Appearance
Authentication & API keys
The CryptoComply REST API accepts three authentication schemes. For server-to-server integrations, use an API key.
| Scheme | Header | Use it for |
|---|---|---|
| API key | Authorization: Api-Key <key> | Backends, scripts, scheduled jobs. Recommended for integrations. |
| JWT | Authorization: Bearer <token> | Short-lived sessions obtained from POST /api/auth/token/ and refreshed via /api/auth/token/refresh/. |
| Session cookie | sessionid cookie | The web app. Set automatically by the browser; not for server integrations. |
API keys
A CryptoComply API key is user-scoped — it acts as the member it belongs to and carries that member's role permissions. The key string has a public prefix, a dot, and a secret:
qTizYIPb.mtGvbj55SYLKscTq1lKb3yPSmxTtxXa7Send it in the Authorization header on every request, with the literal Api-Key prefix:
bash
curl https://api.cryptocomply.xyz/api/orgs/ \
-H "Authorization: Api-Key qTizYIPb.mtGvbj55SYLKscTq1lKb3yPSmxTtxXa7"Access levels
Each key is either:
- Read-only —
GETrequests only. Any write returns403. - Full access — may also
POST,PATCH,PUT, andDELETE.
The access level is enforced on top of the member's role: a read-only key can never write, even if the member's role allows it. Use read-only keys for reporting and dashboards, full-access keys only where writes are needed.
Getting a key
CryptoComply provisions API keys today — ask your CryptoComply contact, and say which organization, which access level, and (optionally) an expiry. Self-serve key management in the web app is on the way.
Expiry, rotation, and revocation
Keys can carry an expiry date and can be revoked without losing their audit history; CryptoComply tracks each key's last use. To rotate, request a new key, move your integration to it, then have the old one revoked. Treat the secret like a password — store it in a secret manager, never in source control, and never expose it in client-side code.
Provider keys are different
Separately from the access key you authenticate with, an organization stores third-party provider credentials so CryptoComply can call those services on your behalf. These are managed at:
/api/orgs/{org_pk}/api-keys/Each provider key has a key_type:
| Code | Provider |
|---|---|
H | Chainalysis |
T | TRM |
O | Open Sanctions |
W | World Check |
C | Castellum |
A | OpenAI |
P | Perplexity |
Provider keys are returned with the secret masked (masked_key), an enabled flag for retiring a key without deleting its history, and a usage_count. Per-key daily usage is available at /api/orgs/{org_pk}/api-keys/{api_key_pk}/call-summaries/.
Don't confuse the two
Your access key authenticates you to CryptoComply. Provider keys let CryptoComply authenticate to Chainalysis, TRM, and the rest. Putting a provider key in the Authorization header will not work.
What's next
- Quickstart — your first authenticated call.
- Errors — what
401and403responses look like.