Authentication

Every API request must be authenticated with one of the two supported protocols:

Private API Token

This secure, credential-based protocol is designed to support authentication against the single RightSignature User account that owns the API Key. We recommend authenticating requests with your Private API Token when testing, or when building integrations that only require your application to send documents and retrieve data on behalf of your own User account.

  1. Log into your RightSignature account to request an API key and manage your API credentials.
  2. Once you have an approved API key, use the Private API Token, along with the Client ID and Client Secret, to sign your API requests.

OAuth 2.0

OAuth 2.0 is a token-based protocol designed to support authentication against third-party accounts. Use the OAuth protocol to send documents and retrieve data on behalf of any third-party RightSignature User.

  1. Log into your RightSignature account to request an API key and manage your API credentials.
  2. Once you have an approved API key, use the Client ID and Client Secret to request an authorization code (the OAuth authorization code grant type) at GET /oauth/authorize.
  3. Direct the end user (owner of the RightSignature User account) to the authorization URL. The User will first be prompted to log into RightSignature and then to confirm or deny access to the account.
  4. After access is granted, RightSignature will redirect the User to the configured redirect_uri with an authorization_code parameter.
  5. Exchange the authorization_code for an OAuth Access Token at POST /oauth/token.
  6. Use the Access Token, along with the Client ID and Client Secret, to sign your requests on behalf of the User. Access Tokens expire after 2 hours but can be refreshed using the provided Refresh Token (no additional User consent is required).
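The six OAuth 2.0 steps above as an added example, not RightSignature's own code: a small Python client that builds the authorization URL with an unguessable state value, checks that value on the callback before exchanging the code at POST /oauth/token, and refreshes the Access Token before the documented 2-hour expiry. The base URL, the standard OAuth 2.0 parameter names (response_type, client_id, redirect_uri, state, code, grant_type, refresh_token) and the JSON shape of the token response are assumptions; the HTTP POST is an injected callable so the code runs offline.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

BASE_URL = "https://rightsignature.example"  # placeholder host, not the real API
TOKEN_LIFETIME = 2 * 60 * 60  # page: Access Tokens expire after 2 hours


class OAuthClient:
    """Authorization-code flow client; `post(url, data) -> dict` is injected."""

    def __init__(self, client_id, client_secret, redirect_uri, post, now=time.time):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.post, self.now = redirect_uri, post, now
        self.state = None
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def authorization_url(self):
        # Steps 2-3: a fresh random `state` binds the callback to this request (CSRF defence).
        self.state = secrets.token_urlsafe(32)
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "state": self.state}
        return f"{BASE_URL}/oauth/authorize?{urlencode(params)}"

    def handle_callback(self, callback_url):
        # Steps 4-5: refuse a callback whose state does not match, then exchange the code.
        qs = parse_qs(urlparse(callback_url).query)
        if self.state is None or qs.get("state", [""])[0] != self.state:
            raise ValueError("state mismatch: possible CSRF or replayed callback")
        self.state = None  # single use
        if "code" not in qs:
            raise ValueError("callback carries no authorization code")
        self._store(self.post(f"{BASE_URL}/oauth/token", {
            "grant_type": "authorization_code", "code": qs["code"][0],
            "redirect_uri": self.redirect_uri,
            "client_id": self.client_id, "client_secret": self.client_secret}))

    def _store(self, resp):
        self.access_token = resp["access_token"]
        self.refresh_token = resp.get("refresh_token", self.refresh_token)
        # Honour the server's expires_in if sent, else the documented 2 hours.
        self.expires_at = self.now() + int(resp.get("expires_in", TOKEN_LIFETIME))

    def bearer(self):
        # Step 6: refresh silently (no further User consent) a minute before expiry.
        if self.now() >= self.expires_at - 60:
            self._store(self.post(f"{BASE_URL}/oauth/token", {
                "grant_type": "refresh_token", "refresh_token": self.refresh_token,
                "client_id": self.client_id, "client_secret": self.client_secret}))
        return self.access_token
```

Keep the Client Secret and tokens out of logs and URLs; only the Access Token should travel on requests, and a state mismatch is a reason to abort the flow rather than retry it.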