Authentication

All Skribble APIs use JWT bearer authentication. Obtain a token by logging in with your API credentials, then include it in the Authorization header of every request.

Getting Your Credentials

Before you can authenticate, you need:

API Username - Your unique identifier
API Key - Your secret key (never expose this publicly)

You can generate these credentials yourself in the Admin UI.

API Key Types

Key Type	Prefix	Purpose	Cost
Demo	`api_demo`	Testing and development	Free
Production	`api_production` / `api_prod`	Live transactions	Billable

warning

Demo API keys create signatures that have no legal weight. Switch to a production key when going live. All transactions made with production keys are billable.

Obtaining a Token

Make a POST request to the login endpoint:

curl -X POST "https://api.skribble.com/v2/access/login" \
  -H "Content-Type: application/json" \
  -d '{
    "username": "your-api-username",
    "api-key": "your-api-key"
  }'

Response (text/plain): the token is returned as a plain string, not wrapped in JSON:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...

This is the same across all APIs (Sign API v2, v3, and Validation API).

Using the Token

Include the token in the Authorization header for all subsequent requests:

curl -X GET "https://api.skribble.com/v2/signature-requests" \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

Token Lifetime

Tokens are valid for approximately 20 minutes
After expiration, you must obtain a new token
There is no refresh token mechanism - simply re-authenticate

Best Practices

Token Management

Cache tokens - Reuse tokens until they expire to minimize login calls
Handle expiration gracefully - Implement automatic re-authentication when you receive a 401 error
Don't hardcode credentials - Use environment variables or a secrets manager

Security

Never expose API keys - Keep them server-side only
Use HTTPS - All API calls must use HTTPS
Rotate keys periodically - Contact Skribble to rotate compromised keys
Separate environments - Use demo keys for testing, production keys for live

Error Responses

Status Code	Description	Action
401	Invalid credentials or expired token	Check credentials or re-authenticate
403	Insufficient permissions	Verify API key has required access
429	Rate limit exceeded	Implement backoff and retry

Getting Your Credentials​

API Key Types​

Obtaining a Token​

Using the Token​

Token Lifetime​

Best Practices​

Token Management​

Security​

Error Responses​