Using the API

Signatu APIs are OpenAPI-compatible REST APIs.

API requests are authorized by OAuth 2.0 tokens. You can manage your API credentials in your Signatu account.

The APIs are specified in OpenAPI version 3. See OpenAPI development tools for additional information.

Authorizing with OAuth

All API requests must be authorized with a valid API Key and a valid OAuth2 Bearer token.

Both your API Key and OAuth2 tokens are created under your account at https://signatu.com or using standard OAuth2 flows (see OAuth).

If you need help creating an access token please contact support@signatu.com.


Access tokens must be granted access to scope consent.

x-api-key HTTP header

Only requests to the v0 version of the Consent API require the x-api-key header. The API Key is used to identify your account and associated account limits. For the Data Processing and Webhook APIs the x-api-key header is not required as Signatu will find the account from the Authorization token.

Note that while x-api-key is not used to authorize access to the API (see Authorization below) you should not distribute your API Key.

Authorization HTTP header

You can authorize HTTP requests using the Authorization HTTP header. The API expects a Bearer token, meaning that any client presenting the token is treated as authorized. You can create tokens in your Signatu account, or use the standard OAuth2 Client Credentials Grant flow (see RFC 6749).

Set the token in the Authorization HTTP header. Because it is a Bearer token, any client that holds the token can access the Policies associated with the user account. The token should therefore be kept secret.

Example request

$ curl -v https://api.signatu.com/consent/v0/consents \
-H 'Authorization: Bearer dqwoiuoi98324IUIUWECVOH' \
-H 'x-api-key: 12908347192749238798'
* Connected to localhost (api.signatu.com) (#0)
> GET /consent/api/v0/... HTTP/1.1
> Host: signatu.com
> x-api-key: 12908347192749238798
> Authorization: Bearer dqwoiuoi98324IUIUWECVOH

URI Formats

URI references are all URIs in the format scheme://. The scheme follows the IANA specification.

Query parameters are URI encoded. In JavaScript, use encodeURIComponent(). For example, https://foo.com is encoded as https%3A%2F%2Ffoo.com.
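
The following is an added example, not Signatu's own code: it builds the Consent API v0 request from the curl example in JavaScript, encoding query values with encodeURIComponent(), refusing to attach the Bearer token to a non-HTTPS endpoint, and masking both secrets before they are logged. The query parameter name target and the environment variable names SIGNATU_TOKEN and SIGNATU_API_KEY are assumptions.

```javascript
// Added example: not Signatu's own client code.
const CONSENT_ENDPOINT = "https://api.signatu.com/consent/v0/consents"; // from the curl example

// Reject empty secrets and values that could smuggle extra headers (CR/LF).
function checkSecret(name, value) {
  if (typeof value !== "string" || value.length === 0 || /[\r\n]/.test(value)) {
    throw new Error(`${name} is missing or contains a line break`);
  }
  return value;
}

// Build the URL and headers for a Consent API v0 request.
// `params` maps query parameter names to raw (unencoded) values.
function buildConsentRequest({ token, apiKey, params = {}, endpoint = CONSENT_ENDPOINT }) {
  // A Bearer token authorizes whoever holds it, so never send it over plain HTTP.
  if (new URL(endpoint).protocol !== "https:") {
    throw new Error("refusing to send a Bearer token over a non-HTTPS endpoint");
  }
  const query = Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join("&");
  return {
    url: query ? `${endpoint}?${query}` : endpoint,
    headers: {
      Authorization: `Bearer ${checkSecret("token", token)}`,
      "x-api-key": checkSecret("apiKey", apiKey), // required for Consent API v0 only
    },
  };
}

// Copy of the headers that is safe to write to logs: secret values are masked.
function redactHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const secret = /^(authorization|x-api-key)$/i.test(name);
    out[name] = secret ? value.replace(/\S+$/, "[REDACTED]") : value;
  }
  return out;
}

// Constructed sample values; the environment variable names are assumptions.
const req = buildConsentRequest({
  token: process.env.SIGNATU_TOKEN || "sample-token",
  apiKey: process.env.SIGNATU_API_KEY || "sample-api-key",
  params: { target: "https://foo.com" }, // "target" is a hypothetical parameter name
});
console.log(req.url, redactHeaders(req.headers));
```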


Signatu also uses a URN (RFC 1737) prefix urn:signatu: to refer to resources. For HTML resources, such as Privacy Policies, these URN references are set on HTML elements using the data-ref attribute.