# Authentication

> How to authenticate with the Truv API

## Base URL

All API requests use the same base URL regardless of environment:

```
https://prod.truv.com/v1/
```

<Info>
  Your **Access Secret** determines which environment the request is routed to, not the URL. Sandbox and Production both use the same endpoint.
</Info>

***

## API Authentication

All Truv API requests require authentication using your **Client ID** and **Secret**.

### Get your credentials

1. Log in to [dashboard.truv.com](https://dashboard.truv.com)
2. Navigate to **Development** → **API Keys**
3. Copy your credentials

<Warning>
  **Keep your API Secret secure!**

  * Never expose your secret in client-side code
  * Don't commit credentials to version control
  * Use environment variables in production
</Warning>

<Warning>
  **Protect each Link's `access_token`**

  The `access_token` returned when a user connects a provider grants ongoing access to that user's data. Keep it on your backend, never in client-side code, and associate it with the user in your system. See [Bridge token best practices](/developers/best-practices/bridge-token).
</Warning>

***

## Authentication headers

Include these headers in every API request:

```text
X-Access-Client-Id: your_client_id
X-Access-Secret: your_api_secret
```

### Example Request

```bash
curl -X GET https://prod.truv.com/v1/users/ \
  -H "X-Access-Client-Id: YOUR_TRUV_CLIENT_ID" \
  -H "X-Access-Secret: YOUR_TRUV_CLIENT_SECRET" \
  -H "Content-Type: application/json"
```

***

## Environments

| Environment    | Base URL                    | Purpose                                   |
| -------------- | --------------------------- | ----------------------------------------- |
| **Sandbox**    | `https://prod.truv.com/v1/` | Testing with predefined sample data       |
| **Production** | `https://prod.truv.com/v1/` | Live data; each successful task is billed |

Your Access Secret prefix determines the environment:

| Prefix     | Environment | Example                                            |
| ---------- | ----------- | -------------------------------------------------- |
| `sandbox-` | Sandbox     | `sandbox-a57b3109f1f4a8b3f2ebbc1c526950f1795464af` |
| `prod-`    | Production  | `prod-e82c4f19d3a7b6e5f0c8d2a1b4e7f3a6d9c2b5e8`    |

<Info>
  Sandbox and production use the same base URL. Your Access Secret prefix determines which environment the request is routed to.
</Info>

***

## API Key Rotation

Rotate your API keys periodically or whenever credentials may have been compromised.

### Dashboard-Only Integrations

If you create [Orders](/developers/integration/hosted-orders/new-user) exclusively through the Dashboard:

1. Create a new key in the [Truv Dashboard API Keys page](https://dashboard.truv.com/app/development/keys)
2. Delete the old key. Pending transactions with the original key continue to process.

### API Integrations

For embedded solutions or Orders created via the API:

<Steps>
  <Step title="Create a new key">
    Generate a new key in the Truv Dashboard.

    <Tip>
      Create a sandbox key first to test before updating production.
    </Tip>
  </Step>

  <Step title="Update all locations">
    Search your code for the `X-Access-Secret` header and replace the old key everywhere.
  </Step>

  <Step title="Delete the previous key">
    Remove outdated keys to reduce risk. Pending transactions with the original key continue to process.

    <Warning>
      Deleting keys cannot be undone. Confirm the new key is working before deleting the old one.
    </Warning>
  </Step>
</Steps>
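
An added example (not part of Truv's documentation or tooling) for the "Update all locations" step: a scanner that finds hardcoded secrets by the `sandbox-`/`prod-` prefixes described above and lists lines that reference the `X-Access-Secret` header, redacting values in its report. The hex-string pattern is an assumption inferred from this page's two example secrets; `SKIP_DIRS` and the function names are illustrative.

```python
import re
import sys
from pathlib import Path

# Assumption: secrets follow the shape of the page's examples, an environment
# prefix ("sandbox-" or "prod-") followed by a long lowercase hex string.
SECRET_RE = re.compile(r"\b(sandbox|prod)-([0-9a-f]{32,})\b")
HEADER_RE = re.compile(r"X-Access-Secret", re.IGNORECASE)
SKIP_DIRS = {".git", "node_modules", ".venv", "__pycache__"}


def redact(secret):
    """Keep the prefix and last 4 characters so a report never leaks the key."""
    prefix, _, body = secret.partition("-")
    return f"{prefix}-...{body[-4:]}"


def scan_text(text, source="<memory>"):
    """Report hardcoded secrets, plus header use sites that carry no literal
    (confirm those read the value from the environment)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        secrets = [m.group(0) for m in SECRET_RE.finditer(line)]
        for s in secrets:
            env = "production" if s.startswith("prod-") else "sandbox"
            findings.append((source, lineno, "hardcoded-secret", env, redact(s)))
        if not secrets and HEADER_RE.search(line):
            findings.append((source, lineno, "header-reference", None, None))
    return findings


def scan_tree(root):
    """Scan every readable file under root, skipping VCS and dependency dirs."""
    root, findings = Path(root), []
    for path in sorted(root.rglob("*")):
        if path.is_file() and not SKIP_DIRS.intersection(path.relative_to(root).parts):
            try:
                text = path.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue
            findings.extend(scan_text(text, str(path)))
    return findings


if __name__ == "__main__":
    results = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for source, lineno, kind, env, shown in results:
        print(f"{source}:{lineno}: {kind} {env or ''} {shown or ''}".rstrip())
    # Non-zero exit on any hardcoded secret so this can gate a commit or CI job.
    sys.exit(1 if any(f[2] == "hardcoded-secret" for f in results) else 0)
```

Run it against the repository root before deleting the old key; every `hardcoded-secret` line is a literal to move into an environment variable, and every `header-reference` line is a place to confirm the new key is picked up.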

***

## Security

For webhook verification and data protection guidelines, see the [Security](/api-reference/security) section.

***

## Next steps

<CardGroup cols={2}>
  <Card title="Core Concepts" icon="diagram-project" href="/api-reference/data-structure">
    Understand orders, links, tasks, and the Truv data model
  </Card>

  <Card title="Security & Compliance" icon="shield-check" href="/api-reference/security">
    Data protection, encryption, and compliance guidelines
  </Card>
</CardGroup>
