Authentication

Requests made to the API are protected with HTTP Basic authentication. In order to properly authenticate with the API you must use your API key as the username while leaving the password blank. Requests not properly authenticated will return a 401 error code. You can find your account's API keys in your Dashboard Settings.

For Basic authentication, the authorization request header contains the Base64-encoded username and password, separated by a colon. When handling the request, the server decodes the login details and checks if the user can access the requested content. Since the authorization you pass to Lob does not have a password you will need to Base64-encode “[API_KEY]:”. 

API keys

Lob authenticates your API requests using your account's API keys. If you do not include your key when making an API request, or use one that is incorrect or outdated, Lob returns an error with a 401 HTTP response code. You can find all API keys in your dashboard under Settings.

There are two types of API keys: secret and publishable.

• Secret API keys should be kept confidential and only stored on your own servers. Your account's secret API key can perform any API request to Lob without restriction.

• Publishable API keys are limited to US verifications, international verifications, and US autocomplete requests. While we encourage you to use a secret key for maximum security, you can publish these keys to JavaScript code or in an Android or iPhone app without exposing print and mail services or your secret key. Publishable keys are always prefixed with [environment]_pub.

Every type comes with a pair of keys: one for the testing environment and one for the live environment. We recommend reading Test and Live Environments for more information.