Certificate-Based Authentication

Encrypt your login payload with Verto certificate material and use the migrated company login route for the recommended authentication method.

Use certificate-based authentication to encrypt your login payload, request a bearer token securely, and implement the recommended authentication method for new Verto integrations.

The Gold Standard

This is the only supported method for new integrations. It utilizes an RSA-encrypted challenge-response mechanism that expires every 30 seconds.


✅ Before you start

Complete these setup steps before you build your auth module:

  1. Create or access your sandbox environment through Quickstart.
  2. Generate your Client ID, API Key, and certificate material in Access Your Credentials.
  3. Install an RSA-compatible crypto library in your backend environment.
  4. Make sure your backend can generate a current UNIX timestamp and base64-encode the encrypted payload.

1️⃣ Step 1 - Obtain Credentials

You require your Client ID and API Key from the portal to begin.


2️⃣ Step 2 - Generate Public Key

  1. Log in to your Sandbox Dashboard.
  2. Navigate to Verto API -> Certificates.
  3. Select Generate Public Key.
  4. Verify your identity via OTP.
  5. Copy the RSA Public Key and store it as a .pem file or environment string.

Store the certificate material securely because your backend will need it every time it generates an encrypted login payload.


3️⃣ Step 3 - Encrypt the Payload

You must encrypt a single string made of your API_KEY and a TIMESTAMP, joined by a colon.

| Component | Format |
| --- | --- |
| Payload | YOUR_API_KEY:UNIX_TIMESTAMP_MS |
| Algorithm | RSA-OAEP with SHA-512 |

Generate the payload immediately before login so the timestamp stays within the accepted validity window.

💻 Code Implementation

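```javascript Node.js
const crypto = require('crypto');

// Values from your own configuration; the environment variable names are placeholders.
const publicKey = process.env.VERTO_PUBLIC_KEY; // PEM-encoded RSA public key
const apiKey = process.env.VERTO_API_KEY;

// Payload format: YOUR_API_KEY:UNIX_TIMESTAMP_MS
const timestamp = Date.now();
const payload = `${apiKey}:${timestamp}`;

// RSA-OAEP with SHA-512
const encrypted = crypto.publicEncrypt({
    key: publicKey,
    padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
    oaepHash: 'sha512'
}, Buffer.from(payload));

// Base64 string to send as "apiKey" in the login request
console.log(encrypted.toString('base64'));
```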
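```python Python
import base64
import os
import time

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding

# Environment variable names are placeholders for your own configuration.
api_key = os.environ["VERTO_API_KEY"]
public_key = serialization.load_pem_public_key(os.environ["VERTO_PUBLIC_KEY"].encode())

timestamp = int(time.time() * 1000)  # UNIX timestamp in milliseconds
payload = f"{api_key}:{timestamp}"
encrypted = public_key.encrypt(
    payload.encode(),
    padding.OAEP(
        mgf=padding.MGF1(algorithm=hashes.SHA512()),
        algorithm=hashes.SHA512(),
        label=None
    )
)
# Base64 string to send as "apiKey" in the login request
print(base64.b64encode(encrypted).decode())
```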

4️⃣ Step 4 - Execute Authenticated Login

Send the base64-encoded apiKey payload to the migrated company login endpoint.

```bash
curl --request POST \
  --url https://api-company-sandbox.vertofx.com/users/login \
  --header 'Content-Type: application/json' \
  --data '{
  "clientId": "YOUR_CLIENT_ID",
  "apiKey": "BASE64_ENCRYPTED_PAYLOAD",
  "mode": "apiKey"
}'
```

Store the returned bearer token securely and send it in the Authorization: Bearer <token> header for subsequent protected API requests.

Use the migrated company login route above for new sandbox integrations instead of legacy api-v3-sandbox.vertofx.com/users/login or older unified auth paths.
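The following added example (not Verto's own code) exercises the Step 3 payload locally: it enforces the RSA-OAEP plaintext size limit before encrypting and shows a payload older than the 30-second window being rejected. Assumptions: the throwaway 2048-bit key pair, the `DEMO_API_KEY` value, and `checkLoginPayload`, which is a hypothetical stand-in for the server-side check.

```javascript
const crypto = require('crypto');

const VALIDITY_MS = 30_000; // 30-second expiry stated on this page
const HASH = 'sha512';
const HASH_LEN = 64;        // SHA-512 digest size in bytes
const OAEP = crypto.constants.RSA_PKCS1_OAEP_PADDING;

// Largest plaintext RSA-OAEP can carry: k - 2*hLen - 2 bytes (RFC 8017).
function maxOaepPlaintext(modulusBits) {
  return modulusBits / 8 - 2 * HASH_LEN - 2;
}

// Client side: build API_KEY:UNIX_TIMESTAMP_MS and encrypt it just before login.
function buildLoginPayload(publicKeyPem, apiKey, nowMs = Date.now()) {
  const key = crypto.createPublicKey(publicKeyPem);
  const plaintext = Buffer.from(`${apiKey}:${nowMs}`, 'utf8');
  const limit = maxOaepPlaintext(key.asymmetricKeyDetails.modulusLength);
  if (plaintext.length > limit) {
    throw new RangeError(`payload is ${plaintext.length} bytes, OAEP limit is ${limit}`);
  }
  return crypto.publicEncrypt({ key, padding: OAEP, oaepHash: HASH }, plaintext)
    .toString('base64');
}

// Hypothetical local stand-in for the server check (assumption, not Verto's logic):
// decrypt, split on the last colon, accept only timestamps inside the window.
function checkLoginPayload(privateKeyPem, b64, nowMs = Date.now()) {
  const plain = crypto.privateDecrypt(
    { key: privateKeyPem, padding: OAEP, oaepHash: HASH },
    Buffer.from(b64, 'base64')
  ).toString('utf8');
  const sep = plain.lastIndexOf(':');
  const ts = Number(plain.slice(sep + 1));
  const fresh = Number.isFinite(ts) && Math.abs(nowMs - ts) <= VALIDITY_MS;
  return { apiKey: plain.slice(0, sep), fresh };
}

// Constructed throwaway key pair for the demo; the 2048-bit size is an assumption.
const demoKeys = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});

const issuedAt = Date.now();
const b64 = buildLoginPayload(demoKeys.publicKey, 'DEMO_API_KEY', issuedAt);
console.log(checkLoginPayload(demoKeys.privateKey, b64, issuedAt + 5_000).fresh);
console.log(checkLoginPayload(demoKeys.privateKey, b64, issuedAt + 31_000).fresh);
```

With a 2048-bit key and SHA-512, the API key plus separator and timestamp must fit in 126 bytes, so a cached or queued payload fails on age and an oversized key fails before any request is sent.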

