Authentication overview
Privacy.com provides distinct authentication mechanisms for its API and its user-facing applications. The API is designed for developers to programmatically interact with the Privacy.com platform, primarily for virtual card creation and management, while the web and mobile applications are for end-users to manage their accounts and virtual cards directly. Both methods are designed to secure access to financial information and transaction controls.
For API interactions, authentication relies on API keys, which are long, unique strings that authorize requests. These keys grant access to specific functionalities depending on the permissions assigned. The API enables operations such as listing cards, creating new virtual cards, updating card limits, and closing cards programmatically, as detailed in the Privacy.com API documentation.
User authentication for the Privacy.com web dashboard and mobile apps follows standard practices, typically involving a username (email address) and password. This is often supplemented with multi-factor authentication (MFA) to provide an additional layer of security, verifying a user's identity through a second factor, such as a code from an authenticator app or an SMS code, before granting access to their account and financial details.
The system is built with security considerations in mind, maintaining SOC 2 Type II compliance, which indicates adherence to specific trust service principles for security, availability, processing integrity, confidentiality, and privacy.
Supported authentication methods
Privacy.com employs different authentication methods tailored to the specific interface and use case. The primary methods include API Key authentication for programmatic access and traditional username/password with MFA for user-facing applications.
| Method | When to Use | Security Level |
|---|---|---|
| API Key | Programmatic access via the Privacy.com API (e.g., creating virtual cards, managing transactions from custom applications). | High (requires secure handling of the key; permissions can be scoped). |
| Username/Password + MFA | Logging into the Privacy.com web dashboard or mobile applications to manage account settings, view transactions, and create cards manually. | High (MFA adds significant protection against unauthorized access even if passwords are compromised). |
API keys are a common method for authenticating requests to web services, offering a balance between security and ease of implementation for developers. They function as a secret token that clients include with their API requests to prove their identity and obtain authorization. For further reading on API key authentication, the MDN Web Docs on HTTP Authentication provide a general overview of authentication concepts in web development.
Multi-factor authentication (MFA) is a critical security feature enhancing the protection of user accounts. By requiring two or more verification factors, MFA significantly reduces the risk of unauthorized access. The FIDO Alliance provides extensive resources on strong authentication standards and the benefits of moving beyond single-factor authentication.
Getting your credentials
To access the Privacy.com API, you must obtain an API key from your Privacy.com account dashboard. This process typically involves a few steps:
- Log In to Privacy.com: Access your account through the Privacy.com website.
- Navigate to API Settings: Once logged in, locate the 'Developers' or 'API' section within your account settings. The exact path may vary but is usually found under profile or security settings.
- Generate API Key: Within the API section, there will be an option to generate a new API key. It's common practice for platforms to allow the generation of multiple keys, which can be useful for different applications or environments. When generating a key, you may be prompted to name it for identification purposes.
- Securely Store Your Key: Once generated, the API key is typically displayed only once. It is crucial to copy and store this key immediately and securely. Best practices dictate never hardcoding API keys directly into your application's source code. Instead, use environment variables or a secure secret management system.
- Understand Key Permissions: Review any permissions or scopes associated with the API key during its generation. Some platforms allow you to restrict what an API key can do (e.g., read-only access, specific resource access). Privacy.com's documentation doesn't specify granular key permissions, but checking for them is good general practice.
For user authentication to the Privacy.com dashboard or mobile apps, credentials are set up during the account creation process. This involves choosing a strong, unique password and, whenever possible, enabling multi-factor authentication (MFA) through the account's security settings. Privacy.com supports common MFA methods like authenticator apps (e.g., Google Authenticator, Authy) or SMS-based codes.
Authenticated request example
When making API requests to Privacy.com, your API key must be included in the request headers for authentication. The Privacy.com API expects the API key to be sent in the Authorization header using the Basic scheme, where the username is your API key and the password is an empty string. This is a common pattern for simple API key authentication.
Here's an example of how you might make an authenticated request to list your virtual cards using curl, which is a common command-line tool for making HTTP requests:
```shell
curl -X GET \
  'https://api.privacy.com/v1/cards' \
  -H 'Authorization: Basic YOUR_API_KEY_ENCODED_AS_BASE64' \
  -H 'Content-Type: application/json'
```
Note on YOUR_API_KEY_ENCODED_AS_BASE64: The Authorization: Basic header requires the API key to be base64 encoded. Specifically, you encode the string YOUR_API_KEY: (including the colon and empty password) into base64. Many HTTP client libraries handle this encoding automatically if you provide the username and an empty password. For example, if your API key is sk_live_YOUR_KEY_HERE, you would encode sk_live_YOUR_KEY_HERE:. A typical base64 encoded string would look something like c2tfbGl2ZV9ZT1VSX0tFWV9IRVJFOg==.
In a programming language like Python, using the requests library, this might look like:
```python
import os

import requests

api_key = os.getenv('PRIVACY_API_KEY')  # Securely retrieve API key from environment variable

if api_key:
    url = "https://api.privacy.com/v1/cards"
    headers = {
        "Content-Type": "application/json"
    }
    # requests builds the Basic header from (username, password); the password is empty
    response = requests.get(url, headers=headers, auth=(api_key, ''), timeout=10)
    if response.status_code == 200:
        print("Successfully retrieved cards:")
        print(response.json())
    else:
        print(f"Error: {response.status_code} - {response.text}")
else:
    print("PRIVACY_API_KEY environment variable not set.")
```
This Python example retrieves the API key from an environment variable, a recommended security practice, and then uses the requests library's built-in auth parameter to handle the Basic authentication encoding automatically. Basic encoding is base64, not encryption, so the key in the Authorization header is protected in transit only by the HTTPS connection.
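Because the Basic value is only base64, any copy of the header that lands in a log or a committed script exposes the key. The following is an added example, not code from Privacy.com: it finds decodable Basic tokens in text, flags the key-as-username form described above, and redacts them. The sample text is constructed, reusing the placeholder values shown on this page.

```python
import base64
import binascii
import re

# "Basic <token>" as it appears in headers, logs or committed scripts.
BASIC_RE = re.compile(r"\bBasic\s+([A-Za-z0-9+/]{8,}={0,2})")


def decode_basic(token):
    """Return (user, password) if token is base64 of "user:password", else None."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep and user else None


def find_basic_credentials(text):
    """List every recoverable Basic credential with its line number, masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in BASIC_RE.finditer(line):
            creds = decode_basic(match.group(1))
            if creds is None:
                continue
            user, password = creds
            findings.append({
                "line": lineno,
                # Empty password = the key-as-username form described above.
                "key_as_username": password == "",
                "masked": user[:4] + "*" * max(len(user) - 4, 0),
            })
    return findings


def redact_basic(text):
    """Replace decodable Basic tokens so logs can be stored or shared."""
    def repl(match):
        return "Basic [REDACTED]" if decode_basic(match.group(1)) else match.group(0)
    return BASIC_RE.sub(repl, text)


# Constructed sample: a committed script, a template, and a debug log line.
SAMPLE = """\
# deploy.sh (constructed)
curl -H 'Authorization: Basic c2tfbGl2ZV9ZT1VSX0tFWV9IRVJFOg==' https://api.privacy.com/v1/cards
curl -H 'Authorization: Basic YOUR_API_KEY_ENCODED_AS_BASE64' https://api.privacy.com/v1/cards
DEBUG request headers: {'Authorization': 'Basic dXNlcjpwYXNzd29yZA=='}
"""
```

Running `find_basic_credentials(SAMPLE)` reports lines 2 and 4; the unfilled template on line 3 is not valid base64 and is left alone.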
Security best practices
Implementing strong security practices for authentication with Privacy.com is essential to protect your financial data and prevent unauthorized access to your virtual cards. Both API keys and user accounts require careful management.
- API Key Management:
  - Secure Storage: Never embed API keys directly in your source code. Use environment variables, configuration files that are not committed to version control, or dedicated secret management services (e.g., AWS Secrets Manager, Google Secret Manager, Azure Key Vault, or HashiCorp Vault).
  - Access Control: Limit who has access to your API keys. Restrict file permissions for configuration files containing keys.
  - Rotation: Regularly rotate your API keys. If a key is compromised, revoking it and issuing a new one minimizes the window of exposure. Privacy.com's dashboard should provide functionality to revoke existing keys and generate new ones.
  - Principle of Least Privilege: If Privacy.com's API allows for scoped API keys (i.e., keys with limited permissions), generate keys with only the necessary permissions required for the specific task. This reduces the impact of a compromised key.
  - Monitor Usage: Keep an eye on API usage logs for any unusual activity that might indicate a compromised key.
- User Account Security:
  - Strong, Unique Passwords: Use complex passwords for your Privacy.com account that are unique and not reused on other services. Password managers can help generate and store these securely.
  - Enable Multi-Factor Authentication (MFA): Always enable MFA for your Privacy.com account. This adds a critical layer of security by requiring a second verification step, typically a code from an authenticator app or an SMS code, in addition to your password.
  - Regularly Review Activity: Periodically review your transaction history and account activity within Privacy.com to detect any unauthorized actions.
  - Phishing Awareness: Be wary of phishing attempts. Always verify the URL before entering your Privacy.com credentials and be suspicious of unsolicited emails or messages asking for account information.
  - Session Management: Log out of your Privacy.com account when not actively using it, especially on shared or public computers.
- Webhook Security:
  - If you are using Privacy.com webhooks (mentioned in developer experience notes), ensure your endpoint validates the signature of incoming webhooks to confirm they originate from Privacy.com and have not been tampered with. This is a standard security practice for webhooks across platforms, as detailed in Stripe's webhook security guide, which provides a general framework for understanding webhook signature validation.
  - Process webhooks over HTTPS to encrypt the communication between Privacy.com and your server.
Adhering to these security best practices helps maintain the integrity and confidentiality of your Privacy.com account and virtual card data, whether you are interacting through the API or the user interface.