BriteVerify Public Keys is a security feature designed to let you control access to your API implementation(s) and is a first line of defense against bad actors trying to get free validations at your expense. With the introduction of public keys, BriteVerify makes point-of-collection validation easier on your engineering team and safer out of the box.
Use of public keys is strongly recommended for any client-side implementations such as point-of-collection (registration, contact, newsletter, and order forms) and any other use case that doesn't require the user to be authorized.
Requirements
BriteVerify Public Keys are available for the Real-time Single Transaction API v1 only. If you are using the legacy transactional API, you will need to update in order to use Public Keys.
- How to check: If you have to include an API key in your `GET` URL, you are using a legacy API.
Features
Rate Limiting
Public keys are automatically rate limited at two levels:
- Key: Incoming requests are limited to 500 requests per key, per minute
- IP Address: Incoming requests are limited to 25 requests per client IP address, per minute
Domain Validation
Public keys also give you the option to restrict incoming requests by domain: requests are accepted only when they originate from a domain you have set up. For domain validation to work, make sure your requests send the HTTP Referer header.
Acceptable top-level domain formats include:
domain.com
www.domain.com
https://www.domain.com
Acceptable sub-domain formats include:
sub.domain.com
*.domain.com
https://*.domain.com
Getting Started
- Read through the documentation for the API that you want to use.
- Review the best practices for the Real-time Single Transaction API.
- Create a BriteVerify account if needed, or sign in to BriteVerify.
Generating a public key
Once you're in BriteVerify, go to API Keys on the left navigation bar, then select Generate New Key.
- If you are a Pay As You Go customer, you will need to configure auto-replenish first.
Under Key type, select Client-side. Once you do, you will see a Security Settings section appear.
Under Security Settings, check the Require domain validation box. Then, enter the domains you want to allow, separated by commas, into the text box.
Under Optimization Settings, select your implementation use case from the Site dropdown. This helps us understand and support your needs.
Select Create, then copy your new key. You're now ready to implement the API in a more secure way.
Example
It's easy to get started with a basic implementation like the example below. Because a public key is rate limited and can be restricted to your domains, you don't have to go through the effort of hiding it.
<html>
<head>
  <!-- jQuery is used only for its AJAX helper -->
  <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5./jquery.min.js"></script>
</head>
<body>
  <script>
    // Every request carries the client-side public key in the Authorization
    // header; the key below is a placeholder for the one you generated.
    $.ajaxSetup({
      beforeSend: function (xhr) {
        xhr.setRequestHeader('Authorization', 'ApiKey: XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX');
        xhr.setRequestHeader('Content-Type', 'application/json');
      }
    });

    // POST the address to be verified as a JSON body.
    $.ajax({
      url: 'https://bpi.briteverify.com/api/public/v1/fullverify',
      type: 'POST',
      // dataType: 'json',
      data: JSON.stringify({ email: 'jane.doe@domain.com' }),
      success: function (data, status, xhr) {
        console.log('hi');
        console.log(data);
      }
    });
  </script>
</body>
</html>
Caution: Not using public keys increases the likelihood that your implementation can be hijacked by bad actors, resulting in loss of verification credits that are not refundable. Validity does not take responsibility for loss that could have been prevented by using security features like Public Keys.