Authentication

The Signet API uses API keys to authenticate requests. Every authenticated endpoint requires a valid key sent as a Bearer token in the Authorization header.

How API keys work

What is a Signet API key? A Signet API key is a secret credential that identifies your account and grants access to protected endpoints. Each key is tied to a single operator account and can be used across all agents registered under that account.

Include your key in every request:

curl https://api.agentsignet.com/score/SID-0x7a3f...e91d \
  -H "Authorization: Bearer sk_signet_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4"

Key format

Signet API keys follow a predictable format for easy identification:

sk_signet_ + 32 hexadecimal characters

Example:

sk_signet_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4

The sk_signet_ prefix makes it easy to identify Signet keys in your codebase and secrets management tools. If you see a key with this prefix in a public repository, rotate it immediately.

Security best practices

How should I store my API key? Follow these practices to keep your key secure:

  • Never commit keys to version control. Use environment variables or a secrets manager.
  • Never expose keys in client-side code. All Signet API calls should originate from your server.
  • Use separate keys for development and production. This limits blast radius if a key is compromised.
  • Monitor usage. Unusual spikes in API calls may indicate a leaked key.

Key rotation

How do I rotate my API key? Key rotation lets you replace an active key with a new one without downtime.

  1. Request a new key from the Signet dashboard (or via the management API when available).
  2. The old key remains valid for a 24-hour grace period after the new key is issued.
  3. Update your application to use the new key.
  4. After the grace period, the old key is automatically revoked.

During the grace period, both the old and new keys are valid. This gives you time to deploy the new key across all services without interrupting traffic.

Rate limits

What are the Signet API rate limits? Rate limits protect the API from abuse and ensure consistent performance for all users.

| Tier | Requests per minute | Requests per day |
|------------|--------------------:|-----------------:|
| Free | 60 | 5,000 |
| Growth | 300 | 50,000 |
| Enterprise | 1,000 | 500,000 |

When you exceed a rate limit, the API returns a 429 Too Many Requests response with the following headers:

X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1718450400

  • X-RateLimit-Limit: Your plan's per-minute limit.
  • X-RateLimit-Remaining: Requests remaining in the current window.
  • X-RateLimit-Reset: Unix timestamp when the window resets.
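As an added example (constructed for this page, not Signet's SDK or any code the docs ship), the helper below applies the key-format rule and the storage practices above, scans text such as a diff for keys that should never have been committed, and turns a 429 response's X-RateLimit-Reset header into a wait time. The SIGNET_API_KEY environment variable name is an assumption.

```python
import os
import re
import time
from typing import Optional

# Key format from the docs: the literal prefix "sk_signet_" followed by 32 hex characters.
KEY_RE = re.compile(r"\bsk_signet_[0-9a-fA-F]{32}\b")


def is_valid_key_format(key: str) -> bool:
    """True only if the whole string is a well-formed Signet key (prefix + 32 hex chars)."""
    return KEY_RE.fullmatch(key) is not None


def load_api_key(env_var: str = "SIGNET_API_KEY") -> str:
    """Read the key from the environment, never from source, and reject malformed values early.
    SIGNET_API_KEY is an assumed variable name; the docs do not prescribe one."""
    key = os.environ.get(env_var, "")
    if not is_valid_key_format(key):
        raise RuntimeError(f"{env_var} is unset or is not a well-formed Signet key")
    return key


def find_leaked_keys(text: str) -> list:
    """Scan text (a diff, a log file, a config) for Signet keys.
    Returns (line number, redacted key); only the prefix and last 4 chars are kept
    so the scanner's own output is safe to print in CI logs."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            key = match.group(0)
            hits.append((lineno, key[:10] + "..." + key[-4:]))
    return hits


def retry_after_seconds(status: int, headers: dict, now: Optional[float] = None) -> Optional[float]:
    """For a 429 response, seconds to wait until X-RateLimit-Reset (a Unix timestamp).
    Returns None for any other status. If the header is absent, wait one full
    per-minute window rather than retrying immediately."""
    if status != 429:
        return None
    now = time.time() if now is None else now
    reset = headers.get("X-RateLimit-Reset")
    if reset is None:
        return 60.0
    return max(0.0, int(reset) - now)
```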

Unauthenticated endpoints

Not all endpoints require authentication. The following are publicly accessible:

| Endpoint | Auth required | Notes |
|------------------------|---------------|------------------------------------|
| GET /score/:sid/public | No | Returns limited score data only |
| POST /waitlist | No | Rate limited to 5 requests/minute |

Public endpoints return a subset of data and are intended for display contexts where full trust reports are not needed.

Error responses

When authentication fails, the API returns one of these errors:

| Status | Error code | Description |
|--------|---------------------|----------------------------------------|
| 401 | missing_api_key | No Authorization header provided |
| 401 | invalid_api_key | Key format is invalid or not found |
| 401 | revoked_api_key | Key has been rotated and expired |
| 403 | insufficient_scope | Key does not have required permissions |
