Authentication

The Signet API uses API keys to authenticate requests. Every authenticated endpoint requires a valid key sent as a Bearer token in the Authorization header.

Getting an API key

To get an API key, submit an application at agentsignet.com/apply or via the API:

curl -X POST https://api.agentsignet.com/apply \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Your Name",
    "email": "you@example.com",
    "company": "Your Company",
    "reason": "What you plan to build"
  }'

Once your application is approved, you will receive an email containing your API key. The key is shown once in the approval email. Store it securely.

How API keys work

A Signet API key is a secret credential that identifies your operator account and grants access to protected endpoints. Each key is tied to a single operator and can be used across all agents registered under that account, so a leaked key exposes every agent on the account, not just one.

Include your key in every authenticated request:

curl https://api.agentsignet.com/score/SID-0x7a3f8b2c1d4e5f6a \
  -H "Authorization: Bearer sk_signet_a1b2c3d4e5f6..."

Key format

Signet API keys follow a fixed format:

sk_signet_ + 64 hexadecimal characters

Example:

sk_signet_034e3a635343835fdbe51726c600e3f7602b453e4538e01cd22f172f6b1af962

The sk_signet_ prefix makes it easy to identify Signet keys in your codebase and secrets management tools. If you see a key with this prefix in a public repository or anywhere else it should not be, treat it as compromised and contact us immediately.

Security best practices

Follow these practices to keep your key secure:

  • Never commit keys to version control. Use environment variables or a secrets manager.
  • Never expose keys in client-side code. All Signet API calls should originate from your server.
  • Send the key only in the Authorization header, never in a query string, where it would end up in proxy and server logs.
  • Monitor usage. Unusual spikes in API calls may indicate a leaked key.
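Because the prefix and length are fixed, a key can be checked before it is used and found if it lands somewhere it should not. The following is an added example written for this page, not Signet's own code: a format validator, an environment-variable loader, and a small scanner that reports any string matching the key format, usable as a pre-commit hook over staged files. The SIGNET_API_KEY variable name and the sample config contents are this example's own choices; the key inside the sample is the page's example key.

```python
import os
import re
import sys

KEY_PREFIX = "sk_signet_"
# Documented shape: prefix + 64 hex characters. The page shows lowercase hex;
# the pattern accepts either case so a re-cased copy is not missed when scanning.
KEY_RE = re.compile(r"sk_signet_[0-9a-fA-F]{64}")


def is_valid_key_format(key: str) -> bool:
    """Exact match of the documented format; check this before sending a key anywhere."""
    return KEY_RE.fullmatch(key) is not None


def load_key_from_env(var: str = "SIGNET_API_KEY") -> str:
    """Read the key from the environment (never from source) and refuse malformed values.
    The variable name is this example's choice, not something the API defines."""
    key = os.environ.get(var, "").strip()
    if not is_valid_key_format(key):
        raise RuntimeError(f"{var} is unset or does not hold a Signet API key")
    return key


def redact(key: str) -> str:
    """Prefix plus the last four characters: enough to identify a finding, useless to replay."""
    return key[: len(KEY_PREFIX)] + "..." + key[-4:]


def scan_text(text: str, source: str = "<input>") -> list:
    """Report every Signet key in `text` as (source, line number, redacted key)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((source, lineno, redact(match.group(0))))
    return findings


def scan_files(paths) -> list:
    """Scan files (for example the staged set from a pre-commit hook); unreadable or binary files are skipped."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8") as fh:
                findings.extend(scan_text(fh.read(), source=path))
        except (UnicodeDecodeError, OSError):
            continue
    return findings


# Constructed sample file content. The key is the page's own example key;
# the placeholder has the prefix but not the 64 hex characters, so it is not reported.
SAMPLE_CONFIG = """\
API_BASE = "https://api.agentsignet.com"
SIGNET_API_KEY = "sk_signet_034e3a635343835fdbe51726c600e3f7602b453e4538e01cd22f172f6b1af962"
PLACEHOLDER = "sk_signet_REPLACE_ME"
"""

if __name__ == "__main__":
    # With file arguments, behave as a hook: exit 1 if any key is found.
    # Without arguments, scan the constructed sample above.
    if len(sys.argv) > 1:
        findings = scan_files(sys.argv[1:])
    else:
        findings = scan_text(SAMPLE_CONFIG, source="config.py")
    for source, lineno, key in findings:
        print(f"{source}:{lineno}: Signet API key found ({key})")
    sys.exit(1 if findings else 0)
```

The scanner prints a redacted form only, so a hook's own output cannot become a second copy of the secret in CI logs.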

Rate limits

Public endpoints (POST /apply, GET /score/:sid/public) are rate limited to 5 requests per hour per IP address. When you exceed the limit, the API returns a 429 Too Many Requests response; back off and retry later rather than retrying immediately.

Authenticated endpoints do not currently have per-key rate limits, but a global rate limiter protects the API from abuse. Because there is no per-key limit, a leaked key is not throttled on your behalf, which is why monitoring your own usage matters. If you anticipate very high volume, contact us to discuss your usage patterns.

Public endpoints

Not all endpoints require authentication. The following are publicly accessible:

| Endpoint               | Description                         |
|------------------------|-------------------------------------|
| GET /score/:sid/public | Returns limited score data only     |
| POST /apply            | Submit an operator application      |
| POST /register/self    | Self-register an agent (no auth)    |

Public endpoints return a subset of data and are intended for display contexts where full trust reports are not needed.

Authenticated endpoints

All other endpoints require a valid API key:

| Endpoint                         | Description                              |
|----------------------------------|------------------------------------------|
| POST /register                   | Register a new agent                     |
| GET /score/:sid                  | Full trust score with all dimensions     |
| GET /report/:sid                 | Comprehensive trust report               |
| POST /transactions               | Report a transaction outcome             |
| POST /agents/:sid/config         | Update agent configuration               |
| POST /agents/:sid/verify         | Initiate identity verification           |
| POST /agents/:sid/verify/confirm | Confirm verification challenge           |
| GET /me                          | View your operator profile and agents    |

Error responses

When authentication fails, the API returns one of these errors:

| Status | Response                                                                          | Cause                              |
|--------|-----------------------------------------------------------------------------------|------------------------------------|
| 401    | {"error": "Missing or invalid Authorization header. Use: Bearer sk_signet_..."}   | No header or wrong format          |
| 401    | {"error": "Invalid API key format"}                                               | Key does not start with sk_signet_ |
| 401    | {"error": "Invalid API key"}                                                      | Key not found in the database      |
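To make the public/authenticated split, the per-IP limit and the three 401 responses concrete, here is an added example of a server-side dispatcher written for this page; it is not Signet's implementation. It assumes keys are stored only as SHA-256 digests (the page does not say how Signet stores them), a sliding one-hour window for the 5-per-hour limit, and a 429 body of {"error": "Too Many Requests"}, none of which the page specifies. The route tables and the 401 error strings are copied from the tables above, and the demo credential is the page's example key.

```python
import hashlib
import re
import time
from collections import defaultdict, deque

# Route tables copied from this page. ":sid" stands for one path segment.
PUBLIC_ROUTES = [("GET", "/score/:sid/public"), ("POST", "/apply"), ("POST", "/register/self")]
AUTH_ROUTES = [
    ("POST", "/register"), ("GET", "/score/:sid"), ("GET", "/report/:sid"),
    ("POST", "/transactions"), ("POST", "/agents/:sid/config"),
    ("POST", "/agents/:sid/verify"), ("POST", "/agents/:sid/verify/confirm"),
    ("GET", "/me"),
]
KEY_PREFIX = "sk_signet_"
PUBLIC_LIMIT, PUBLIC_WINDOW = 5, 3600  # public endpoints: 5 requests per hour per IP
EXAMPLE_KEY = "sk_signet_034e3a635343835fdbe51726c600e3f7602b453e4538e01cd22f172f6b1af962"


def _compile(pattern):
    # "/score/:sid/public" -> ^/score/[^/]+/public$
    return re.compile("^" + re.sub(r":\w+", "[^/]+", pattern) + "$")


def match_route(method, path, routes):
    return any(m == method and _compile(p).match(path) for m, p in routes)


class KeyStore:
    """Assumed storage: only SHA-256 digests of issued keys are kept, so a copy
    of this table cannot be replayed as credentials."""

    def __init__(self):
        self._operator_by_digest = {}

    @staticmethod
    def _digest(key):
        return hashlib.sha256(key.encode()).hexdigest()

    def issue(self, operator_id, key):
        self._operator_by_digest[self._digest(key)] = operator_id

    def lookup(self, key):
        return self._operator_by_digest.get(self._digest(key))


def authenticate(headers, store):
    """Return (operator_id, None) on success, else (None, (status, body)).
    The three 401 bodies are exactly the ones in the error table."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None, (401, {"error": "Missing or invalid Authorization header. Use: Bearer sk_signet_..."})
    if not token.startswith(KEY_PREFIX):
        return None, (401, {"error": "Invalid API key format"})
    operator = store.lookup(token)
    if operator is None:
        return None, (401, {"error": "Invalid API key"})
    return operator, None


class IpRateLimiter:
    """Sliding window: at most `limit` hits per `window` seconds for each client IP.
    `clock` is injectable so the window can be advanced deterministically."""

    def __init__(self, limit=PUBLIC_LIMIT, window=PUBLIC_WINDOW, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits = defaultdict(deque)

    def allow(self, ip):
        now, hits = self.clock(), self._hits[ip]
        while hits and now - hits[0] >= self.window:  # drop hits outside the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def handle(method, path, headers, client_ip, store, limiter):
    """Dispatch one request: public routes are rate limited per IP, all others need a key."""
    if match_route(method, path, PUBLIC_ROUTES):
        if not limiter.allow(client_ip):
            return 429, {"error": "Too Many Requests"}  # body wording is this example's assumption
        return 200, {"public": True, "path": path}
    if match_route(method, path, AUTH_ROUTES):
        operator, err = authenticate(headers, store)
        if err:
            return err
        return 200, {"operator": operator, "path": path}
    return 404, {"error": "Not found"}


if __name__ == "__main__":
    store, limiter = KeyStore(), IpRateLimiter()
    store.issue("op_demo", EXAMPLE_KEY)  # the page's example key, used as a demo credential
    print(handle("GET", "/me", {"Authorization": "Bearer " + EXAMPLE_KEY}, "203.0.113.7", store, limiter))
    print(handle("GET", "/me", {"Authorization": "Bearer nope"}, "203.0.113.7", store, limiter))
    for _ in range(6):  # the sixth public call inside the window is rejected with 429
        print(handle("POST", "/apply", {}, "203.0.113.7", store, limiter)[0])
```

The prefix check runs before any lookup, so malformed tokens never touch the store, and the single "Invalid API key" response answers only yes or no, revealing nothing about which keys exist. Hashing the presented key means a stolen copy of the table still cannot be used to authenticate.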