Authentication
Learn how to authenticate with the SignEngine API using API keys.
API Keys
SignEngine uses API keys to authenticate requests. You can create and manage API keys in your dashboard.
Creating an API Key
- Log in to your SignEngine dashboard
- Navigate to Settings → API Keys
- Click Create API Key
- Give your key a descriptive name (e.g., "Production Server", "Development")
- Copy the key immediately - it won't be shown again!
Never commit API keys to version control. Always use environment variables or secure secret management systems.
Using API Keys
Include your API key in the Authorization header of every request:
```http
GET /api/v1/envelopes HTTP/1.1
Host: api.signengine.dev
Authorization: Bearer YOUR_API_KEY
Content-Type: application/json
```
SDK Authentication
All SDKs handle authentication automatically when you provide your API key:
TypeScript/JavaScript:

```typescript
import { SignEngineClient } from '@signengine/api-client';

const client = new SignEngineClient({
  apiKey: process.env.SIGNENGINE_API_KEY,
});

// All requests are automatically authenticated
const envelopes = await client.envelopes.list();
```

Python:

```python
from signengine import SignEngineClient
import os

client = SignEngineClient(api_key=os.getenv('SIGNENGINE_API_KEY'))

# All requests are automatically authenticated
envelopes = client.envelopes.list()
```
API Key Scopes
API keys can have different permission scopes:
| Scope | Description |
|---|---|
| envelopes:read | Read envelope data |
| envelopes:write | Create and update envelopes |
| templates:read | Read template data |
| templates:write | Create and update templates |
| webhooks:read | Read webhook configurations |
| webhooks:write | Create and update webhooks |
| account:read | Read account information |
Create separate API keys for different environments (development, staging, production) and use the minimum required scopes.
Security Best Practices
1. Store Keys Securely
❌ Don't do this:
```typescript
const client = new SignEngineClient({
  apiKey: 'sk_live_1234567890abcdef', // Hardcoded!
});
```
✅ Do this:
```typescript
const client = new SignEngineClient({
  apiKey: process.env.SIGNENGINE_API_KEY, // From environment
});
```
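A pre-commit style check for the hardcoded-key mistake shown above, added here as an example and not part of the SignEngine SDK or documentation. It assumes keys follow the `sk_live_`/`sk_test_` prefixes seen in this page's samples; the character set and minimum length in the pattern, and all function names, are assumptions.

```python
import re

# Assumption: keys look like this page's samples, "sk_live_" or "sk_test_"
# followed by letters, digits or underscores. Adjust to the real key format.
KEY_PATTERN = re.compile(r"\bsk_(live|test)_[A-Za-z0-9_]{8,}")


def redact(key: str) -> str:
    """Keep the prefix and last 4 characters; mask the rest."""
    prefix, body = key[:8], key[8:]
    return f"{prefix}{'*' * (len(body) - 4)}{body[-4:]}"


def scan_text(text: str, path: str = "<staged>") -> list[dict]:
    """Return one finding per hardcoded key found in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_PATTERN.finditer(line):
            findings.append({
                "path": path,
                "line": lineno,
                "kind": match.group(1),  # "live" or "test"
                "key": redact(match.group(0)),  # never log the raw key
            })
    return findings


def should_block_commit(findings: list[dict]) -> bool:
    """Fail closed: any key, test or live, blocks the commit."""
    return bool(findings)


# Constructed sample input, modelled on this page's two snippets.
SAMPLE = """\
const bad = new SignEngineClient({
  apiKey: 'sk_live_1234567890abcdef', // Hardcoded!
});
const good = new SignEngineClient({
  apiKey: process.env.SIGNENGINE_API_KEY, // From environment
});
"""

if __name__ == "__main__":
    results = scan_text(SAMPLE, "client.ts")
    for f in results:
        print(f"{f['path']}:{f['line']}: {f['kind']} key {f['key']}")
    raise SystemExit(1 if should_block_commit(results) else 0)
```

Test keys block the commit too, since a key that reaches version control should be rotated regardless of environment.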
2. Rotate Keys Regularly
- Rotate API keys every 90 days
- Immediately rotate if a key is compromised
- Use multiple keys and rotate them one at a time
3. Use Different Keys Per Environment
```bash
# Development
SIGNENGINE_API_KEY=sk_test_dev123...

# Staging
SIGNENGINE_API_KEY=sk_test_staging456...

# Production
SIGNENGINE_API_KEY=sk_live_prod789...
```
4. Monitor API Key Usage
Check your dashboard regularly for:
- Unexpected API calls
- Failed authentication attempts
- Unusual usage patterns
Rate Limiting
API keys are subject to rate limits:
- Free tier: 100 requests/minute
- Pro tier: 1,000 requests/minute
- Enterprise: Custom limits
See Rate Limiting for more details.
Troubleshooting
Invalid API Key
```json
{
  "error": {
    "code": "invalid_api_key",
    "message": "The API key provided is invalid"
  }
}
```
Solution: Verify your API key is correct and hasn't been deleted.
Insufficient Permissions
```json
{
  "error": {
    "code": "insufficient_permissions",
    "message": "This API key does not have permission to perform this action"
  }
}
```
Solution: Check your API key scopes and create a new key with the required permissions.
Next Steps
- Quick Start - Send your first document
- API Reference - Explore all endpoints
- Rate Limiting - Understand rate limits