Authentication
Store and send SignupScore API keys safely.
SignupScore uses API keys that start with ss_. You can create separate keys for production, staging, or different services, but they all use the same account balance.
Send a bearer token
Add the key to the Authorization header on every API request.
Authorization: Bearer ss_your_api_keyIf the key is missing, invalid, or revoked, the request returns 401.
Keep keys on the server
Store the key in your server's secret manager or environment configuration. Do not include it in browser code, mobile app bundles, logs, screenshots, or support messages.
For local development, a normal server-side environment variable is enough:
SIGNUPSCORE_API_KEY=ss_your_api_keyA typical signup request follows this path:
- Your signup form sends the email address to your server.
- Your server calls SignupScore and adds the API key.
- Your server uses the returned action to continue, review, or stop the signup.
The browser never needs to see the SignupScore key.
Rotate a key
- Create a new key in the dashboard.
- Update your secret in each environment.
- Confirm requests are using the new key.
- Revoke the old key.
This order avoids downtime. Do not revoke the old key until you have confirmed that the replacement is working.