Authentication
Everything you need to authenticate against the Signstack API.
Three credential types are involved:
- API key — a long-lived secret minted in Studio (or via `POST .../api-keys`). Format: `sk_ns_<mode>_<keyId>_<secret>`. Scoped to a single namespace; inherits the namespace's mode (`live` or `test`). Carries a fixed set of scopes chosen at creation time. The full secret is shown only once — store it immediately. Never expose it in client-side code.
- Access token — a short-lived JWT (1 hour) you obtain by exchanging the API key at `POST /v1/auth/token`. Send it as `Authorization: Bearer <token>` on every other request. Refresh proactively before expiry rather than reactively on 401.
- Embed token — a short-lived, intent-scoped JWT minted at `POST .../auth/embed`. Pass to a SignStack web component (`<ss-signing-embed>`, `<ss-workflow-editor>`, `<ss-workflow-monitor>`, `<ss-resource-editor>`). Safe to send to the browser; the long-lived API key and access token must never leave your backend.
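One way to follow the "refresh proactively" advice on a backend, as an added example that is not SignStack's own code. The `exchange` callable is hypothetical and stands in for your call to `POST /v1/auth/token` (its request and response shape is not shown here); the token is assumed to carry the standard JWT `exp` claim.

```python
import base64
import json
import threading
import time


def jwt_expiry(token):
    """Read the `exp` claim (Unix seconds) without verifying the signature.

    Used only to schedule the refresh; the API stays the authority on validity.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return float(json.loads(base64.urlsafe_b64decode(payload))["exp"])


class AccessTokenCache:
    """Holds one access token in backend memory and renews it before expiry."""

    def __init__(self, exchange, margin=300, clock=time.time):
        self._exchange = exchange  # hypothetical: exchanges the API key, returns the JWT string
        self._margin = margin      # refresh this many seconds before `exp`
        self._clock = clock
        self._lock = threading.Lock()  # one refresh at a time across threads
        self._token = None
        self._expires_at = 0.0

    def get(self):
        with self._lock:
            if self._token is None or self._clock() >= self._expires_at - self._margin:
                token = self._exchange()
                self._expires_at = jwt_expiry(token)
                self._token = token
            return self._token

    def auth_header(self):
        return {"Authorization": "Bearer " + self.get()}


def make_constructed_jwt(exp):
    """Build an unsigned sample token (constructed input for this example)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none"}), b64({"exp": exp}), "sig"])
```

With a 1-hour token and the default 300-second margin, the exchange runs again at the 55-minute mark, so requests do not reach the API with a token about to lapse.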
The operations below cover all three: minting and managing API keys, exchanging keys for access tokens, and minting embed tokens for the browser. The full scope catalog lists every available scope with recipes for common integration patterns.
