Auth by operation
| Operation | Auth |
|---|---|
| `POST /api/v1/verification` | Signed standard string, or advanced server path with access key + `X-Neus-App` |
| `GET /api/v1/proofs/{qHash}` | Public metadata for public/unlisted; private needs owner rules |
| Private payload reads | Owner signature / SDK helpers |
Do Not
- Do not treat proof signatures as bearer tokens (they are request-bound)
- Do not embed secrets in browser bundles
- Do not call the NEUS API from browser JavaScript with hand-written fetch and custom headers; use SDK or Hosted Verify, or proxy through your server
- Do not log or persist:
  - proof signatures
  - API keys
  - third-party auth credentials or provider tokens
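One way to enforce the "do not log or persist" rule on a server that proxies NEUS calls, as an added example (not NEUS SDK code): a redactor applied to every event before it reaches a logger or datastore. The key-name pattern, the sample event and its field names are assumptions constructed for illustration.

```javascript
// Added example. Key names are matched by pattern because the exact field
// names used by your app are not known here (assumption). Over-matching
// (e.g. "tokenCount") is accepted: losing a log field is cheaper than a leak.
const SENSITIVE_KEY =
  /(signature|api[-_]?key|access[-_]?key|secret|token|password|authorization|cookie|credential)/i;
const BEARER = /\bBearer\s+[\w.~+\/-]+=*/gi; // bearer values inside free text
const REDACTED = '[REDACTED]';

// Returns a redacted deep copy; the input object is never mutated.
function redact(value, ancestors = new WeakSet()) {
  if (typeof value === 'string') return value.replace(BEARER, `Bearer ${REDACTED}`);
  if (value === null || typeof value !== 'object') return value;
  if (ancestors.has(value)) return '[Circular]'; // avoid infinite recursion
  ancestors.add(value);
  let out;
  if (Array.isArray(value)) {
    out = value.map((v) => redact(v, ancestors));
  } else {
    out = {};
    for (const [key, v] of Object.entries(value)) {
      out[key] = SENSITIVE_KEY.test(key) ? REDACTED : redact(v, ancestors);
    }
  }
  ancestors.delete(value); // shared (non-cyclic) references stay readable
  return out;
}

// Serialise an event for logging only after redaction.
function toLogLine(event) {
  return JSON.stringify(redact(event));
}

// Constructed sample event (not real NEUS traffic).
const sampleEvent = {
  route: 'POST /api/v1/verification',
  headers: { 'X-Neus-App': 'demo-app', Authorization: 'Bearer constructed-access-key' },
  body: {
    qHash: 'constructed-qhash',
    signature: '0xconstructedsig',
    data: { providerToken: 'constructed-oauth-token' },
  },
  note: 'upstream replied: Bearer constructed-access-key rejected',
};

console.log(toLogLine(sampleEvent));
```

Call `toLogLine` at the single point where events leave your code for a log sink, so no handler can bypass it.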
Defaults
`client.verify()` defaults to private. VerifyGate uses Hosted Verify with the published gate policy.
If you need proof reuse without owner-authenticated access, opt into unlisted public explicitly:
```javascript
const proofOptions = {
  privacyLevel: 'public',
  publicDisplay: false,
};
```
Do not treat unlisted public proofs as secret.
| Control | Purpose |
|---|---|
| `privacyLevel` | Default private; switch to public only for intentional public reuse |
| `publicDisplay` | Discovery vs unlisted |
| `storeOriginalContent` | Advanced storage control |
Unlisted public proofs are still public to anyone with the qHash.