Authentication Methods

AnyCheck supports multiple authentication methods:
  • JWT Token: For user-based authentication in web applications
  • API Key: For server-to-server authentication and integrations

JWT Token Authentication

Login

Check Available Login Methods:
curl https://staging-api.anycheck.ai/auth/methods
Response:
{
  "ENTRA": {
    "details": "Connection successful",
    "enabled": true,
    "healthy": true
  },
  "LDAP": {
    "details": "Connection successful",
    "enabled": true,
    "healthy": true
  },
  "PASSWORD": {
    "enabled": true
  }
}
Log In with Email and Password:
curl -X POST https://staging-api.anycheck.ai/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "your_email@example.com",
    "password": "your_password"
  }'
Response:
{
  "access_token": "eyJhbGc...",
  "refresh_token": "eyJhbGc..."
}

Using the JWT Token

Include the token in the Authorization header:
curl https://staging-api.anycheck.ai/profile \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Refreshing Tokens

When the access token expires, use the refresh token to get a new one:
curl -X POST https://staging-api.anycheck.ai/auth/refresh \
  -H "Content-Type: application/json" \
  -d '{
    "refresh_token": "eyJhbGc..."
  }'
Response:
{
  "access_token": "eyJhbGc...",
  "refresh_token": "eyJhbGc..."
}

API Key Authentication

Getting an API Key

1. Contact Sales
   Email [email protected] or contact us via WhatsApp to request access.
2. Review Contract
   Review and sign the service contract with pricing and terms.
3. Access Dashboard
   If you already have an account, Organization Owners can view and manage API keys for each group through the dashboard.
4. Receive Credentials
   Your API key and dashboard access will be provided along with the signed contract.

Using the API Key

Include the API key in the X-API-Key header:
curl https://staging-api.anycheck.ai/verifications \
  -H "X-API-Key: YOUR_API_KEY"

Security Best Practices

  • Store tokens securely (encrypted storage, secure cookies)
  • Never expose tokens in URLs or logs
  • Use HttpOnly and Secure flags for cookies
  • Access tokens expire in 1 hour
  • Refresh tokens expire in 30 days
  • Implement automatic token refresh logic
  • Rotate API keys every 90 days
  • Use separate keys for different environments
  • Revoke compromised keys immediately
  • Track failed login attempts
  • Monitor for unusual access patterns
  • Enable multi-factor authentication (MFA)
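
One way to implement the automatic token refresh listed above, as an added Python example that is not AnyCheck's own client code. The endpoints and the 1-hour lifetime come from this page; the TokenSession class, the 60-second margin and the presence of a standard exp claim in the access token are assumptions.

```python
import base64, json, time, urllib.request

BASE_URL = "https://staging-api.anycheck.ai"  # staging host shown on this page

def http_post(path, payload):
    """POST a JSON body and return the decoded JSON response."""
    req = urllib.request.Request(
        BASE_URL + path, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def jwt_exp(token):
    """Return the exp claim of a JWT, or None. The signature is NOT verified:
    this only schedules a refresh, the server still validates the token."""
    try:
        seg = token.split(".")[1]
        claims = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
        return claims.get("exp")
    except (IndexError, ValueError, AttributeError):
        return None

class TokenSession:
    SKEW = 60          # assumed margin: refresh 60 s before expiry
    ACCESS_TTL = 3600  # 1-hour access token lifetime, used if no exp claim

    def __init__(self, post=http_post, clock=time.time):
        self._post, self._clock = post, clock
        self._access = self._refresh = None
        self._expires_at = 0.0

    def login(self, email, password):
        self._store(self._post("/auth/login", {"email": email, "password": password}))

    def _store(self, body):
        # The refresh response also carries a new refresh_token, so replace both.
        self._access, self._refresh = body["access_token"], body["refresh_token"]
        self._expires_at = jwt_exp(self._access) or self._clock() + self.ACCESS_TTL

    def auth_header(self):
        """Return the Authorization header, refreshing first if close to expiry."""
        if self._refresh is None:
            raise RuntimeError("call login() first")
        if self._clock() >= self._expires_at - self.SKEW:
            self._store(self._post("/auth/refresh", {"refresh_token": self._refresh}))
        return {"Authorization": "Bearer " + self._access}

    def __repr__(self):
        return "<TokenSession tokens=redacted>"  # keep tokens out of logs
```

The post and clock parameters exist so the refresh path can be exercised with a stub transport and a fake clock instead of the live API.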

Permission System

AnyCheck uses role-based access control (RBAC):
  • Super Admin: Full access to all organizations and their groups in AnyCheck
  • Organization Owner: Full access to their organization and all of its groups; can perform organization-level and group-level operations
  • Group User: Limited access to their assigned group, where they can manage folders, process verifications, and collaborate with group members
Permissions are managed through User Access Management (UAM) roles applied at the endpoint level via middleware. In addition, internal business logic still performs scope-based access validation to ensure fine-grained authorization.
