
Authentication

API authentication uses bearer tokens issued at account onboarding.

Obtaining a key

API keys are issued through the customer-onboarding flow described in our Customer Onboarding Policy. The flow includes:

  1. Account creation (organisation name, billing contact, technical contact)
  2. Use-of-service self-declaration (Article III screening — Charter to code)
  3. EU sanctions and dual-use Annex I screening (automated, sub-second under most circumstances)
  4. For high-risk industry flags: manual review (typically same-day, sometimes longer)
  5. Pilot or service contract signed
  6. API key issued

Once issued, the plaintext key is shown to you exactly once. We do not store the plaintext; we store an Argon2id hash. Save the key into your secrets store immediately.

Using the key

The Vetted Inference API is OpenAI-compatible. Set the bearer token in the Authorization header:

curl https://api.vettedinference.com/v1/chat/completions \
  -H "Authorization: Bearer $VETTED_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "mistral-medium-3",
    "messages": [{"role": "user", "content": "Hello"}]
  }'

Or with the OpenAI Python SDK:

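import os

from openai import OpenAI

# Read the key from the environment (populated from your secrets store); do not hard-code it.
client = OpenAI(
    base_url="https://api.vettedinference.com/v1",
    api_key=os.environ["VETTED_API_KEY"],
)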

Key scopes

Each key carries a scope set. The default key scope set is:

  • inference:read — list models, query model metadata
  • inference:write — create completions, chat completions, embeddings
  • vetted:read — fetch receipts, list ledger entries

Audit Plus and Enterprise customers can issue scoped keys via the dashboard:

  • vetted:lineage — fetch full methodology lineage for a receipt
  • vetted:export — bulk-export receipts as a JSON-LD evidence pack
  • admin:keys — issue and revoke other keys (organisation admin only)

Rotation

We recommend rotating production keys at least annually. The rotation flow:

  1. Create a new key in the dashboard (it inherits the predecessor's scope set unless you specify otherwise)
  2. Deploy the new key to your secret store
  3. Confirm traffic on the new key
  4. Revoke the old key (this is reversible for 90 days; after 90 days the hashed credential record is deleted)

Revocation

Suspected compromise: revoke immediately from the dashboard, or email security@vettedinference.com if you do not have dashboard access. We respond to revocation requests within minutes during business hours, within 4 hours otherwise.

Revocation is logged and visible in the audit log of your account, including the revoking actor's identity.

Rate limits

Tier         Requests / second   Daily request budget   Burst
Audit        50                  100,000                200
Audit Plus   200                 400,000                800
Enterprise   Negotiated          Negotiated             Negotiated

429s carry a Retry-After header. We do not throttle silently; a 429 is a real backoff signal.
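
Added example (not Vetted Inference's own client code): one way to honour the Retry-After header on a 429 in Python. It assumes the header may be either delta-seconds or an HTTP-date, as HTTP allows; send, MAX_WAIT_SECONDS and the exponential fallback are hypothetical choices made for this example.

```python
import email.utils
import time
from datetime import datetime, timezone

MAX_WAIT_SECONDS = 60.0  # assumption: cap so a malformed header cannot stall the caller


def parse_retry_after(value, now=None):
    """Return seconds to wait for a Retry-After value (delta-seconds or HTTP-date)."""
    if value is None:
        return None
    value = value.strip()
    if value.isdigit():
        return min(float(value), MAX_WAIT_SECONDS)
    try:
        when = email.utils.parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None  # unparseable header: caller falls back to its own delay
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return min(max((when - now).total_seconds(), 0.0), MAX_WAIT_SECONDS)


def call_with_backoff(send, max_attempts=4, sleep=time.sleep):
    """Call send() until it returns a non-429 status or attempts run out.

    send is a hypothetical callable returning (status, headers, body);
    headers is assumed to be a dict keyed by "Retry-After".
    Returns (status, body, waits), where waits lists the delays applied.
    """
    waits = []
    for attempt in range(max_attempts):
        status, headers, body = send()
        if status != 429:
            return status, body, waits
        if attempt == max_attempts - 1:
            break  # out of attempts: surface the 429 to the caller
        wait = parse_retry_after(headers.get("Retry-After"))
        if wait is None:
            wait = min(2.0 ** attempt, MAX_WAIT_SECONDS)  # fallback delay
        waits.append(wait)
        sleep(wait)
    return 429, body, waits
```

Passing sleep as a parameter lets the retry loop be exercised in tests without real delays.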