letssign.now docs

Authentication

Bearer API keys — minting, rotating, revoking. The keys are workspace-scoped — no tenant header needed.

Every request to https://api.letssign.now/v1/* carries a Bearer token in the Authorization header.

Authorization: Bearer lsk_live_a1b2c3d4e5f6...

Keys are workspace-scoped — the bearer token alone tells the API which workspace, brand, hosting region, and reply-to address to use. There's no tenant header, no slug param, no signature on the request. Anything that has the key can act as the workspace.

Minting a key

In your workspace dashboard, open Developers → API keys and click Create API key.

  • We show the lsk_live_… plaintext once, in a copy-and-confirm modal. Store it in your secret manager (1Password, Doppler, AWS Secrets Manager, GitHub Actions secrets) immediately — there's no recovery if you lose it.
  • The dashboard keeps the first 12 characters as a non-secret identifier (lsk_live_a1b2…) so you can label rows in the audit log later.

Rotating a key

Rotation is "two keys live for a moment" rather than "regenerate":

  1. Create a new key. Both old and new are now active. Update one deployment to use the new key.
  2. Revoke the old key. From Developers → API keys, hit the Revoke button. Revocation is immediate — the next request with the old key returns 401 invalid_key.

This pattern means you can roll a key with no outage window at all, not even a sub-second one. We don't support "scheduled rotation" or auto-expiry yet — ask if you need it.

Revoking

Same place: hit Revoke on a row. Effective immediately. The audit trail records who revoked it and when.

Error shape

Bad, missing, or revoked keys all return:

HTTP/1.1 401 Unauthorized
Content-Type: application/json

{
  "error": "Unauthorized",
  "code":  "invalid_key"
}

The code field is stable — pin your error handling to it, not to the human-readable error message, which we may reword over time.
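A small client-side helper, added here as an example (not letssign.now's own SDK), that ties the pieces above together: it reads the key from the environment rather than source, derives the 12-character non-secret label the dashboard uses for audit rows, scrubs any full key out of your own log lines, builds the Bearer header, and pins 401 handling to the stable code field instead of the message. The environment variable name LETSSIGN_API_KEY and the key alphabet in the redaction regex are assumptions; the sample key is constructed.

```python
import json
import os
import re

KEY_PREFIX = "lsk_live_"
LABEL_LEN = 12  # the dashboard keeps the first 12 characters as a non-secret identifier
# Assumed key alphabet for redaction; the docs only show the lsk_live_ prefix.
KEY_RE = re.compile(r"lsk_live_[A-Za-z0-9]+")


class InvalidKey(Exception):
    """401 with code "invalid_key": the key is bad, missing, or has been revoked."""


def load_api_key(env=None, var="LETSSIGN_API_KEY"):
    """Read the key from the environment (your secrets manager injects it there), never from source."""
    env = os.environ if env is None else env
    key = env.get(var, "").strip()
    if not key.startswith(KEY_PREFIX):
        raise ValueError(f"{var} is unset or does not look like a {KEY_PREFIX}... key")
    return key


def key_label(key):
    """The non-secret identifier the audit log shows; safe to put in your own logs."""
    return key[:LABEL_LEN] + "..."


def redact(text):
    """Replace any full key that slipped into a log line with its non-secret label."""
    return KEY_RE.sub(lambda m: key_label(m.group(0)), text)


def auth_headers(key):
    """Bearer auth is the whole story: no tenant header, no slug param, no request signature."""
    return {"Authorization": f"Bearer {key}"}


def check_response(status, body):
    """Pin error handling to the stable `code` field, not the human-readable `error` message."""
    if status != 401:
        return status
    try:
        code = json.loads(body).get("code")
    except (ValueError, TypeError, AttributeError):
        code = None
    if code == "invalid_key":
        raise InvalidKey("key rejected: rotate it from Developers -> API keys and re-provision")
    raise PermissionError(f"401 with unexpected code {code!r}")
```

On InvalidKey, treat the event like a leaked password as the checklist below says: revoke, re-issue, and review the key's audit trail.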

Security checklist

Never commit keys. Ship them via your secrets manager, environment variable, or platform vault. Treat a leaked key the same as a leaked password — revoke immediately and audit recent activity.

  • All API calls go over TLS 1.2+. Pin certs if you're extra-paranoid; we use Let's Encrypt with normal renewal.
  • Keys are bearer tokens — there's no extra signing scheme on the request body. If you want HMAC-signed requests, register a webhook instead — those are HMAC-SHA256 signed both directions.
  • Audit logs surface in the dashboard for every key, with last-used timestamps and per-request IPs (masked).