API Authentication & JWT Tokens
The Firma API uses two authentication methods: API key authentication for server-to-server requests, and JWT tokens for embedding the template and signing request editors in your application.API Key Authentication
All API endpoints require authentication using an API key in theAuthorization header.
How it Works
Your API key authenticates your requests and determines which workspace resources you can access. Each workspace has its own unique API key that you can retrieve via the Get Workspace endpoint. Protected Workspace: Every company account has one protected workspace that cannot be deleted. This protected workspace holds the main API key for your account, which has access to all workspace, API key, company/account, and webhook endpoints. Use this key for account-wide operations or when you need to manage multiple workspaces.Test Mode (Live vs Test Keys)
Each workspace has two API keys: a live key and a test key. Test mode is determined by which key you send — there is no separate flag or parameter.- Requests authenticated with the test key do not consume credits, and any signing requests they create are flagged as test and watermarked.
- Requests authenticated with the live key run normally and consume credits.
api_key = live, test_api_key = test) and by the Get Workspace and List Workspaces endpoints. Use the test key while integrating, then switch to the live key for production.
You can rotate each key type independently: pass key_type ("live" or "test", default "live") to the regenerate and expire endpoints. Rotating one type does not affect the other.
Test keys are full credentials with the same access scope as live keys — keep them server-side and never expose them in client code. The only difference is billing and watermarking behavior.
API Key Rotation
You can regenerate API keys for non-protected workspaces to enhance security. When you regenerate a key:- A new API key is created immediately and returned in the response
- Old keys are set to expire in 24 hours - they continue working during this grace period
- You can manually expire old keys early once you’ve verified the new key works
Protected workspace keys cannot be regenerated via the API. This prevents accidental lockouts from your account. Contact support if you need to rotate your protected workspace key.
Regenerate API Key
Generate a new API key for a workspace. The old key will automatically expire after 24 hours:Expire Old Keys Early
After verifying your new key works, you can immediately expire all pending keys:- Call the regenerate endpoint to get a new key
- Update your application configuration with the new key
- Test that the new key works correctly
- Call the expire endpoint to immediately invalidate old keys
- Monitor for any errors indicating services still using the old key
Header Format
The API key can be sent in two ways:- Direct format (recommended for simplicity):
- Bearer token format (optional):
Code Examples
Error Response
If your API key is missing or invalid, you’ll receive a401 Unauthorized response:
JWT Tokens for Embedded Features
JWT (JSON Web Token) tokens enable you to embed Firma’s template editor and signing request editor directly in your application. These tokens are RSA-256 signed and time-limited for security.When to Use JWT Tokens
Use JWT tokens when you want to:- Embed the template editor in your application for users to create/edit document templates
- Embed the signing request editor for users to customize documents before sending
- Provide secure, time-limited access to specific templates or signing requests
- Control which resources users can access without exposing your API key
JWT tokens should always be generated from your secure backend, never from frontend code. Your backend uses the API key to generate tokens, which are then passed to the frontend for editor initialization.
JWT Token Types
Authentication Flow
Here’s how JWT authentication works for embedded features:Implementation Guide
Step 1: Generate JWT Token (Backend)
Generate a JWT token from your secure backend using your API key:Step 2: Initialize Editor (Frontend)
Use the JWT token to initialize the embedded editor in your frontend:Step 3: Revoke JWT Token (Optional)
Revoke a JWT token when it’s no longer needed:JWT Security Best Practices
Related Guides
Learn more about implementing embedded features and working with the API:- Embeddable Template Editor - Complete guide to embedding the template editor
- Embeddable Signing Request Editor - Embed signing request customization
- Sending Signing Requests - Send documents for signature
- Webhooks - Subscribe to real-time events
API Reference
Key authentication and JWT management endpoints: API Key Management:- Get Workspace - Retrieve workspace API key
- Regenerate Workspace API Key - Generate new API key
- Expire Pending API Keys - Immediately expire old keys
- Generate JWT Token for Embedding Templates
- Generate JWT Token for Signing Request
- Revoke Template JWT Token
- Revoke Signing Request JWT Token