API Reference v1.0
Home Industries Dashboard Trust Registry GitHub

Authentication

JustYes.ID uses two authentication methods depending on the endpoint type. Public endpoints (Trust Registry, JWKS, Directory) require no authentication.

Ghost Secret (Server-Side)
X-JustYes-API-Key: sk_live_...
Your Ghost Secret key. Used for server-to-server calls only. Generated in your Partner Dashboard under API Keys. Treat it like a password.
Ghost Public (Client-Side)
pk_live_...  |  Authorization: Bearer <token>
Your Ghost Public key (pk_live_) is safe for frontend embed snippets. Dashboard endpoints use a Bearer token from POST /partners/login (expires 24h).
Never expose your Ghost Secret (sk_live_) in frontend code. Use the Ghost Public key (pk_live_) for client-side integrations. The Ghost Secret should only live on your server.

The Ghost Proof — What Partners Receive

JustYes.ID never shares PII. Partners receive only a signed cryptographic attestation.

GHOST PROOF 
200 OK{
  "verified": true,
  "age_gate": "21+",
  "trust_root": "state:LA",
  "state_authority": "LA_ACT_440",
  "receipt_id": "JYID-2026-9A2B7F3D",
  "timestamp": "2026-04-01T15:00:00Z",
  "schnorr_proof": "0x7f3a...92a1",
  "pii_shared": "none",
  "token_type": "Bearer",
  "expires_in": 3600
}
Zero PII transmitted — Ghost Verified

Sandbox Mode — Try It Out

Use the mock client vlt_test_123 to test the verification flow without a real merchant account. Sandbox requests skip AWS Rekognition and return instant mock results. Set the header X-Sandbox: true or use the test slug.