Skip to main content
Authentication applies to every endpoint in the ProfiledRisk API.

Base URL

https://ingest.profiledrisk.com/api/
This is the base domain used for all API interactions. You must append the correct endpoint path for each API call.
Specific endpoints will be referenced in subsequent sections of this documentation.

API Keys

ProfiledRisk uses a single Secret Key for live transactions
Developers → API Keys
Treat your Secret Key like a password.
Do not expose it in client-side, browser, or mobile applications.

Header Authentication

Every API request must include your Secret Key in the Authorization header.

Header Format

Authorization: {PRIVATE_KEY}
Content-Type: application/json
Example:
[POST]
{{baseURL}}/ingest
Body
{
  "key" : "6WgE3W1",
  "type": "payments",
  "event": { ... }
}

Security Best Practices

To maintain compliance and protect your risk infrastructure:
  • Never store credentials directly in code repositories
  • Use a secure secrets manager for environment variables
  • Restrict access to keys based on least privilege
  • Rotate credentials if leakage is suspected
  • Disable and regenerate unused keys regularly
ProfiledRisk logs all API usage against your keys for audit purposes.

Error Handling

If authentication fails, ProfiledRisk returns standard HTTP error responses:
CodeErrorReason
401 UnauthorizedAuthentication failedMissing or invalid Secret Key
403 ForbiddenAccess deniedKey restricted or disabled