SignCare API Docs

Authentication

Every SignCare API call is authenticated with two headers — X-API-KEY and X-API-APP-ID.

Header-based authentication

SignCare uses a simple two-header scheme for all authenticated endpoints:

Header          Required   Purpose
X-API-KEY       Yes        Your secret key — treat like a password
X-API-APP-ID    Yes        Your application identifier

Both headers must be sent on every request (except the /api/ping health endpoint).

Example

curl -X POST https://ext.signcare.io/api/v1/pan/verify \
  -H "X-API-KEY: sk_live_abc123..." \
  -H "X-API-APP-ID: app_xyz789" \
  -H "Content-Type: application/json" \
  -d '{ "pan": "ABCDE1234F", "consent": "Y", "consent_text": "..." }'

What happens if headers are missing

If either header is missing or empty, you'll receive a 401 Unauthorized:

{
  "success": false,
  "error": "Unauthorized",
  "message": "Missing or invalid X-API-KEY header."
}

Getting your credentials

API keys are issued by SignCare per client. Contact your account manager or support@signcare.io to:

  • Request initial credentials
  • Create additional keys for staging vs production apps
  • Rotate a compromised key
  • Deactivate a key

Key security best practices

Never commit your API key to source control, log it, or embed it in client-side code (web pages, mobile apps). Treat it like a database password.

Recommended practices:

  • Server-side only. Call SignCare from your backend, never from a browser or mobile app directly.
  • Environment variables. Store keys in .env files (excluded from git) or a secrets manager (AWS Secrets Manager, HashiCorp Vault, Azure Key Vault).
  • Separate keys per environment. Ask for a separate key for development vs production if you prefer full isolation (though the same key works in both by default).
  • Rotate on suspicion. If you believe a key is compromised, contact us immediately for a fresh key. The old key is revoked.

Key rotation

To rotate a key without downtime:

  1. Request a new key from SignCare — you'll temporarily have two valid keys.
  2. Deploy the new key to your application.
  3. Confirm all traffic is flowing on the new key.
  4. Ask SignCare to revoke the old key.

Consent

Most SignCare endpoints that retrieve personal data from government or financial databases require an explicit consent field in the request body. This is a legal requirement under Indian IT and privacy regulations.

The standard consent pattern:

{
  "consent": "Y",
  "consent_text": "I hear by declare my consent agreement for fetching my information via SignCare API"
}

Your end-user must provide this consent (via your UI) before you call the API. Storing a record of the consent event (user ID, timestamp, IP) on your side is recommended.
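The header scheme and consent pattern above, combined into a small backend-side helper. This is an added example, not SignCare's own SDK; the environment variable names SIGNCARE_API_KEY and SIGNCARE_API_APP_ID are assumed, and the 401 check matches the error shape shown in this document.

```python
import json
import os
from typing import Mapping, Optional
from urllib.error import HTTPError
from urllib.request import Request, urlopen

BASE_URL = "https://ext.signcare.io"        # production host from this page
PAN_VERIFY_PATH = "/api/v1/pan/verify"

def load_credentials(env: Optional[Mapping[str, str]] = None) -> dict:
    """Read both credentials from the environment and fail fast if either is empty.
    SIGNCARE_API_KEY and SIGNCARE_API_APP_ID are assumed variable names."""
    env = os.environ if env is None else env
    creds = {"X-API-KEY": env.get("SIGNCARE_API_KEY", "").strip(),
             "X-API-APP-ID": env.get("SIGNCARE_API_APP_ID", "").strip()}
    missing = [h for h, v in creds.items() if not v]
    if missing:
        # Refuse to start rather than send requests the API rejects with 401.
        raise RuntimeError("missing SignCare credential for " + ", ".join(missing))
    return creds

def build_pan_verify_request(pan: str, consent_text: str, creds: Mapping[str, str]) -> dict:
    """Assemble the POST: both auth headers plus the mandatory consent fields."""
    if not consent_text.strip():
        raise ValueError("consent_text must be the declaration the end-user agreed to")
    body = {"pan": pan, "consent": "Y", "consent_text": consent_text}
    return {"url": BASE_URL + PAN_VERIFY_PATH,
            "headers": {**creds, "Content-Type": "application/json"},
            "body": json.dumps(body).encode()}

def redact_key(key: str) -> str:
    """Form safe for logs: short prefix only, never the full secret."""
    return key[:8] + "****" if len(key) > 8 else "****"

def is_auth_failure(status: int, body: bytes) -> bool:
    """Match the documented 401 shape so callers can alert on credential problems."""
    if status != 401:
        return False
    try:
        payload = json.loads(body)
    except ValueError:
        return True
    return payload.get("success") is False and payload.get("error") == "Unauthorized"

def send(req: dict) -> tuple:
    """Perform the request over the network; returns (status, body)."""
    http_req = Request(req["url"], data=req["body"], headers=req["headers"], method="POST")
    try:
        with urlopen(http_req, timeout=10) as resp:
            return resp.status, resp.read()
    except HTTPError as err:              # 4xx/5xx arrive here; body is still readable
        return err.code, err.read()
```

Only `send` touches the network; the other functions can be exercised offline, which is how the credential-loading and 401-detection logic should be unit tested.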

Outbound IP allowlisting (optional)

If your security policy requires outbound traffic from your servers to be restricted, add these domains to your allowlist:

Hostname              Purpose
ext.signcare.io       Production API
uat-ext.signcare.io   Stage/UAT API

If you need stable source IPs for inbound webhook traffic (SignCare → you), see Webhooks — Source IPs.
