Authentication
The inSigner API uses API keys with Bearer token authentication. Every request must include a valid API key in the Authorization header.
Creating an API key
- Go to Dashboard → Developers → API Keys in the inSigner web app.
- Click Create API Key.
- Give your key a name (e.g. “Production Backend”) and select the scopes you need.
- Click Create. Your key is displayed once — copy it immediately.
Making authenticated requests
Include your API key in the Authorization header as a Bearer token:

```bash
curl -X GET https://app.insigner.co/api/v1/documents \
  -H "Authorization: Bearer isk_YOUR_API_KEY"
```

```javascript
const res = await fetch('https://app.insigner.co/api/v1/documents', {
  headers: { 'Authorization': 'Bearer isk_YOUR_API_KEY' }
});
```

```python
import requests

res = requests.get(
    "https://app.insigner.co/api/v1/documents",
    headers={"Authorization": "Bearer isk_YOUR_API_KEY"}
)
```

Key format
All inSigner API keys start with the prefix isk_ followed by 44 characters of URL-safe random data:

```
isk_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8S9t0U1v2
```

Keys that don’t start with isk_ are rejected immediately.
Scopes
Scopes control what resources an API key can access. You can assign granular scopes or use the wildcard * for full access.

| Scope | Description |
|---|---|
| `*` | Full access to all resources |
| `documents.*` | Full access to documents |
| `documents.read` | List and retrieve documents |
| `documents.create` | Create new documents |
| `documents.write` | Update documents, add fields/signers, upload files |
| `documents.send` | Send documents and reminders |
| `documents.delete` | Delete documents |
| `templates.read` | List and retrieve templates |
| `campaigns.*` | Full access to campaigns |
| `campaigns.read` | List and retrieve campaigns |
| `campaigns.create` | Create campaigns |
| `campaigns.update` | Update campaigns |
| `campaigns.delete` | Delete campaigns |
| `bulk_sends.*` | Full access to bulk sends |
| `bulk_sends.read` | List and retrieve bulk sends |
| `bulk_sends.create` | Create bulk sends |
| `bulk_sends.delete` | Delete bulk sends |
| `webhooks.*` | Full access to webhooks |
| `webhooks.read` | List and retrieve webhooks |
| `webhooks.create` | Create webhooks |
| `webhooks.update` | Update webhooks |
| `webhooks.delete` | Delete webhooks |
| `org.read` | Read organization info and members |

Wildcard scopes like documents.* match all sub-scopes (e.g. documents.read, documents.create, etc.).
Key security best practices
- Never commit keys to version control. Use environment variables or a secrets manager.
- Use the minimum scopes needed. A key that only reads documents should not have documents.delete.
- Rotate keys regularly. Revoke old keys from the dashboard and create new ones.
- Use separate keys per environment. Don’t share keys between production and development.
- Monitor usage. Check the API Logs page in the dashboard for unusual activity.
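
The fixed key format described under "Key format" makes it practical to enforce the "never commit keys" rule mechanically. The following is an added example, not inSigner's own code: a scanner suitable for a pre-commit hook that flags key-shaped strings and reports them redacted. It assumes "URL-safe" means the base64url alphabet, and the function names are illustrative.

```python
import re
import sys
from pathlib import Path

# Assumption: "URL-safe random data" means the base64url alphabet (A-Z, a-z, 0-9, "-", "_").
# The lookahead rejects longer runs so a 50-character token is not reported as a key.
KEY_RE = re.compile(r"isk_[A-Za-z0-9_-]{44}(?![A-Za-z0-9_-])")


def redact(key: str) -> str:
    """Keep only a short prefix and suffix so the report does not itself leak the secret."""
    return f"{key[:8]}...{key[-4:]}"


def scan_text(text: str, source: str = "<text>") -> list[tuple[str, int, str]]:
    """Return (source, line number, redacted key) for every key-shaped string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((source, lineno, redact(match.group())))
    return findings


def scan_paths(paths: list[str]) -> list[tuple[str, int, str]]:
    """Scan files, e.g. the staged file names a pre-commit hook passes in."""
    findings = []
    for p in paths:
        try:
            text = Path(p).read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue  # unreadable, deleted, or a directory: nothing to scan
        findings.extend(scan_text(text, p))
    return findings


# Constructed sample input: the key is the documentation example from this page, not a live key.
SAMPLE = '''\
API_URL = "https://app.insigner.co/api/v1/documents"
headers = {"Authorization": "Bearer isk_YOUR_API_KEY"}   # placeholder, too short to match
INSIGNER_KEY = "isk_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8S9t0U1v2"
'''

if __name__ == "__main__":
    hits = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE, "sample.py")
    for source, lineno, key in hits:
        print(f"{source}:{lineno}: possible inSigner API key {key}")
    sys.exit(1 if hits else 0)
```

A non-zero exit status blocks the commit when the script is run as a hook. Any key it finds in history should be treated as exposed and revoked from the dashboard.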
Authentication errors
| Status | Error Code | Description |
|---|---|---|
| 401 | MISSING_KEY | No Authorization header or not using Bearer scheme |
| 401 | INVALID_FORMAT | Key doesn’t start with isk_ |
| 401 | INVALID_KEY | Key not found or doesn’t match |
| 401 | KEY_REVOKED | Key has been revoked from the dashboard |
| 401 | KEY_EXPIRED | Key has passed its expiration date |
| 403 | INSUFFICIENT_SCOPE | Key lacks the required scope for this endpoint |

Example error response:
```json
{
  "type": "https://docs.insigner.com/errors/unauthorized",
  "title": "Unauthorized",
  "status": 401,
  "detail": "Invalid or missing API key"
}
```