Authentication

Every request to the Vouchley API must carry a Bearer token. Keys are scoped to your account and live in two environments — test and live — so you can develop safely without touching real credit balances.

Generating API keys

Open the API Keys page in your dashboard and click Create new key. Pick a label (visible only to you) and an environment. The plaintext key is shown exactly once — copy it into your server-side secrets manager before closing the modal.

Example request

curl -X POST https://api.vouchley.getrevlio.com/v1/verify \
  -H "Authorization: Bearer vch_live_abc123def456..." \
  -H "Content-Type: application/json" \
  -d '{"email": "john@acme.com"}'

Key types

Vouchley provides two environments to support your development lifecycle. Always use test keys during development. Test requests do not deduct from your credit balance and do not surface in production analytics.

Test keys

Used for development and staging. Isolated from live data. Prefix: vch_test_

Safe

Live keys

Used for production. Every call deducts 1 credit from your balance. Prefix: vch_live_

Sensitive

Rotating keys

Revoke a key from the dashboard to take it offline immediately. Past requests stay logged but any new call with that key returns 401 Unauthorized. Best practice: generate the new key first, deploy it everywhere, verify traffic is flowing, then revoke the old one.

Security best practices

Keep one key per deployment environment (staging, production).
Rotate keys at least quarterly, and immediately on any suspected leak.
Use environment-specific labels so the dashboard stays scannable.