Authentication

The KYC Genie API uses API keys to authenticate requests. You can create and manage your API keys from your account settings in the dashboard.

Secure Your Keys

API keys grant access to your account and data. Keep them private and never expose them in public repositories, client-side code, or other untrusted environments. If a key is compromised, revoke it immediately in your account settings.

API Keys

API keys are issued per tenant and can have different access levels. Each key is a Bearer token that you include in the Authorization header of your requests.

Key Format

API keys follow this format:

kycg_1234567890abcdef1234567890abcdef

Creating API Keys

  1. Log in to your KYC Genie dashboard
  2. Navigate to SettingsAPI Keys
  3. Click Create API Key
  4. Choose the owner (user who owns this key)
  5. Give your key a descriptive name (e.g., "Production Server", "Development")
  6. Optionally configure security features (IP whitelist, HMAC enforcement, API Scope and Expiration)
  7. Copy and securely store your key (you won't be able to see it again)
Key Limit

Each user can have a maximum of 3 active API keys per environment. Revoke unused keys to create new ones.

Test vs Live Mode

KYC Genie supports two environments: Test and Live. Data created in one mode is completely isolated from the other.

Feature Test Mode Live Mode
Data Isolation Isolated test environment Production environment
Billing No charges applied Standard usage charges apply
API Functionality Most features available Full functionality
Third-party Integrations Sandbox/mock responses Live third-party API calls
Webhook Delivery Enabled Enabled
Always Test First

Use test mode during development to avoid consuming production credits. Test data is isolated and can be safely deleted at any time.

Making Requests

All API requests must include your API key in the Authorization header using the Bearer scheme.

Example Request

curl https://kycgenie.com/api/v1/responses/ \
  -H "Authorization: Bearer kycg_1234567890abcdef" \
  -H "Content-Type: application/json"
import requests

headers = {
    'Authorization': 'Bearer kycg_1234567890abcdef',
    'Content-Type': 'application/json'
}

response = requests.get(
    'https://kycgenie.com/api/v1/responses/',
    headers=headers
)

print(response.json())
const response = await fetch('https://kycgenie.com/api/v1/responses/', {
  method: 'GET',
  headers: {
    'Authorization': 'Bearer kycg_1234567890abcdef',
    'Content-Type': 'application/json'
  }
});

const data = await response.json();
console.log(data);

Required Headers

Header Value Required Description
Authorization Bearer YOUR_API_KEY Always Your API key with Bearer prefix
Content-Type application/json POST/PATCH/PUT For requests with JSON body
Idempotency-Key unique-key-123 POST/PUT/PATCH/DELETE Unique key for request deduplication (24hr expiration)

Idempotency

All mutating operations (POST, PUT, PATCH, DELETE) require an Idempotency-Key header to prevent duplicate requests from causing unintended side effects.

Why Use Idempotency Keys?

Retries due to network failures or timeouts can result in the same request being sent multiple times. Idempotency keys ensure that repeated requests with the same key are applied only once, preventing duplicate records or side effects.

How It Works

  1. Generate a unique key (UUID recommended) for each logical operation
  2. Include it in the Idempotency-Key header
  3. If you retry the request with the same key within 24 hours, you'll get the cached response
  4. If you send the same key with different request data, you'll get a 409 Conflict error

Example with Idempotency

curl -X POST https://kycgenie.com/api/v1/responses/ \
  -H "Authorization: Bearer kycg_1234567890abcdef" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: 550e8400-e29b-41d4-a716-446655440000" \
  -d '{
    "entity_name": "ACME Corp",
    "questionnaire_id": 123
  }'
import requests
import uuid

# Generate unique key for this operation
idempotency_key = str(uuid.uuid4())

response = requests.post(
    'https://kycgenie.com/api/v1/responses/',
    headers={
        'Authorization': 'Bearer kycg_1234567890abcdef',
        'Content-Type': 'application/json',
        'Idempotency-Key': idempotency_key
    },
    json={
        'entity_name': 'ACME Corp',
        'questionnaire_id': 123
    }
)

# If network fails, retry with same key
if response.status_code == 500:
    # Same idempotency_key ensures no duplicate creation
    response = requests.post(..., headers={'Idempotency-Key': idempotency_key, ...})
import { v4 as uuidv4 } from 'uuid';

const idempotencyKey = uuidv4();

try {
  const response = await fetch('https://kycgenie.com/api/v1/responses/', {
    method: 'POST',
    headers: {
      'Authorization': 'Bearer kycg_1234567890abcdef',
      'Content-Type': 'application/json',
      'Idempotency-Key': idempotencyKey
    },
    body: JSON.stringify({
      entity_name: 'ACME Corp',
      questionnaire_id: 123
    })
  });
  
  if (!response.ok) throw new Error('Request failed');
  
} catch (error) {
  // Safe to retry with same key - no duplicates will be created
  await fetch(url, { headers: { 'Idempotency-Key': idempotencyKey, ... } });
}

Idempotency Errors

Status Code Scenario Resolution
400 Missing Idempotency-Key header on POST/PUT/PATCH/DELETE Add the header with a unique UUID value
409 Same key used with different request data Generate a new idempotency key for the new operation
Key Expiration

Idempotency keys expire after 24 hours. After expiration, the same key can be reused as a new operation.

