Authentication
Header format
All Sahayak APIs accept a single header:
Authorization: Bearer <your_key>
Keys are tier-prefixed:
| Prefix | Tier | Where issued |
|---|---|---|
| sk_sandbox_ | Sandbox (free) | Email request, 4-hour SLA |
| sk_starter_ | Starter (₹4,999/mo) | Razorpay checkout completion |
| sk_growth_ | Growth (₹19,999/mo) | Razorpay checkout completion |
| sk_scale_ | Scale (custom) | Direct from founder after onboarding call |
Each prefix is a 12-char marker followed by 32 random base62 characters. Total length 44 characters.
Environment separation
Keys are environment-locked. An sk_starter_ key cannot call sandbox endpoints, and sk_sandbox_ keys cannot reach live billing-eligible endpoints. This prevents accidental staging-to-production leakage.
If you operate dev/staging/prod environments, request three separate sk_starter_ (or sk_growth_) keys at the same paid tier. Each key bills against the same monthly cap, but rate limits and quotas are tracked per-key — useful for staging traffic isolation.
Key rotation
Mandatory 90-day rotation. Keys older than 90 days are flagged for rotation; keys older than 180 days are auto-disabled. Both events trigger an email to your registered tech contact 14 days in advance.
Rotation procedure:
- Request rotation — Email prafful@sahayakonline.co.in with your current key prefix (last 4 chars only — never paste the full key in email).
- Receive new key — A new key is issued within 1 working hour. Both old and new keys remain active for 7 days.
- Cut over your callers — Update your secret store, redeploy. Verify all calls use the new key (the audit-log endpoint accepts Authorization of either key during cutover).
- Confirm cutover — Reply to the rotation email confirming all callers are on the new key. The old key is revoked within 24 hours of confirmation.
Webhook signature verification (consent-flow APIs)
A small number of APIs (DigiLocker NAD, RERA project status updates) emit webhooks. Each webhook is signed with HMAC-SHA256 over the raw request body using your customer-specific webhook secret (issued at onboarding).
Python:

```python
import hmac, hashlib, os

def verify(raw_body: bytes, signature_header: str) -> bool:
    # HMAC-SHA256 over the raw (unparsed) request body, keyed with your webhook secret
    expected = hmac.new(
        os.environ["SAHAYAK_WEBHOOK_SECRET"].encode(),
        raw_body,
        hashlib.sha256,
    ).hexdigest()
    # constant-time comparison so the check does not leak how many bytes matched
    return hmac.compare_digest(expected, signature_header)
```

Node.js:

```javascript
import { createHmac, timingSafeEqual } from 'crypto';

export function verify(rawBody, signatureHeader) {
  // HMAC-SHA256 over the raw (unparsed) request body, keyed with your webhook secret
  const expected = createHmac('sha256', process.env.SAHAYAK_WEBHOOK_SECRET)
    .update(rawBody)
    .digest('hex');
  const a = Buffer.from(expected, 'hex');
  const b = Buffer.from(signatureHeader, 'hex');
  // timingSafeEqual throws on a length mismatch; a malformed header is just a failed check
  if (a.length !== b.length) return false;
  return timingSafeEqual(a, b);
}
```
The signature is sent in the X-Sahayak-Signature header.
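A complete receiver built around the verification above, as an added example that is not part of the Sahayak documentation or SDK. It uses a constructed secret and payload instead of the environment variable so it runs offline, and it shows the two failure modes a practitioner most often hits: verifying before JSON parsing (a body that is parsed and re-serialized no longer matches the signature), and treating a missing or altered X-Sahayak-Signature header as a plain rejection rather than an exception. The `handle_webhook` function, its status codes and the sample event are assumptions for illustration.

```python
import hmac
import hashlib
import json

# Constructed sample secret and payload for this example only. A real receiver reads the
# secret from SAHAYAK_WEBHOOK_SECRET and the body as raw bytes from the request.
SAMPLE_SECRET = b"whsec_example_do_not_use"
SAMPLE_BODY = b'{"event":"rera.project.status","project_id":"P-123","status":"approved"}'


def sign(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the raw body, hex-encoded (the scheme the page describes)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify(secret: bytes, raw_body: bytes, signature_header) -> bool:
    """Constant-time check; a missing or non-string header is a failed check, not an error."""
    if not isinstance(signature_header, str):
        return False
    return hmac.compare_digest(sign(secret, raw_body), signature_header)


def reserialized(raw_body: bytes) -> bytes:
    """What the body looks like after json.loads + json.dumps: different whitespace,
    so a signature computed over the original bytes will not match it."""
    return json.dumps(json.loads(raw_body)).encode()


def handle_webhook(headers: dict, raw_body: bytes, secret: bytes = SAMPLE_SECRET) -> int:
    """Minimal receiver returning an HTTP status code. The signature is verified over the
    raw bytes BEFORE the body is parsed. Header lookup here is exact-case for simplicity;
    real frameworks expose headers case-insensitively."""
    if not verify(secret, raw_body, headers.get("X-Sahayak-Signature")):
        return 401  # unsigned, tampered, or wrong secret: reject before doing any work
    try:
        event = json.loads(raw_body)
    except ValueError:
        return 400  # authentic but malformed payload
    # Dispatch on event["event"] here (omitted in this example).
    return 200 if isinstance(event, dict) else 400


if __name__ == "__main__":
    sig = sign(SAMPLE_SECRET, SAMPLE_BODY)
    print("valid:", handle_webhook({"X-Sahayak-Signature": sig}, SAMPLE_BODY))
    print("tampered:", handle_webhook({"X-Sahayak-Signature": sig}, SAMPLE_BODY + b" "))
    print("re-serialized body verifies:", verify(SAMPLE_SECRET, reserialized(SAMPLE_BODY), sig))
```

The last line of the demo is the pitfall to remember: frameworks that hand you a parsed object make it tempting to re-serialize it for signing, but only the exact bytes on the wire match the sender's HMAC, so capture the raw body before any middleware touches it.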
Compromised-key procedure
If you suspect a key leak (committed to git, posted in support chat, exposed in a log):
- Email prafful@sahayakonline.co.in with subject "Compromised Key — IMMEDIATE".
- Include the prefix + last 4 chars of the leaked key.
- We disable the key within 30 minutes (24 hours is the hard SLA) and issue a replacement.
- We share the access log of the leaked key (last 30 days) with your security team within 4 working hours.
There is no charge for emergency rotation.
Storage recommendations
Never put the key in:
- Source control (use git secret-scanning hooks)
- Browser-side JavaScript (always proxy through your backend)
- Mobile app bundles (decompiled in seconds)
- Slack/Email where retrieval-by-search is easy
Do put the key in:
- Secret managers (AWS Secrets Manager, Vault, GCP Secret Manager)
- Environment variables sourced from those managers at process start
- Containers' encrypted environment, never their filesystem
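The key format, the environment lock, the "prefix + last 4 chars" reporting rule and the advice to run secret-scanning hooks all come down to recognising what a Sahayak key looks like. The following is an added example, not code from Sahayak, that puts those pieces in one place: a format check, a client-side guard that refuses to send a sandbox key to a live base URL (or a paid-tier key to sandbox), a redaction helper that produces the identifier the rotation and compromise emails ask for, and a scanner you could call from a pre-commit hook. The regex is an assumption derived from the page's description (tier prefix followed by 32 base62 characters), the environment names "sandbox"/"live" are assumed, and the sample keys and diff are constructed.

```python
import re
import sys

# Key shape as the page describes it: tier prefix + 32 random base62 characters.
# This regex is an assumption based on that description, not a published specification.
KEY_RE = re.compile(r"sk_(sandbox|starter|growth|scale)_[0-9A-Za-z]{32}")
FULL_KEY_RE = re.compile(r"^" + KEY_RE.pattern + r"$")
LIVE_TIERS = {"starter", "growth", "scale"}

# Constructed sample keys and a constructed diff fragment for this example only.
SAMPLE_SANDBOX = "sk_sandbox_zZyY0011wWvV2233uUtT4455sSrR6677"
SAMPLE_STARTER = "sk_starter_AbCd1234EfGh5678IjKl9012MnOp3456"
SAMPLE_DIFF = (
    '+SAHAYAK_KEY = "sk_starter_AbCd1234EfGh5678IjKl9012MnOp3456"\n'
    '+OTHER = "sk_nope_not_a_real_prefix"\n'
)


def key_tier(key: str):
    """Return the tier name for a well-formed key, or None if it is not a key at all."""
    m = FULL_KEY_RE.match(key)
    return m.group(1) if m else None


def key_matches_environment(key: str, environment: str) -> bool:
    """Mirror the server-side environment lock before a request leaves the client:
    sandbox keys only go to the sandbox, paid-tier keys only go live."""
    tier = key_tier(key)
    if tier is None:
        return False
    if environment == "sandbox":
        return tier == "sandbox"
    if environment == "live":
        return tier in LIVE_TIERS
    return False  # unknown environment name: fail closed


def redact(key: str) -> str:
    """The safe identifier for rotation/compromise emails: prefix plus last 4 characters."""
    tier = key_tier(key)
    if tier is None:
        raise ValueError("not a Sahayak key")
    return f"sk_{tier}_...{key[-4:]}"


def find_leaked_keys(text: str) -> list:
    """Scan a blob (staged diff, log export, chat dump) and report matches in redacted form."""
    return [redact(m.group(0)) for m in KEY_RE.finditer(text)]


def precommit_check(text: str) -> int:
    """Exit code for a pre-commit hook: non-zero when anything key-shaped is present."""
    leaks = find_leaked_keys(text)
    for item in leaks:
        print(f"refusing commit: key-shaped string found ({item})", file=sys.stderr)
    return 1 if leaks else 0


if __name__ == "__main__":
    # Usage as a hook: git diff --cached | python this_script.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    sys.exit(precommit_check(data))
```

Running the scanner over the staged diff catches the most common leak path (a key pasted into a config file), and the same redaction helper keeps the identifier you report in the compromise email down to the prefix and last four characters the page asks for.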