Skip to main content
Authentication is based on verifying the request signature using the project’s secret key. The secret key is issued when creating a project and must be stored securely. Sending the secret key in plain text is prohibited.

x-signature Header

The signature must be included in every request to protected endpoints.
x-signature: <signature>

Data for Signature

The signature is generated using the raw HTTP request body. Requirements:
  • the request body must be signed exactly as-is;
  • the order of JSON fields must not change;
  • re-serialization or formatting is not allowed.
Even a minimal change to the request body will result in an invalid_signature error.

Signature Verification Process

  1. The client prepares the JSON request body.
  2. The client calculates the signature using the secret key.
  3. The client sends the signature in the x-signature header.
  4. The server:
  • extracts the raw body;
  • identifies the project using project_uid;
  • verifies the signature.
If verification fails, the server returns 403 invalid_signature.

Authentication Errors

HTTP CodeErrorDescription
403invalid_signatureSignature is missing or incorrect
404project_not_foundProject not found
400invalid_requestInvalid request format