API Key Security Features

When creating API keys, you can enable optional security features for enhanced protection.

IP Whitelisting

Restrict API key usage to specific IP addresses. Requests from non-whitelisted IPs will be rejected with 403 Forbidden. 

{
  "name": "Production Server Key",
  "environment": "live",
  "ip_whitelist": ["203.0.113.0", "198.51.100.0/24"]
}

Scopes (Coming Soon)

Limit API key permissions to specific resources and operations.

HMAC Request Signing (Optional)

Require HMAC-SHA256 signatures on all requests for additional verification. When enabled, each request must include an X-Request-Signature header. 

import hmac
import hashlib
import json

def sign_request(api_secret, method, path, body=None):
    """Generate HMAC signature for request"""
    # Combine method + path + body
    message = f"{method}{path}"
    if body:
        message += json.dumps(body, separators=(',', ':'), sort_keys=True)
    
    signature = hmac.new(
        api_secret.encode(),
        message.encode(),
        hashlib.sha256
    ).hexdigest()
    
    return signature

# Usage
signature = sign_request(
    api_secret='your_api_secret_from_settings',
    method='POST',
    path='/api/v1/responses/',
    body={'entity_name': 'ACME Corp', 'questionnaire_id': 123}
)

headers = {
    'Authorization': 'Bearer kycg_...',
    'X-Request-Signature': signature
}

Error Handling

The API returns standard HTTP status codes to indicate the success or failure of requests.

Authentication Errors

Status Code Error Description
400 Bad Request Missing required header (e.g., Idempotency-Key)
401 Unauthorized Missing or invalid API key
403 Forbidden API key doesn't have required permissions or IP not whitelisted
409 Conflict Idempotency key conflict - same key used with different data
429 Too Many Requests Rate limit exceeded

Example Error Responses

Missing Idempotency Key

{
  "error": "missing_idempotency_key",
  "message": "Idempotency-Key header is required for POST/PUT/PATCH/DELETE requests",
  "status": 400
}

Idempotency Key Conflict

{
  "error": "idempotency_key_conflict",
  "message": "This idempotency key was already used with different request data",
  "status": 409
}

Invalid API Key

{
  "error": "invalid_api_key",
  "message": "The API key provided is invalid or has been revoked",
  "status": 401
}

Rate Limits

To ensure fair usage and system stability, the API enforces rate limits based on your subscription plan:

Plan Hourly Limit Burst Limit
Free 1,000 requests/hour 20 requests/minute
Basic 1,000 requests/hour 20 requests/minute
Standard 1,000 requests/hour 20 requests/minute
Pro 1,000 requests/hour 20 requests/minute
Test API Keys

Test API keys allow you to safely explore and experiment with the KYC Genie API without affecting real data. They operate in a fully isolated sandbox environment and simulate realistic responses for all endpoints.

Test keys have generous limits to support development and testing:

  • 1,000 requests per hour
  • 100 requests per minute (burst)

All test requests include standard rate-limit headers (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset) so you can practice handling throttling in your integration.

Note: Test keys are sandbox-only and do not consume credits or affect live data. Production API keys must be used for real KYC checks.

Rate Limit Headers

Every API response includes headers to help you track your usage:

Hourly Rate Limit

  • X-RateLimit-Limit - Total requests allowed per hour
  • X-RateLimit-Remaining - Requests remaining in current hour
  • X-RateLimit-Reset - Seconds until the hourly limit resets

Burst Rate Limit (Per-Minute)

  • X-RateLimit-Burst-Limit - Maximum requests per minute
  • X-RateLimit-Burst-Remaining - Requests remaining this minute
  • X-RateLimit-Burst-Reset - Seconds until the burst limit resets
Handling Rate Limits

If you exceed your rate limit, you'll receive a 429 Too Many Requests response. Check the X-RateLimit-Reset header to know when you can retry.

We recommend implementing exponential backoff in your integration to gracefully handle rate limiting.

to navigate Enter to select Esc to close