Signatu is built using security best practices such as the principle of least privilege. So you can assume that your account and data in Signatu is safe as long as you do your part.


Make sure you have secure password, and try not to re-use passwords from other sites. We strongly suggest using a password manager such as Dashlane and 1password.

OAuth tokens

You can generate OAuth tokens either in your Signatu account or using client application credentials. Make sure you restrict these tokens to the specific scope they are for, e.g., consent or dataprocessing. Note that while these tokens will give the bearer limited access right for the given scope(s), they do access your account, and should be kept secret.


If you want your website to use the Signatu Consent API directly you need to provide the web browser with a valid OAuth token. This token will be readable by your users, and hence cannot be considered secret anymore. Anyone with this token can POST new consent events and query the API.

Content Security Policy

If you are using Content Security Policy (CSP) on your site you need to include signatu.com in connect-src. If you embed a Signatu Policy button, you also need to include cdn.signatu.com in your frame-src.

Proxying requests

API Proxy example

You can receive consent events to your service. Your service will have OAuth client credentials, and can forward events to the Signatu API. You need a way to authenticate your applications to the Consent Proxy, otherwise there is no additional security for this model.

The Signatu SDK contains an example Express proxy