Every request to the Signa API needs a Bearer token in the Authorization header.
Authorization: Bearer sig_YOUR_KEY
Getting your API key
Sign up at app.signa.so and navigate to API Keys in the sidebar. Click + Create new key, give it a name, and copy the full key immediately: it is only shown once.
Manage all your keys (create, rotate, revoke) from the API Keys dashboard.
API keys use the format sig_ followed by 48 hex characters. Unrecognized prefixes are rejected with 401 before any lookup.
Scopes
Each API key has one or more scopes that control what it can access:
| Scope | Grants access to |
|---|
trademarks:read | Trademark records, owners, attorneys, firms, proceedings: all public catalog data |
events:read | Event feed (/v1/events). Plan-gated. |
portfolios:manage | Customer-owned resources: portfolios, saved searches, watches, alerts, webhooks |
api-keys:manage | API key creation, rotation, update, and revocation |
organization:manage | Organization settings (e.g. renaming the organization) |
billing:read | Usage, plan, and log endpoints |
Key rotation
Rotate a key when you suspect it has been compromised, when a team member leaves, or as part of regular security hygiene. Rotate from the API Keys dashboard (open the … menu on a key and select Rotate key) or programmatically via the Rotate API Key endpoint. Rotation issues a new key; the old key keeps working for a 24-hour grace period so you can roll the new secret out to your services without downtime.
API keys are for server-to-server use only. Never ship a sig_ key in client-side code (browser JavaScript, mobile apps, or anything a user can inspect); call the Signa API from your backend and proxy requests to any frontend that needs the data.