Authentication
Every Lorica API request authenticates with a Bearer token. There are two key types and two environments. Each tenant receives both at sandbox creation. The JWT signing secret is separate from the API key.
Key types
| Type | Prefix | Purpose |
|---|---|---|
| Sandbox | lorica-sbx- | Issued immediately. Synthetic verdicts shaped like real ones. Does not write to your audit log. |
| Production | lorica-prod- | Issued after your first sandbox verify call clears. Live traffic. Writes to audit log. Rate-limited per contract. |
Header format
Pass the bearer token in the Authorization header on every request:
```http
Authorization: Bearer lorica-prod-aB3xC9zT8mYqRn5wHk2pV
Content-Type: application/json
X-Lorica-Idempotency-Key: req_4Z9X2fK8mPq
```
JWT signing secret
Each tenant has a JWT signing secret distinct from the API key. The signing secret is what your backend uses to verify returned JWTs. It is shared secret material — do not log it, do not commit it to source control, do not transmit it over an unencrypted channel.
Rotation
Signing-secret rotation supports a 30-minute overlap window. Both the old and new secrets validate during the overlap; after the window closes, only the new secret validates. Rotate via the dashboard or POST /v1/keys/rotate-signing:
```bash
curl -X POST https://api.loricaapi.com/v1/keys/rotate-signing \
  -H "Authorization: Bearer lorica-prod-..." \
  -H "Content-Type: application/json"
```
The response returns the new secret. Update your backend, deploy, and confirm the new secret validates against fresh JWTs before the overlap expires. If the overlap expires before deployment, Lorica signs JWTs with the new secret but your backend still validates against the old one — verification fails for all traffic until you redeploy.
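A backend-side verifier that follows the rotation rule above (JWTs signed with either secret are accepted during the overlap window, only the new secret afterwards). This is an added example, not Lorica's SDK or documented code. It assumes HS256-signed JWTs, an overlap clock started when your backend installs the new secret, and hypothetical names (`SigningSecretRing`, `verify_hs256`, `sign_hs256`); the secrets and claims used are constructed test values.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical helpers: illustrative code, not part of the Lorica docs or SDK.

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims, secret):
    """Mint an HS256 JWT. Only used here to build test tokens; in production
    Lorica mints the JWT and your backend only verifies it."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

class SigningSecretRing:
    """Current signing secret plus the previous one, kept only until the
    overlap window (assumed 30 minutes, per the docs) closes."""

    def __init__(self, current, overlap_seconds=30 * 60):
        self._current = current
        self._previous = None
        self._previous_expires_at = 0.0
        self._overlap = overlap_seconds

    def rotate(self, new_secret, now=None):
        now = time.time() if now is None else now
        self._previous = self._current
        self._previous_expires_at = now + self._overlap
        self._current = new_secret

    def candidates(self, now=None):
        """Secrets to try, newest first; the old one drops out after overlap."""
        now = time.time() if now is None else now
        secrets = [self._current]
        if self._previous is not None and now < self._previous_expires_at:
            secrets.append(self._previous)
        return secrets

def verify_hs256(token, ring, now=None):
    """Return the claims if the token verifies against an active secret and is
    unexpired, otherwise None. Pins alg to HS256 so an 'alg: none' or
    asymmetric-algorithm header cannot bypass the HMAC check."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    presented = _b64url_decode(sig_b64)
    for secret in ring.candidates(now):
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        # Constant-time comparison; a different-length MAC simply fails.
        if hmac.compare_digest(expected, presented):
            claims = json.loads(_b64url_decode(payload_b64))
            if "exp" in claims and claims["exp"] <= now:
                return None
            return claims
    return None

if __name__ == "__main__":
    ring = SigningSecretRing(b"constructed-old-secret")
    t0 = time.time()
    ring.rotate(b"constructed-new-secret", now=t0)
    tok = sign_hs256({"sub": "verify_example", "exp": t0 + 3600}, b"constructed-new-secret")
    print(verify_hs256(tok, ring, now=t0 + 60))
```

The verifier tries the current secret first so that, once you have deployed the new secret, the extra HMAC for the old one is only computed for tokens that were signed before the rotation. Once the overlap passes, `candidates()` returns only the new secret, which is the failure mode the docs describe if the backend was never redeployed: nothing signed with the old secret validates any more.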
Environment endpoints
| Environment | Base URL |
|---|---|
| Sandbox | https://sandbox.api.loricaapi.com/v1 |
| Production | https://api.loricaapi.com/v1 |