> ## Documentation Index
> Fetch the complete documentation index at: https://docs.signsealship.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authenticate to the SignSealShip partner API

> Authenticate to the SignSealShip API with a partner bearer key, understand how keys are issued and rotated, and see every rate limit.

Every partner endpoint is authenticated with a bearer API key in the `Authorization` header. Public verification endpoints need no key at all — possession of the verify, room, or order code is the authorization.

## Partner API keys

Partner keys start with `sss_pk_` followed by 256 bits of random entropy in a lowercase base32 alphabet. The prefix makes a leaked key recognizable in logs and secret scanners.

Send the key on every partner request:

```bash Authenticated request theme={null}
curl https://signsealship.com/api/rooms \
  -H "Authorization: Bearer sss_pk_your_key"
```

A missing, malformed, revoked, or unknown key gets the same response:

```json 401 Unauthorized theme={null}
{ "error": "A valid partner API key is required." }
```

<Warning>
  Your key is shown to you exactly once, when it is issued. SignSealShip stores
  only its SHA-256 hash — a database compromise never yields a usable key, but
  it also means a lost key cannot be recovered, only replaced. Keep it in a
  secrets manager, never in client-side code or a repository.
</Warning>

## How keys are issued

<Steps>
  <Step title="Request access">
    Submit [`POST /api/partner/request`](/api-reference/partner-requests) (or the form at
    `https://signsealship.com/partner`) with your firm name, work email, and
    intended use case.
  </Step>

  <Step title="Screening">
    A business email domain plus a coherent, on-topic use case is issued a
    trial key instantly. Anything else is reviewed by a human — you get an
    email either way.
  </Step>

  <Step title="Receive your key by email">
    The raw key is emailed to the work email you submitted, once. Trial keys
    start on the trial tier (5 active rooms) and can be upgraded.
  </Step>
</Steps>

Keys can also be issued directly by SignSealShip for teams onboarding by hand.

## Key rotation

There is no self-serve key rotation endpoint today. To rotate a key — routinely, or because you suspect it leaked — contact SignSealShip and a replacement is issued and the old key deactivated. Until then:

* Treat the key like a password: server-side only, one secrets-manager entry, no copies in tickets or chat.
* If you suspect a leak, contact SignSealShip immediately; deactivation is immediate once actioned.
* Room links have their own self-serve rotation: [`POST /api/rooms/{roomCode}/rotate`](/api-reference/rooms#rotate-the-room-link) reissues a room's bearer code without touching your API key.

<Note>
  Webhook signing secrets follow the same one-time-display model as API keys:
  shown once at creation, stored only as a hash. To rotate one, create a new
  subscription and delete the old — see [webhooks](/api-reference/webhooks).
</Note>

## Rate limits

Requests over a limit are rejected with `429 Too Many Requests`. Back off and retry after the window resets (fixed one-minute windows unless noted).

| Policy            | Limit          | Keyed by          | Applies to                                                                        |
| ----------------- | -------------- | ----------------- | --------------------------------------------------------------------------------- |
| `partner-write`   | 60 per minute  | Partner key       | All Closing Room and Closing Passport partner routes                              |
| `public-read`     | 30 per minute  | IP                | Public room view and Closing Passport verification                                |
| `partner-request` | 5 per hour     | IP                | `POST /api/partner/request`                                                       |
| `public-write`    | 12 per minute  | IP                | `POST /api/passport/seal` and the public Proof Passport verify endpoints          |
| `partner-portal`  | 120 per minute | Dashboard session | Session-authenticated `/api/partner/...` dashboard routes, including webhook CRUD |

<Tip>
  The public room view aggregates live status across every attached order, so
  it carries a tighter per-IP budget than partner writes. Poll it no more than
  once every few seconds per room — the page SignSealShip ships refreshes every
  15 seconds.
</Tip>
