Authorization header. Public verification endpoints need no key at all — possession of the verify, room, or order code is the authorization.
Partner API keys
Partner keys start withsss_pk_ followed by 256 bits of random entropy in a lowercase base32 alphabet. The prefix makes a leaked key recognizable in logs and secret scanners.
Send the key on every partner request:
Authenticated request
401 Unauthorized
How keys are issued
Request access
Submit
POST /api/partner/request (or the form at
https://signsealship.com/partner) with your firm name, work email, and
intended use case.Screening
A business email domain plus a coherent, on-topic use case is issued a
trial key instantly. Anything else is reviewed by a human — you get an
email either way.
Key rotation
There is no self-serve key rotation endpoint today. To rotate a key — routinely, or because you suspect it leaked — contact SignSealShip and a replacement is issued and the old key deactivated. Until then:- Treat the key like a password: server-side only, one secrets-manager entry, no copies in tickets or chat.
- If you suspect a leak, contact SignSealShip immediately; deactivation is immediate once actioned.
- Room links have their own self-serve rotation:
POST /api/rooms/{roomCode}/rotatereissues a room’s bearer code without touching your API key.
Webhook signing secrets follow the same one-time-display model as API keys:
shown once at creation, stored only as a hash. To rotate one, create a new
subscription and delete the old — see webhooks.
Rate limits
Requests over a limit are rejected with429 Too Many Requests. Back off and retry after the window resets (fixed one-minute windows unless noted).
| Policy | Limit | Keyed by | Applies to |
|---|---|---|---|
partner-write | 60 per minute | Partner key | All Closing Room and Closing Passport partner routes |
public-read | 30 per minute | IP | Public room view and Closing Passport verification |
partner-request | 5 per hour | IP | POST /api/partner/request |
public-write | 12 per minute | IP | POST /api/passport/seal and the public Proof Passport verify endpoints |
partner-portal | 120 per minute | Dashboard session | Session-authenticated /api/partner/... dashboard routes, including webhook CRUD |