Add Persona (withpersona.com) API Key Detector #4850

@segiddins

Description

Persona is an identity verification platform used by companies to verify user identities, run background checks, and manage compliance workflows. Persona API keys grant access to sensitive identity verification data including PII, government IDs, and verification results.

Persona API keys use a self-identifying format with a persona_ prefix followed by the environment (sandbox or production) and a UUID:

persona_sandbox_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
persona_production_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Key Details

  • Regex: persona_(?:sandbox|production)_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}
  • Keywords: persona_sandbox_, persona_production_
  • Verification endpoint: GET https://withpersona.com/api/v1/api-keys/permissions with Authorization: Bearer <key>
    • 200 → verified
    • 401/403 → unverified
    • Other → indeterminate

Extra Data

On successful verification, the detector extracts:

  • Organization ID and Environment ID (from response headers)
  • API key name, permissions, and expiration (from response body)
  • Whether the key is sandbox or production (from the key prefix)

Context

I work at Persona and will be opening a PR with the implementation shortly.
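The matching and verification rules listed under Key Details, as an added Go sketch. It is not the implementation the author refers to and not TruffleHog's own code: `FindKeys`, `Verify` and `stub` are hypothetical names, and the sample key is constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
)

// Regex and endpoint as given in the issue; the environment is a capture group here.
var keyPat = regexp.MustCompile(`persona_(sandbox|production)_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}`)
const permissionsURL = "https://withpersona.com/api/v1/api-keys/permissions"

// FindKeys returns the distinct candidate keys in text, mapped to their environment.
func FindKeys(text string) map[string]string {
	out := map[string]string{}
	for _, m := range keyPat.FindAllStringSubmatch(text, -1) {
		out[m[0]] = m[1]
	}
	return out
}

// Verify sends key as a bearer token via do and maps the status as the issue lists it.
func Verify(do func(*http.Request) (*http.Response, error), key string) string {
	req, _ := http.NewRequest(http.MethodGet, permissionsURL, nil) // constant inputs cannot fail
	req.Header.Set("Authorization", "Bearer "+key)
	if resp, err := do(req); err == nil {
		defer resp.Body.Close()
		switch resp.StatusCode {
		case http.StatusOK:
			return "verified"
		case http.StatusUnauthorized, http.StatusForbidden:
			return "unverified"
		}
	}
	return "indeterminate" // other status, or a transport error that proves nothing
}

// stub (hypothetical helper) answers with a fixed status so the demo stays offline.
func stub(status int) func(*http.Request) (*http.Response, error) {
	return func(*http.Request) (*http.Response, error) {
		return &http.Response{StatusCode: status, Body: http.NoBody}, nil
	}
}

func main() {
	// Constructed input with a made-up UUID.
	for k, env := range FindKeys("KEY=persona_sandbox_00000000-1111-2222-3333-444444444444") {
		fmt.Println(env, k[:16]+"...", Verify(stub(401), k))
	}
}
```

Against the live endpoint the first argument would be `http.DefaultClient.Do`; treating rate limits, server errors and network failures as indeterminate keeps a scanner from reporting a live key as dead.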

Labels

pkg/detectors: PRs and Issues related to the `detectors` package
