Authentication

To ensure the security and integrity of requests to your Signchain Vault, each API request must be authenticated. This is achieved using API keys, and for certain sensitive operations, additional cryptographic signatures are required. This page outlines the authentication methods used in Signchain, with details on configuration and best practices.

API Key Authentication

Each account in Signchain has a unique API key, which must be included in every request made to the API. This key can be obtained from your account’s Signchain Dashboard and should be kept secure, as it provides access to the vault.

To include your API key in a request, use the Authorization header. Here’s an example of adding the API key to a curl request:

curl -H "Authorization: Bearer <Your-API-Key>" https://signchain.net/api/v1/...

Replace <Your-API-Key> with the key from your dashboard.

Vault Communication Security: X-Vault-Signature

For communication between Signchain and your self-hosted vault, an additional layer of security is applied using the X-Vault-Signature header. This signature, generated using your vault’s configured VAULT_KEY, verifies the identity of requests and protects against tampering.

Your self-hosted vault will reject any requests lacking a valid X-Vault-Signature header, making it crucial for secure vault operation.

Transaction Protection: X-Vault-Auth-Signature

To secure transactions involving sensitive key data, such as signing or sending transactions, the X-Vault-Auth-Signature header is used. This signature is generated using a shared secret (VAULT_AUTH_SECRET_KEY), known only to your backend and the vault. It includes a nonce and expiration to prevent replay attacks.

For detailed implementation, please see our Security Best Practices section.

Sample Header Configuration

Each API request should include these headers, where applicable:

  • Authorization: Your API key for basic authentication.
  • X-Vault-Auth-Signature: Secures sensitive operations, such as transaction signing, against a self-hosted Vault. It is not required on every API request. The client libraries generate this signature for you from a configured shared secret, shared between your backend and your self-hosted Vault instance.

Following these authentication steps will help you maintain a secure and reliable connection with your Signchain Vault. For further details, visit API Key Authentication and Access Control.