Skip to main content

API Authentication & JWT Tokens

The Firma API uses two authentication methods: API key authentication for server-to-server requests, and JWT tokens for embedding the template and signing request editors in your application.

API Key Authentication

All API endpoints require authentication using an API key in the Authorization header.

How it Works

Your API key authenticates your requests and determines which workspace resources you can access. Each workspace has its own unique API key that you can retrieve via the Get Workspace endpoint. Protected Workspace: Every company account has one protected workspace that cannot be deleted. This protected workspace holds the main API key for your account, which has access to all workspace, API key, company/account, and webhook endpoints. Use this key for account-wide operations or when you need to manage multiple workspaces.

Test Mode (Live vs Test Keys)

Each workspace has two API keys: a live key and a test key. Test mode is determined by which key you send — there is no separate flag or parameter.
  • Requests authenticated with the test key do not consume credits, and any signing requests they create are flagged as test and watermarked.
  • Requests authenticated with the live key run normally and consume credits.
Both keys are returned when you create a workspace (api_key = live, test_api_key = test) and by the Get Workspace and List Workspaces endpoints. Use the test key while integrating, then switch to the live key for production. You can rotate each key type independently: pass key_type ("live" or "test", default "live") to the regenerate and expire endpoints. Rotating one type does not affect the other.
Test keys are full credentials with the same access scope as live keys — keep them server-side and never expose them in client code. The only difference is billing and watermarking behavior.

API Key Rotation

You can regenerate API keys for non-protected workspaces to enhance security. When you regenerate a key:
  1. A new API key is created immediately and returned in the response
  2. Old keys are set to expire in 24 hours - they continue working during this grace period
  3. You can manually expire old keys early once you’ve verified the new key works
Protected workspace keys cannot be regenerated via the API. This prevents accidental lockouts from your account. Contact support if you need to rotate your protected workspace key.

Regenerate API Key

Generate a new API key for a workspace. The old key will automatically expire after 24 hours:
Response:

Expire Old Keys Early

After verifying your new key works, you can immediately expire all pending keys:
Response:
Best Practice for Key Rotation:
  1. Call the regenerate endpoint to get a new key
  2. Update your application configuration with the new key
  3. Test that the new key works correctly
  4. Call the expire endpoint to immediately invalidate old keys
  5. Monitor for any errors indicating services still using the old key
Never expose your API key in frontend code or client-side applications. API keys should only be used in secure backend services. Always store them as environment variables.

Header Format

The API key can be sent in two ways:
  1. Direct format (recommended for simplicity):
  1. Bearer token format (optional):
Both formats are accepted. The Bearer prefix is optional but not required.

Code Examples

Error Response

If your API key is missing or invalid, you’ll receive a 401 Unauthorized response:

JWT Tokens for Embedded Features

JWT (JSON Web Token) tokens enable you to embed Firma’s template editor and signing request editor directly in your application. These tokens are RSA-256 signed and time-limited for security.

When to Use JWT Tokens

Use JWT tokens when you want to:
  • Embed the template editor in your application for users to create/edit document templates
  • Embed the signing request editor for users to customize documents before sending
  • Provide secure, time-limited access to specific templates or signing requests
  • Control which resources users can access without exposing your API key
JWT tokens should always be generated from your secure backend, never from frontend code. Your backend uses the API key to generate tokens, which are then passed to the frontend for editor initialization.

JWT Token Types

Authentication Flow

Here’s how JWT authentication works for embedded features:

Implementation Guide

Step 1: Generate JWT Token (Backend)

Generate a JWT token from your secure backend using your API key:
Response:

Step 2: Initialize Editor (Frontend)

Use the JWT token to initialize the embedded editor in your frontend:
For signing request editor, use the signing request JWT endpoint and the signing request editor library:

Step 3: Revoke JWT Token (Optional)

Revoke a JWT token when it’s no longer needed:

JWT Security Best Practices

Security Checklist:
  1. Always generate JWTs from your backend - Never expose your API key in frontend code
  2. Use environment variables - Store API keys securely, never hardcode them
  3. Validate token expiration - Check expires_at and refresh tokens as needed
  4. Use HTTPS only - Never transmit tokens over unencrypted connections
  5. Revoke unused tokens - Revoke JWTs when editing is complete or the session ends
  6. Implement token refresh - Request new tokens before expiration for ongoing sessions
  7. Scope tokens appropriately - Each JWT is tied to a specific template or signing request


Learn more about implementing embedded features and working with the API:

API Reference

Key authentication and JWT management endpoints: API Key Management: JWT Token Management: Getting Started: