Authenticate with the API
GraphQL supports two authentication modes:
| Mode | Coverage | Header | Best for |
|---|---|---|---|
| SRP | Full GraphQL schema | Authorization: Bearer <access-token> | Complete integrations |
| API Key | Supported subset only | Authorization: Bearer <api-key> | Server-side automation and common send/read flows |
SRP is the full-schema authentication method. API keys created in the Developer Portal can access a supported subset of GraphQL operations.
API Key Authentication
Create a GraphQL-enabled API key in the Developer Portal, then send it as a bearer token:
POST /graphql HTTP/1.1
Host: graphql.uk.legalesign.com
Content-Type: application/json
Authorization: Bearer ak_<environment>_<key-id>.<secret>
{"query": "{ user { id email } }"}
Check the API-key GraphQL reference and the auth badges on query and mutation reference pages before using an operation with an API key.
Widget and Component Authorization
Authenticated widgets, such as the Document Viewer and Signer, need a token passed to their token attribute.
There are two supported server-side ways to provide that token:
| Token source | How it works |
|---|---|
| SRP JWT | Your server uses SRP to obtain a JWT access token and passes that JWT to the widget |
| Component token | Your server uses an API key to call generateComponentToken, then passes the returned token to the widget |
generateComponentToken is API-key-only and returns a short-lived token for widgets. SRP remains the full-schema option when your backend should provide a JWT directly.
See Widget Authorization for the complete component token flow and browser security guidance.
SRP Authentication
Use SRP when you need full GraphQL schema access.
API Credentials
To use SRP authentication, contact Legalesign support to obtain the credentials and details for your integration.