dashboard. Here's a general outline of the steps:

  1. Log in to the Persona Dashboard: Access your account through Persona's login page.
  2. Navigate to API Keys: Look for a section named "Developer," "API Keys," or "Integrations" in the dashboard's navigation menu. The exact path may change as the dashboard is updated.
  3. Generate New API Key: In the API Keys section, choose the option to generate a new key. Where the dashboard offers it, pick the narrowest key type that fits the job (for example read-only rather than full access) and the environment the key is for (for example development or production).
  4. Record Credentials: Persona displays the API Key ID and API Key Secret once, at generation time. Copy the secret immediately into your secrets store; it cannot be retrieved later (see Persona's API keys documentation). If you lose it, revoke that key and generate a new one rather than hunting for the old value.

Persona recommends generating separate API keys for different environments (e.g., development, staging, production) and for different services or applications to enhance security and simplify key management. This segmentation allows for more granular control over access and makes it easier to revoke a compromised key without affecting other parts of your system.

Authenticated request example

An authenticated request carries your API Key ID and a signature derived from your API Key Secret in the request headers. The example below is conceptual: it shows the shape of such a request, not the exact signature construction, which you must take from the official Persona API reference. One caveat a practitioner should know: in Persona's published documentation a Persona-Signature header is what Persona attaches to the webhooks it delivers to you, so that you can verify them. Treat its appearance on an outbound request here as an illustration of the signing pattern, and confirm the real request headers against the reference before relying on them.

Consider creating an Inquiry, which is a POST to an endpoint such as /inquiries. The authenticated request might look like this:

POST https://api.withpersona.com/v1/inquiries
Authorization: Bearer YOUR_API_KEY_ID
Persona-Signature: v1,SIGNATURE_STRING
Content-Type: application/json

{
  "data": {
    "type": "inquiry",
    "attributes": {
      "templateId": "itmpl_YOUR_TEMPLATE_ID",
      "fields": {
        "nameFirst": "John",
        "nameLast": "Doe",
        "emailAddress": "john.doe@example.com"
      }
    }
  }
}

In this example:

  • YOUR_API_KEY_ID is replaced with the API Key ID from your Persona Dashboard. It identifies the key; it is not the secret.
  • SIGNATURE_STRING is a keyed hash (for example an HMAC) computed with the API Key Secret over the request body, a timestamp and any other parameters the scheme covers. Binding a timestamp into the signature is what lets the server reject a captured request that is replayed later. Persona's client libraries and SDKs compute this for you; prefer them to a hand-rolled implementation, which is where subtle bugs such as non-constant-time comparison creep in.
  • The request body carries the data needed to create an Inquiry, such as a template ID and the user's fields. Because the body is covered by the signature, it must be sent byte-for-byte as it was signed.

For specific code examples in languages like Python, Ruby, or Node.js, consult the Persona developer documentation, which provides detailed instructions and sample code snippets for various API operations and authentication flows.
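As an added example (not Persona's SDK and not code from this page), the following Python builds the request above in the ID-plus-secret signing pattern described here and shows the matching server-side check, including a replay window and a constant-time comparison. Everything specific to the wire format is an assumption for illustration: the HMAC-SHA256 over "<timestamp>.<body>", the "v1,<hex>" rendering of the Persona-Signature header, the Persona-Timestamp header, the environment variable names and the demo credentials. Persona's real scheme may differ; check the API reference.

```python
"""Added example of the ID + secret signing pattern described on this page.
Not Persona's SDK: the header names, the signature construction and the
environment variable names are assumptions for illustration only."""
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional, Tuple

SIGNATURE_VERSION = "v1"
MAX_SKEW_SECONDS = 300  # assumed replay window: reject timestamps more than 5 min off


def load_credentials() -> Tuple[str, str]:
    """Read the key pair from the environment, never from source code."""
    key_id = os.environ.get("PERSONA_API_KEY_ID")  # assumed variable names
    secret = os.environ.get("PERSONA_API_KEY_SECRET")
    if not key_id or not secret:
        raise RuntimeError("Persona API credentials are not configured")
    return key_id, secret


def canonical_body(payload: dict) -> bytes:
    """Serialize deterministically so signer and verifier hash identical bytes."""
    return json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()


def sign(secret: str, timestamp: int, body: bytes) -> str:
    """Assumed scheme: HMAC-SHA256 over '<timestamp>.<body>' keyed with the
    secret, rendered as 'v1,<hex>' to match the header shown on this page."""
    message = str(timestamp).encode() + b"." + body
    digest = hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()
    return f"{SIGNATURE_VERSION},{digest}"


def build_request(key_id: str, secret: str, payload: dict,
                  timestamp: Optional[int] = None) -> Dict[str, object]:
    """Assemble the POST /inquiries request: key ID in the bearer header, the
    signature beside it, and the timestamp the signature covers in its own header."""
    ts = int(time.time()) if timestamp is None else timestamp
    body = canonical_body(payload)
    headers = {
        "Authorization": f"Bearer {key_id}",
        "Persona-Signature": sign(secret, ts, body),
        "Persona-Timestamp": str(ts),  # assumed header name
        "Content-Type": "application/json",
    }
    return {"method": "POST", "url": "https://api.withpersona.com/v1/inquiries",
            "headers": headers, "body": body}


def verify(secret: str, headers: Dict[str, str], body: bytes,
           now: Optional[int] = None) -> bool:
    """Receiving side of the same pattern: recompute, compare in constant time,
    enforce the replay window.  Returns only a boolean so the caller cannot
    leak which check failed back to the client."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["Persona-Timestamp"])
        version, provided = headers["Persona-Signature"].split(",", 1)
    except (KeyError, ValueError):
        return False
    if version != SIGNATURE_VERSION or abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    expected = sign(secret, ts, body).split(",", 1)[1]
    return hmac.compare_digest(expected, provided)


# The inquiry body from the example above, with constructed placeholder values.
INQUIRY_PAYLOAD = {
    "data": {
        "type": "inquiry",
        "attributes": {
            "templateId": "itmpl_YOUR_TEMPLATE_ID",
            "fields": {"nameFirst": "John", "nameLast": "Doe",
                       "emailAddress": "john.doe@example.com"},
        },
    }
}

if __name__ == "__main__":
    # Demo-only values; a real deployment sets these in the environment.
    os.environ.setdefault("PERSONA_API_KEY_ID", "demo-key-id")
    os.environ.setdefault("PERSONA_API_KEY_SECRET", "demo-key-secret")
    kid, sec = load_credentials()
    req = build_request(kid, sec, INQUIRY_PAYLOAD)
    print(req["headers"]["Persona-Signature"])
    print("verified:", verify(sec, req["headers"], req["body"]))
```

Two design points carry over to any real scheme: the body is canonicalized before signing so the verifier hashes the same bytes, and verify() folds every failure (missing header, bad version, stale timestamp, wrong digest) into a single False, which is the shape the "Error Handling" practice below asks for.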

Security best practices

Securing your Persona API credentials and interactions is paramount due to the sensitive nature of identity verification data. Adhering to the following best practices can help mitigate risks:

  • Keep API Secrets Confidential: Treat your API Key Secret like a password. Never embed it in client-side code (browser JavaScript, mobile app binaries) or commit it to version control. Keep it in environment variables, a secret management service, or a server-side configuration file that is excluded from the repository, and add a secret-scanning check to CI so an accidental commit is caught before it is pushed.
  • Use Environment-Specific Keys: Generate separate API keys for development, staging and production. A key leaked from a test environment then cannot touch production data.
  • Rotate API Keys Regularly: Rotate keys on a schedule and immediately on suspicion of exposure. Rotate with overlap: generate the new key, deploy it everywhere the old one is used, confirm traffic has moved, then revoke the old key in the dashboard. Revoking first causes an outage that tempts people to skip rotation next time.
  • Implement Least Privilege: Where Persona offers granular permissions for API keys, grant each key only what its task needs. A key that only polls verification status should not be able to modify templates or account settings.
  • Secure Client-Side Integrations: When Persona's SDKs run in a web or mobile client, every operation that needs your API Key Secret must be proxied through your backend. The client talks only to your backend; your backend authenticates to Persona. The client must never see the secret, even transiently.
  • Monitor API Usage: Review API logs and usage patterns for anomalies such as a key used from an unexpected network, a burst of authentication failures, or calls to endpoints a given key has never used. These are the earliest signs of a leaked or abused key.
  • Enforce HTTPS/TLS: All communication with Persona's API must use HTTPS/TLS so that keys and identity data are protected in transit. Persona enforces this on its side, but your HTTP client must also validate certificates; never disable verification to work around a proxy or a test environment.
  • Error Handling: Handle authentication failures robustly. Return a generic error to the caller and log the detail (which check failed, the request ID, the key ID but never the secret) on the server, so that attackers cannot use your error messages to learn which part of a forged credential was almost right.
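To make the "Monitor API Usage" item concrete, here is an added Python example (not from Persona or this page) that scans an application's outbound-request log for two signals of key misuse: a key used from a source address other than the backend's known egress addresses, and a run of 401/403 responses on one key. The log line format, the egress allowlist, the failure threshold and the sample log lines are all constructed for the example; adapt the parser to whatever your HTTP client or proxy actually emits.

```python
"""Added example for the "Monitor API Usage" practice: flag API-key misuse in
an outbound-request log.  The line format, allowlist, threshold and sample
lines are constructed for illustration; Persona defines none of them."""
import re
from collections import defaultdict
from typing import Dict, List

# Assumed format: "<iso-timestamp> key_id=<id> status=<code> ip=<src> path=<path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) key_id=(?P<key>\S+) status=(?P<status>\d{3}) "
    r"ip=(?P<ip>\S+) path=(?P<path>\S+)$"
)

AUTH_FAILURE_THRESHOLD = 3                        # 401/403s per key before we flag it
EXPECTED_EGRESS = {"203.0.113.5", "203.0.113.6"}  # assumed NAT addresses of our backend

# Constructed sample log: one production key used from an unknown address with
# repeated auth failures, one dev key with a single (benign) failure, one junk line.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z key_id=prod-key-a status=201 ip=203.0.113.5 path=/v1/inquiries
2024-05-01T10:00:02Z key_id=prod-key-a status=200 ip=203.0.113.6 path=/v1/inquiries/inq_1
2024-05-01T10:00:03Z key_id=prod-key-a status=401 ip=198.51.100.23 path=/v1/inquiries
2024-05-01T10:00:04Z key_id=prod-key-a status=401 ip=198.51.100.23 path=/v1/inquiries
2024-05-01T10:00:05Z key_id=prod-key-a status=401 ip=198.51.100.23 path=/v1/inquiries
2024-05-01T10:00:06Z key_id=prod-key-a status=403 ip=198.51.100.23 path=/v1/templates
2024-05-01T10:00:07Z key_id=dev-key-b status=201 ip=203.0.113.5 path=/v1/inquiries
2024-05-01T10:00:08Z key_id=dev-key-b status=401 ip=203.0.113.5 path=/v1/inquiries
this line is not in the expected format
"""


def parse(log_text: str) -> List[Dict[str, str]]:
    """Turn log lines into field dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match is None:
            continue
        events.append(match.groupdict())
    return events


def analyse(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Per key: collect source addresses and count authentication failures,
    then emit one finding per signal that crosses its threshold."""
    failures: Dict[str, int] = defaultdict(int)
    sources: Dict[str, set] = defaultdict(set)
    for event in events:
        sources[event["key"]].add(event["ip"])
        if event["status"] in ("401", "403"):
            failures[event["key"]] += 1

    findings: List[Dict[str, object]] = []
    for key in sorted(sources):
        unexpected = sorted(sources[key] - EXPECTED_EGRESS)
        if unexpected:
            # A backend key appearing from an address we do not own usually means
            # the secret has been copied somewhere it should not be.
            findings.append({"key": key, "reason": "unexpected_source", "sources": unexpected})
        if failures[key] >= AUTH_FAILURE_THRESHOLD:
            # Bursts of 401/403 mean either guessing against the key or a stale
            # key still deployed somewhere after rotation; both need a look.
            findings.append({"key": key, "reason": "auth_failures", "count": failures[key]})
    return findings


def report(log_text: str) -> List[Dict[str, object]]:
    """Convenience wrapper: parse then analyse."""
    return analyse(parse(log_text))


if __name__ == "__main__":
    for finding in report(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the scan produces two findings, both on prod-key-a, and stays silent on dev-key-b, whose single failure is below the threshold and whose traffic comes from an expected address. In production you would feed this from your log pipeline on a schedule and route findings to whoever can revoke the key.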

Following these practices materially improves the security posture of an application that integrates with Persona, protecting both your systems and your users' identity data. For general guidance on handling bearer credentials over HTTP, including the threats of token leakage and replay, see the OAuth 2.0 Bearer Token Usage specification (RFC 6750), whose security considerations apply equally to API keys sent in an Authorization header.