Authentication & attribution
Upsign API v2 secures every request with your company API key. For requests that create or change data, partner attribution headers identify your end user so actions can be audited and supported consistently. This page describes required headers, how company-scoped keys relate to admins and end users, and browser considerations when trying endpoints from this site.
X-Api-Key (required)
Every request under /v2/* must include header X-Api-Key set to your valid company API key. If the key is missing or invalid, the API responds with 401 and body:
```json
{ "error": "Invalid or missing API key." }
```
Acting user
API keys are company-scoped. A company admin creates or rotates the API key in Upsign; you then use that same key in your application to call the API for the entire company.
Pair the key with partner attribution headers (especially X-Partner-User-Id) on mutating requests so each call is tied to the right end user. That way one integration can create documents and run workflows for any user in the company while keeping activity attributable per user.
Partner attribution (mutations)
For POST, PUT, PATCH, and DELETE:
| Header | Required | Purpose |
|---|---|---|
| X-Partner-User-Id | Yes | Identify the partner’s end-user for auditing and support. Missing → 400 `{"error":"X-Partner-User-Id header required for mutating requests."}` |
| X-Partner-User-Email | No | Optional partner user email |
| X-Partner-Request-Id | No | Correlation / idempotency hint; auto-generated if omitted |
GET requests do not require X-Partner-User-Id.
These headers travel with the request for auditing, support, and correlation.
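A client-side sketch of the header rules above, added here as an example and not Upsign's own code: it builds the headers per HTTP method, refuses a mutating call that has no end-user id, rejects control characters in user-derived values so they cannot inject extra headers, and maps the two documented error bodies to a cause. The names `build_headers` and `classify_error` are hypothetical, and the UUID hex string used for X-Partner-Request-Id is an assumed format.

```python
import json
import re
import uuid

MUTATING = {"POST", "PUT", "PATCH", "DELETE"}
# Reject control characters so a user-derived value cannot smuggle extra headers.
_UNSAFE = re.compile(r"[\x00-\x1f\x7f]")


def _clean(name, value):
    value = str(value).strip()
    if not value or _UNSAFE.search(value):
        raise ValueError(f"{name}: empty or contains control characters")
    return value


def build_headers(method, api_key, user_id=None, user_email=None, request_id=None):
    """Return the headers for one /v2/* call, failing locally before the API would."""
    method = method.upper()
    headers = {"X-Api-Key": _clean("X-Api-Key", api_key)}
    if method in MUTATING:
        if user_id is None:
            # The API would answer 400; refuse earlier so no unattributed write is sent.
            raise ValueError("X-Partner-User-Id is required for mutating requests")
        # Assumption: send our own id so client logs and API audit records can be joined.
        headers["X-Partner-Request-Id"] = _clean(
            "X-Partner-Request-Id", request_id or uuid.uuid4().hex)
    if user_id is not None:
        headers["X-Partner-User-Id"] = _clean("X-Partner-User-Id", user_id)
    if user_email is not None:
        headers["X-Partner-User-Email"] = _clean("X-Partner-User-Email", user_email)
    return headers


def classify_error(status, body):
    """Map the two documented failures to a cause; anything else is 'other'."""
    try:
        message = json.loads(body).get("error", "")
    except (ValueError, TypeError, AttributeError):
        message = ""
    if status == 401:
        return "api_key", message
    if status == 400 and "X-Partner-User-Id" in message:
        return "attribution", message
    return "other", message
```

Because the key is company-scoped, the value passed as `user_id` should come from your own authenticated session, not from client-supplied input.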
Browser “Try it”
Calling the API from this documentation site requires CORS on the API. The server allowlists developer origins and exposes the headers above for preflight.