Authentication

Store and send SignupScore API keys safely.

SignupScore uses API keys that start with ss_. You can create separate keys for production, staging, or different services, but they all use the same account balance.

Send a bearer token

Add the key to the Authorization header on every API request.

Authorization header
Authorization: Bearer ss_your_api_key

If the key is missing, invalid, or revoked, the request returns 401.

Keep keys on the server

Store the key in your server's secret manager or environment configuration. Do not include it in browser code, mobile app bundles, logs, screenshots, or support messages.

For local development, a normal server-side environment variable is enough:

.env.local
SIGNUPSCORE_API_KEY=ss_your_api_key

A typical signup request follows this path:

  1. Your signup form sends the email address to your server.
  2. Your server calls SignupScore and adds the API key.
  3. Your server uses the returned action to continue, review, or stop the signup.

The browser never needs to see the SignupScore key.

Rotate a key

  1. Create a new key in the dashboard.
  2. Update your secret in each environment.
  3. Confirm requests are using the new key.
  4. Revoke the old key.

This order avoids downtime. Do not revoke the old key until you have confirmed that the replacement is working.