> ## Documentation Index
> Fetch the complete documentation index at: https://docs.redfancy.org/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication and Signature

> All calls require the `x-signature` header

Authentication is based on verifying the request signature using the project's secret key. The secret key is issued when creating a project and **must be stored securely**. Sending the secret key in plain text is prohibited.

## `x-signature` Header

The signature must be included in every request to protected endpoints.

```
x-signature: <signature>
```

## Data for Signature

The signature is generated using the **raw HTTP request body**.

Requirements:

* the request body must be signed exactly as-is;
* the order of JSON fields must not change;
* re-serialization or formatting is not allowed.

> Even a minimal change to the request body will result in an `invalid_signature` error.

## Signature Verification Process

1. The client prepares the JSON request body.
2. The client calculates the signature using the secret key.
3. The client sends the signature in the `x-signature` header.
4. The server:

* extracts the raw body;
* identifies the project using `project_uid`;
* verifies the signature.

If verification fails, the server returns `403 invalid_signature`.

## Authentication Errors

| HTTP Code | Error               | Description                       |
| --------- | ------------------- | --------------------------------- |
| 403       | `invalid_signature` | Signature is missing or incorrect |
| 404       | `project_not_found` | Project not found                 |
| 400       | `invalid_request`   | Invalid request format            |
