
Authentication Methods

AnyCheck supports two authentication methods:
  • JWT Token: for user-based authentication in web and mobile applications
  • API Key: for server-to-server authentication and integrations

JWT Token Authentication

Login

Get a JWT token by logging in with email and password:
curl -X POST https://api.anycheck.id/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "password": "your_password"
  }'
Response:
{
  "success": true,
  "data": {
    "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "expires_in": 3600,
    "user": {
      "id": "user-uuid",
      "email": "[email protected]",
      "name": "John Doe"
    }
  }
}

Using the JWT Token

Include the token in the Authorization header:
curl https://api.anycheck.id/verifications \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

Refreshing Tokens

When the access token expires, use the refresh token to get a new one:
curl -X POST https://api.anycheck.id/auth/refresh \
  -H "Content-Type: application/json" \
  -d '{
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
  }'

API Key Authentication

Getting an API Key

  1. Contact Sales: Email [email protected] or contact us via WhatsApp to request access.
  2. Review Contract: Review and sign the service contract with pricing and terms.
  3. Receive Credentials: Your API key and dashboard access will be provided along with the signed contract.

API keys are not self-service. All customers must go through a contract process before receiving API access credentials.

Using the API Key

Include the API key in the X-API-Key header:
curl https://api.anycheck.id/verifications \
  -H "X-API-Key: YOUR_API_KEY"

External Authentication (SSO)

AnyCheck supports Single Sign-On via Microsoft Entra ID (formerly Azure AD):

Get Auth URL

curl https://api.anycheck.id/auth/external/entra/auth-url
Response:
{
  "auth_url": "https://login.microsoftonline.com/..."
}

Redirect and Callback

  1. Redirect user to the auth_url
  2. User authenticates with Microsoft
  3. Microsoft redirects to your callback URL
  4. Exchange code for access token via /auth/external/entra/callback

Security Best Practices

  • Store tokens securely (encrypted storage, secure cookies)
  • Never expose tokens in URLs or logs
  • Use HttpOnly and Secure flags for cookies
  • Access tokens expire in 1 hour
  • Refresh tokens expire in 30 days
  • Implement automatic token refresh logic
  • Rotate API keys every 90 days
  • Use separate keys for different environments
  • Revoke compromised keys immediately
  • Track failed login attempts
  • Monitor for unusual access patterns
  • Enable multi-factor authentication (MFA)
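The refresh logic the list above asks for, as an added example that is not AnyCheck's own client code: a small session object that refreshes proactively before expires_in elapses, retries once on the documented TOKEN_EXPIRED error, and redacts the Authorization header before anything is logged. It assumes a 60-second refresh margin, that /auth/refresh returns the same data shape as /auth/login, and a constructed in-memory transport standing in for api.anycheck.id.

```python
import time
REFRESH_MARGIN = 60  # assumed: refresh this many seconds before expires_in runs out

class AnyCheckSession:
    """JWT session with automatic refresh; send(method, path, headers, body) -> (status, json)."""
    def __init__(self, send, clock=time.time):
        self.send, self.clock = send, clock
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0
    def _post(self, path, body):  # /auth/login shape as documented; /auth/refresh assumed alike
        status, resp = self.send("POST", path, {"Content-Type": "application/json"}, body)
        if status != 200:
            raise PermissionError(resp["error"]["code"])  # e.g. INVALID_CREDENTIALS
        data = resp["data"]
        self.access_token = data["access_token"]
        self.refresh_token = data.get("refresh_token", self.refresh_token)
        self.expires_at = self.clock() + data["expires_in"]
    def login(self, email, password):
        self._post("/auth/login", {"email": email, "password": password})
    def refresh(self):
        self._post("/auth/refresh", {"refresh_token": self.refresh_token})
    def request(self, method, path, body=None):
        if self.clock() >= self.expires_at - REFRESH_MARGIN:
            self.refresh()  # proactive: access token is about to expire
        auth = lambda: {"Authorization": f"Bearer {self.access_token}"}
        status, resp = self.send(method, path, auth(), body)
        if status == 401 and resp.get("error", {}).get("code") == "TOKEN_EXPIRED":
            self.refresh()  # reactive: server expired it early (clock skew, revocation); retry once
            status, resp = self.send(method, path, auth(), body)
        return status, resp

def redact(headers):
    """Copy of headers safe to log: the token value is dropped ('never expose tokens in logs')."""
    return {k: "Bearer [REDACTED]" if k.lower() == "authorization" else v for k, v in headers.items()}

def make_fake_api(clock, lifetime=3600):
    """Constructed stand-in for api.anycheck.id, not the real service; error codes as on this page."""
    st = {"n": 0, "at": 0.0}
    def mint():
        st["n"] += 1; st["at"] = clock()
        return 200, {"success": True, "data": {"access_token": f"at{st['n']}", "refresh_token": "rt", "expires_in": lifetime}}
    def send(method, path, headers, body):
        if path == "/auth/login":
            return mint() if body["password"] == "correct-password" else (401, {"success": False, "error": {"code": "INVALID_CREDENTIALS"}})
        if path == "/auth/refresh":
            return mint()
        if headers.get("Authorization") != f"Bearer at{st['n']}" or clock() - st["at"] >= lifetime:
            return 401, {"success": False, "error": {"code": "TOKEN_EXPIRED"}}
        return 200, {"success": True, "data": []}
    send.expire_now = lambda: st.update(at=float("-inf"))  # simulate server-side early expiry
    return send
```

With a real HTTP library, `send` would issue the request and return the parsed JSON; the session logic stays the same.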

Error Responses

Invalid Credentials

{
  "success": false,
  "error": {
    "code": "INVALID_CREDENTIALS",
    "message": "Email or password is incorrect"
  }
}
Status Code: 401 Unauthorized

Expired Token

{
  "success": false,
  "error": {
    "code": "TOKEN_EXPIRED",
    "message": "Your session has expired. Please login again."
  }
}
Status Code: 401 Unauthorized

Invalid API Key

{
  "success": false,
  "error": {
    "code": "INVALID_API_KEY",
    "message": "API key is invalid or inactive"
  }
}
Status Code: 401 Unauthorized

Permission System

AnyCheck uses role-based access control (RBAC):
  • Admin: Full access to organization and groups
  • Manager: Manage users and services within groups
  • User: Create and view verifications
Permissions are assigned via User Access Management (UAM) roles.

Rate Limiting

API requests are rate limited based on your organization’s plan:
  • Limits apply per organization and group
  • Rate limit headers included in responses:
    • X-RateLimit-Limit
    • X-RateLimit-Remaining
    • X-RateLimit-Reset
