Authentication
The VisiSign API uses API keys for authentication. Every request must include a valid key in the Authorization header.
API key format
Section titled “API key format”Keys are prefixed with vsk_ followed by a 48-character hex string:
vsk_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6The full key is only shown once at creation. VisiSign stores a SHA-256 hash of the key — we can never retrieve the original.
Using your key
Section titled “Using your key”Pass the key as a Bearer token:
curl https://api.visisign.app/v1/signature_requests \ -H "Authorization: Bearer vsk_your_key_here"Key management
Section titled “Key management”Create a key
Section titled “Create a key”Go to Settings > API Keys in the VisiSign dashboard, or use the dashboard UI to generate a key. Keys are scoped to your organization.
Revoke a key
Section titled “Revoke a key”Click Revoke next to any key in Settings. Revoked keys immediately stop working and cannot be restored.
Key metadata
Section titled “Key metadata”Each key tracks:
| Field | Description |
|---|---|
name | Display name you chose at creation |
prefix | First 12 characters (e.g. vsk_a1b2c3d4) for identification |
last_used_at | Timestamp of the most recent API request |
created_at | When the key was generated |
Security best practices
Section titled “Security best practices”- Never commit keys to source control. Use environment variables or a secrets manager.
- Use separate keys for production and development.
- Rotate keys periodically. Create a new key, update your integration, then revoke the old one.
- Revoke compromised keys immediately. There is no way to “pause” a key — revoke it and create a new one.
Error responses
Section titled “Error responses”Requests with missing or invalid keys return 401 Unauthorized:
{ "error": { "type": "unauthorized", "message": "Invalid or missing API key." }}Requests with a revoked or expired key also return 401.