Authentication Overview

The Locktera CORE API uses API keys to authenticate requests.

Every request must include a valid API key in the Authorization header. The API key identifies the calling user and determines what actions are permitted.

Authentication is required for all endpoints. Requests without valid authentication are rejected before any container or policy evaluation occurs.

API keys authenticate the calling user but do not bypass container access policies. All access requests are still evaluated against container DRM rules.

How Authentication Works

Locktera authenticates requests using Bearer token authentication.

Your API key is included in the request header:

Authorization: Bearer YOUR_API_KEY

Example request:

curl -X GET $BASE_URL/me \
  -H "Authorization: Bearer YOUR_API_KEY"

If the API key is valid, the request is processed.

If the API key is missing or invalid, the request is rejected.

HTTP 401 Unauthorized

{
  "error": "unauthorized",
  "message": "Invalid or missing API key"
}

HTTP 403 Forbidden

{
  "error": "access_denied",
  "message": "Access is not permitted under current container policies"
}

What Authentication Controls

Authentication determines:

• The identity of the calling user
• What operations are permitted
• Which containers can be accessed
• Which DRM policies can be modified
• What audit logs can be viewed

All API operations require authentication.

Authentication and Access Control

Authentication identifies the caller. Access control determines whether the caller is authorized to access a specific container.

When a protected container is accessed, Locktera evaluates:

• The identity associated with the API key
• The container’s recipient list
• Any DRM restrictions (time, IP, geographic, or download rules)

If access is permitted, the request succeeds.

If access is not permitted, the API returns:

{
  "error": "access_denied",
  "message": "Access is not permitted under current container policies"
}

Verifying Authentication

You can verify your API key by calling the /me endpoint:

curl -X GET $BASE_URL/me \
  -H "Authorization: Bearer YOUR_API_KEY"

Example response:

{
  "id": "123e4567-e89b-12d3-a456-426614174000",
  "email": "user@company.com"
}

This confirms the API key is valid and identifies the authenticated user.

Authentication Flow

  1. Client sends request with API key

  2. Locktera verifies API key identity. Authentication is verified before any container metadata, audit logs, or encrypted contents are accessed.

  3. Locktera evaluates container access policies

  4. Request is allowed or denied

Security Best Practices

• Treat API keys as secret credentials
• Never expose API keys in client-side applications
• Store API keys securely using environment variables or secret managers
• Rotate API keys periodically

API Keys
Base URL
Identity & Recipients

These sections explain how to create API keys, configure requests, and map identities to access control.