Image API Authentication

The CertiLock Image API uses a simple API-key authentication scheme. All requests to /api/image and /api/image-random must include a valid key.


How Authentication Works

The ImageAPI controller calls its private verify(Request $request) method before processing any request. When verification fails, the controller returns:

HTTP 401
{"error": "401 Unauthorized. Access Not Allowed"}

Providing the API Key

Include the API key as a query parameter in every request:

GET /api/image?serial_number=SN123456&api_key=YOUR_API_KEY
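As an added illustration (not the CertiLock project's own code), the following sketches a verify(Request $request) method of the shape the page describes: it reads the api_key query parameter, compares it in constant time against the configured key, and returns the documented 401 body on failure. The config key services.image_api.key and the show() action are assumptions; the page does not say where the key is stored.

```php
<?php
// Illustrative verify() method in Laravel style; not the CertiLock code.
// 'services.image_api.key' is an assumed location for the configured key.

namespace App\Http\Controllers;

use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;

class ImageAPI extends Controller
{
    public function show(Request $request): JsonResponse
    {
        // Authenticate before touching any other input or S3.
        if (($denied = $this->verify($request)) !== null) {
            return $denied;
        }
        // ... fetch the object for $request->query('serial_number') from S3
        return response()->json(['status' => 'ok']);
    }

    // Returns null when the presented key is valid, otherwise the 401 response.
    private function verify(Request $request): ?JsonResponse
    {
        $expected  = (string) config('services.image_api.key', '');
        $presented = (string) $request->query('api_key', '');

        // Deny when no key is configured at all, so an unset config value can
        // never be matched by an empty or missing api_key parameter.
        // hash_equals() runs in constant time, so response timing does not
        // reveal how many leading characters of a guess were correct.
        if ($expected === '' || !hash_equals($expected, $presented)) {
            return response()->json(
                ['error' => '401 Unauthorized. Access Not Allowed'],
                401
            );
        }
        return null;
    }
}
```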

Managing API Keys

API keys are stored in the application configuration or environment variables. Contact the platform administrator to obtain a key or rotate an existing one.

Security

Never expose API keys in client-side JavaScript or publicly accessible repositories. Always call the Image API from a trusted server-side context.


S3 Access

The API itself communicates with AWS S3 using the credentials defined in the environment:

AWS_ACCESS_KEY_ID=...
AWS_SECRET_ACCESS_KEY=...
AWS_DEFAULT_REGION=us-east-1
AWS_BUCKET=certilock-storage

The S3 bucket should not be publicly accessible. All access is routed through the Image API, which acts as a middleware layer: it enforces API-key authentication before proxying any request to S3.