Skip to main content
Every request carries a partner API key as a bearer token:
curl https://www.getprescience.com/api/partner/v1/ping \
  -H "Authorization: Bearer psk_test_..."
There is no OAuth flow, request signing, or session token; authentication is this one header.

Key formats

PrefixModeBehavior
psk_test_<32 hex>TestFull API, deterministic quotes, sandbox enrollments. No money movement, ever.
psk_live_<32 hex>LiveReal employers, real onboarding. Requires live mode enabled for your account.
The environment comes from the key: same base URL, same endpoints, same payload shapes. Resources are visible only to keys of the same mode: a test key never sees live groups, and vice versa. See Environments. Live keys work only after Prescience enables live mode for your account (see Compliance). Until then, live-key requests return 403 live_mode_disabled.

How keys are issued

Keys are provisioned by Prescience support. Test keys are available for development; live keys are issued after live mode is enabled. The raw key is shown exactly once at issue. We store only a SHA-256 hash, so a lost key cannot be recovered, only replaced. To rotate or revoke a key, contact your Prescience partner engineer. Revocation is immediate, and rotation issues the new key before the old one is revoked, so you can cut over with zero downtime.

Key safety

API keys grant access to employer census data: names, dates of birth, ZIP codes. Treat them like production database credentials.
  • Server-side only. Never ship a key in browser bundles, mobile apps, or client-side code. All Partner API calls should originate from your backend.
  • Secrets manager, not source control. Inject keys via your secrets manager or environment configuration. Add psk_test_ and psk_live_ to your secret-scanning rules.
  • One key per environment. Use separate test keys for development, CI, and staging so any one can be revoked without collateral damage.
  • We never log raw keys and store them only as hashes; lookups compare hashes in constant time. Do the same: redact Authorization headers from your request logs.

Auth errors

StatusCodeMeaning
401unauthorizedMissing, malformed, or revoked key.
403live_mode_disabledValid psk_live_ key, but live mode isn’t enabled for your account yet.
403forbiddenThe key may not access this resource.
429rate_limitedToo many failed auth attempts from this source IP. Successful requests don’t count toward this limiter; see Rate limits.
Full error envelope and code list in Errors.