Back to Docs

Authentication & API Keys

ComplianceGrid uses OAuth 2.0 Bearer tokens as the primary authentication method. Exchange your credentials for a short-lived token via the client_credentials grant, then pass it in the Authorization header.

Reading time: 5 minLast updated: Feb 2026

API Key Types

ComplianceGrid uses prefixed API keys so you can instantly identify the environment and type at a glance.

cg_sk_*Sandbox KeySandbox

Returns mock/canned data. Free to use, no billing. Rate limited to 60 req/min, 1,000 req/day.

Routes to → sandbox.api.compliancegrid.ai

cg_pk_*Production KeyProduction

Accesses real government data sources. Billed at $0.01 per call. Full rate limits apply.

Routes to → api.compliancegrid.ai

cg_client_*Client IDBoth

Your application identifier for the OAuth 2.0 client_credentials flow. Not a secret — safe to store in config.

Method 1: OAuth 2.0 Bearer Token (Recommended)

Exchange your Client ID + API key for a short-lived Bearer token. This is the recommended approach for all integrations — tokens are scoped, short-lived, and follow OAuth 2.0 best practices.

Step 1: Exchange credentials for a token

oauth-token.sh
curl -X POST https://sandbox.api.compliancegrid.ai/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=cg_client_your_client_id" \
  -d "client_secret=cg_sk_your_sandbox_key"

# Response:
# {
#   "access_token": "eyJhbGciOiJSUzI1NiI...",
#   "token_type": "Bearer",
#   "expires_in": 86400,
#   "scope": "compliance:read hs:read pharma:read ...",
#   "environment": "sandbox"
# }

Step 2: Use the Bearer token in requests

bearer-request.sh
curl -X POST https://sandbox.api.compliancegrid.ai/v1/compliance/restricted-party-screening \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiI..." \
  -H "Content-Type: application/json" \
  -d '{"parties": [{"name": "Huawei Technologies", "country": "CN"}]}'

Token Lifetime

Sandbox tokens expire in 24 hours. Production tokens expire in 1 hour. Refresh by requesting a new token.

Scopes

Tokens are scoped to the API verticals your subscription includes. Check the scope field in the token response.

Method 2: Direct API Key Header (Alternative)

For quick testing, you can pass your API key directly in the x-api-key header. No token exchange required. We recommend upgrading to Bearer tokens for production use.

direct-api-key.sh
# Sandbox — returns mock data
curl -X POST https://sandbox.api.compliancegrid.ai/v1/compliance/restricted-party-screening \
  -H "Content-Type: application/json" \
  -H "x-api-key: cg_sk_your_sandbox_key_here" \
  -d '{"parties": [{"name": "Huawei Technologies", "country": "CN"}]}'

# Production — real government data, billed
curl -X POST https://api.compliancegrid.ai/v1/compliance/restricted-party-screening \
  -H "Content-Type: application/json" \
  -H "x-api-key: cg_pk_your_production_key_here" \
  -d '{"parties": [{"name": "Huawei Technologies", "country": "CN"}]}'

Note: Direct API key usage is supported for convenience but Bearer tokens are recommended for production. Bearer tokens are short-lived, scoped, and revocable — reducing the blast radius of a compromised credential.

SDK Authentication

The official SDKs handle authentication and routing for you. Just pass your API key and the SDK does the rest.

auth.ts
import ComplianceGrid from "@compliancegrid/sdk";

// SDK auto-routes based on key prefix
const cg = new ComplianceGrid({
  apiKey: process.env.COMPLIANCEGRID_API_KEY,
});

// cg_sk_ → sandbox.api.compliancegrid.ai
// cg_pk_ → api.compliancegrid.ai
auth.py
from compliancegrid import ComplianceGrid

# SDK auto-routes based on key prefix
cg = ComplianceGrid(
    api_key=os.environ["COMPLIANCEGRID_API_KEY"]
)

# cg_sk_ → sandbox.api.compliancegrid.ai
# cg_pk_ → api.compliancegrid.ai

Security Best Practices

Never expose keys in client-side code

API keys should only be used server-side. Never embed them in frontend JavaScript, mobile apps, or public repositories.

Use environment variables

Store keys in environment variables or a secrets manager. Never hardcode them in source files.

Rotate keys regularly

Use the Developer Portal to rotate keys. The old key remains valid for 24 hours after rotation to allow migration.

Use sandbox keys for development

Sandbox keys (cg_sk_) are free and return mock data. Use them during development and testing to avoid accidental production charges.

Monitor usage in the Developer Portal

Check the Usage tab regularly for unexpected spikes. Set up alerts if unusual activity is detected.

Sandbox vs Production

Learn the differences between environments

Rate Limits

Understand request limits and quotas

SDKs & Libraries

Install the official TypeScript or Python SDK