Authentication

API keys are issued per Project

All requests (except verify_account) require an API key in the Authorization header.

Authorization header
Authorization: Api-Key <your_api_key>

How to get credentials

API keys are issued per Project by the TREVEX team. Contact your account manager or email integrations@trevex.io to provision a Project for your integration. You’ll receive two separate secrets:

| Secret | Used for | Header / Usage |
| --- | --- | --- |
| API key | Authenticating your requests to TREVEX | Authorization: Api-Key ... |
| Webhook signing secret | Verifying that inbound webhooks genuinely came from TREVEX | HMAC-SHA256 - see Webhooks |

Each Project must also have a webhook_url configured to receive approval notifications.

Example request

curl -X GET 'https://api.trevex.io/apis/email/user_lookup/?email=john.doe@example.com' \
  -H 'Authorization: Api-Key YOUR_API_KEY'

Security notes

Treat API keys and webhook signing secrets as production credentials. Store them in a secret manager, not in source control. Rotate immediately if either is exposed.

  • API keys scope to a single Project. Different environments (staging, prod) should use different keys.
  • Webhook signing secrets are separate from API keys. Losing or rotating one doesn’t affect the other.
  • If either secret is compromised, notify TREVEX to revoke it.
  • The verify_account endpoint is public by design - it is hit by the user’s browser from the email verification link.
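
One way to enforce the "not in source control" rule above is a pre-commit or CI check that flags literal values in the `Authorization: Api-Key` header while ignoring placeholders and variable references. This is an added example, not TREVEX code; the `TREVEX_API_KEY` variable name and the sample key are constructed for illustration.

```python
import re
import sys

# The header scheme documented on this page, as it appears in curl flags,
# config files, or source-code string literals (optionally f-strings).
HEADER_RE = re.compile(
    r"""Authorization["']?\s*[:=]\s*f?["']?\s*Api-Key\s+(?P<value>[^\s"'\\]+)""",
    re.IGNORECASE,
)

def is_placeholder(value):
    """True for variable references and doc placeholders, not literal keys."""
    return (
        value.startswith(("$", "{", "<", "%"))  # $VAR, {var}, <your_api_key>, %s
        or value.upper() == "YOUR_API_KEY"
        or set(value) <= {"."}                  # "..."
    )

def scan_text(text):
    """Return (line_number, redacted_line) for each hard-coded key found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = HEADER_RE.search(line)
        if m is None or is_placeholder(m.group("value")):
            continue
        # Never echo the secret itself into CI logs.
        redacted = line[:m.start("value")] + "[REDACTED]" + line[m.end("value"):]
        findings.append((lineno, redacted.strip()))
    return findings

# Constructed sample input; the key on line 3 is made up, and
# TREVEX_API_KEY is a hypothetical environment variable name.
SAMPLE = """\
curl -H 'Authorization: Api-Key YOUR_API_KEY' "$URL"
curl -H "Authorization: Api-Key $TREVEX_API_KEY" "$URL"
headers = {"Authorization": "Api-Key constructed-not-a-real-key-0001"}
headers = {"Authorization": f"Api-Key {api_key}"}
Authorization: Api-Key <your_api_key>
"""

if __name__ == "__main__":
    # Scan files named on the command line (e.g. from a pre-commit hook);
    # with no arguments, scan the constructed sample.
    sources = {p: open(p, encoding="utf-8", errors="replace").read()
               for p in sys.argv[1:]} or {"<sample>": SAMPLE}
    hits = [(name, n, l) for name, text in sources.items()
            for n, l in scan_text(text)]
    for name, n, l in hits:
        print(f"{name}:{n}: {l}")
    sys.exit(1 if hits else 0)
```

The script exits non-zero when it finds a literal key, so it can block a commit or fail a pipeline step.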