Authentication
QSign uses two credentials, for two different purposes.
API keys — for the signing API
Every call to the signing API is authenticated with an opaque API key in the X-Api-Key header:
X-Api-Key: qsk_live_xxxxxxxxxxxxxxxxxxxx
- Live keys (qsk_live_…) run against production — they create real documents, send real emails, and consume your plan quota.
- Sandbox keys (qsk_test_…) run against a simulated environment — no real side effects, no quota use. Use these while developing. See Sandbox & testing.
Keys are shown once when generated and stored only as a SHA-256 hash, so a database compromise never yields a usable key. Generate, reveal-once, and rotate keys in the Developer portal.
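The reveal-once, hash-at-rest scheme described above can be sketched as follows. This is an added example, not QSign's own code: the key body format, the record layout and the function names `issue_key`, `authenticate` and `rotate` are assumptions; only the `qsk_live_`/`qsk_test_` prefixes and the use of SHA-256 come from this page.

```python
import hashlib
import secrets

# Assumed key layout: documented prefix + 32 random bytes, URL-safe base64.
PREFIXES = {"live": "qsk_live_", "test": "qsk_test_"}


def digest(key: str) -> str:
    # Unsalted SHA-256 is adequate only because the key carries 256 bits of
    # randomness; it would not be adequate for a human-chosen password.
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def issue_key(store: dict, env: str, owner: str) -> str:
    """Create a key, persist only its hash, and return the plaintext once."""
    key = PREFIXES[env] + secrets.token_urlsafe(32)
    store[digest(key)] = {"owner": owner, "env": env, "revoked": False}
    return key  # shown to the caller once; never written to the store


def authenticate(store: dict, presented: str):
    """Return the record for an X-Api-Key header value, or None."""
    if not any(presented.startswith(p) for p in PREFIXES.values()):
        return None  # cheap reject before hashing
    record = store.get(digest(presented))
    if record is None or record["revoked"]:
        return None
    return record


def rotate(store: dict, old_key: str) -> str:
    """Revoke old_key and issue a replacement in the same environment."""
    record = authenticate(store, old_key)
    if record is None:
        raise PermissionError("unknown or revoked key")
    record["revoked"] = True
    return issue_key(store, record["env"], record["owner"])


if __name__ == "__main__":
    db = {}  # constructed stand-in for the key table
    key = issue_key(db, "test", "acme")
    print("shown once:", key)
    print("stored row:", db)  # contains the digest, not the key
    print("auth ok:", authenticate(db, key) is not None)
    new_key = rotate(db, key)
    print("old key after rotation:", authenticate(db, key))
```
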
JWT — for account management
A few account-management actions (managing keys, reading your usage) are performed with the api_admin user’s JWT (bearer token) rather than the API key. The Developer portal uses this for you; you rarely need it directly.
Rate limits
The API is rate-limited per caller. Responses include X-RateLimit-* headers; honor Retry-After on a 429. Monthly quota is enforced per plan — check Usage in the Developer portal or your plan’s limits.