Authentication & request signing

Every request needs an x-api-key and an HMAC-SHA256 x-signature.

Every API request must include two headers:

  • x-api-key: <prefix>.<secret> — the key minted for your partner. The prefix is shown in the API Keys tab; the secret is only shown once, on creation.
  • x-signature: sha256=<hex> — an HMAC-SHA256 of the raw request body, using your key's secret as the HMAC key.

Computing the signature

# bash: sign the raw JSON body
SECRET="your_key_secret"
# The body must be the exact bytes that go on the wire; re-serializing or
# pretty-printing the JSON changes the bytes and therefore the signature.
BODY='{"did":"did:fullness:abcd1234","consent_token":"ct_opaque"}'
# printf '%s' avoids the trailing newline that echo would add to the signed data.
# openssl emits the raw digest; xxd renders it as one lowercase hex line.
SIG=$(printf '%s' "$BODY" | openssl dgst -sha256 -hmac "$SECRET" -binary | xxd -p -c 256)
echo "x-signature: sha256=$SIG"

The same signature scheme is used across all Tier-0 endpoints. Keep your secret server-side — never embed it in a browser or mobile client.
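The same scheme on the signing and the verifying side, as an added example that is not the API's own SDK: it signs the raw body, verifies an incoming x-signature with a constant-time comparison, and shows why the body must be the exact bytes sent (a re-serialized copy of the same JSON does not verify). The key, secret and body values are constructed for the example.

```python
import hashlib
import hmac
import json

def split_api_key(api_key: str) -> tuple[str, str]:
    """Split an x-api-key of the form <prefix>.<secret>, failing closed if malformed."""
    prefix, sep, secret = api_key.partition(".")
    if not sep or not prefix or not secret:
        raise ValueError("x-api-key must look like <prefix>.<secret>")
    return prefix, secret

def sign_body(secret: str, raw_body: bytes) -> str:
    """Return the x-signature header value: 'sha256=' + HMAC-SHA256(secret, raw body) as hex."""
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"

def build_headers(api_key: str, raw_body: bytes) -> dict[str, str]:
    """Both required headers for one request; the secret never leaves the server."""
    _prefix, secret = split_api_key(api_key)
    return {"x-api-key": api_key, "x-signature": sign_body(secret, raw_body)}

def verify_signature(secret: str, raw_body: bytes, header_value: str) -> bool:
    """Receiver-side check. Recomputes the HMAC over the raw bytes and compares in
    constant time so a mismatch leaks no timing information about the expected value."""
    scheme, _, presented = header_value.partition("=")
    if scheme != "sha256" or len(presented) != 64:
        return False
    expected = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, presented.lower())

# Constructed sample values (not real credentials).
API_KEY = "pk_example.your_key_secret"
RAW_BODY = b'{"did":"did:fullness:abcd1234","consent_token":"ct_opaque"}'

def demo() -> dict[str, bool]:
    """Sign, then verify: the original bytes pass, tampered or re-serialized bytes fail."""
    _prefix, secret = split_api_key(API_KEY)
    headers = build_headers(API_KEY, RAW_BODY)
    sig = headers["x-signature"]
    # Same JSON value, different bytes (json.dumps inserts spaces after ':' and ',').
    reserialized = json.dumps(json.loads(RAW_BODY)).encode("utf-8")
    return {
        "original_verifies": verify_signature(secret, RAW_BODY, sig),
        "tampered_fails": not verify_signature(secret, RAW_BODY + b" ", sig),
        "reserialized_fails": not verify_signature(secret, reserialized, sig),
        "wrong_secret_fails": not verify_signature("other_secret", RAW_BODY, sig),
    }

if __name__ == "__main__":
    print(build_headers(API_KEY, RAW_BODY))
    print(demo())
```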