Authentication
Overview
The LexgoSign API uses API keys for authentication. All API requests must include a valid API key in the Authorization header.
Security
Keep your API keys secure and never share them publicly. All requests must be made over HTTPS.
Getting Your API Key
- Log in to your Lexgo account at https://app.lexgo.cl
- Navigate to Settings → API Keys
- Click Generate New API Key
- Copy and securely store your API key
Important
API keys are only shown once. If you lose your key, you'll need to generate a new one.
Authentication Header
Include your API key in the Authorization header of every request:
Example Requests
Testing Your Setup
After getting your API key, test it with the test endpoint:
Endpoint: POST /api/v1/test
```python
import requests

# 'your_api_key_here' is a placeholder for your API key
response = requests.post(
    'https://api.lexgo.cl/api/v1/test',
    headers={'Authorization': 'your_api_key_here'},
    data={'test_param': 'Sample value 123'},
    timeout=10,  # do not wait indefinitely for a response
)
print(response.json())
# Output: {
#   "enterprise_name": "Your Company",
#   "environment": "sandbox",
#   "test_param": "Sample value 123"
# }
```
```javascript
const fetch = require('node-fetch');
const FormData = require('form-data');

// Form body; test_param is echoed back in the response
const form = new FormData();
form.append('test_param', 'Sample value 123');

// 'your_api_key_here' is a placeholder for your API key
fetch('https://api.lexgo.cl/api/v1/test', {
  method: 'POST',
  headers: { 'Authorization': 'your_api_key_here' },
  body: form
})
  .then(res => res.json())
  .then(data => console.log(data));
```
Response:
```json
{
  "enterprise_name": "Your Company Name",
  "environment": "sandbox",
  "test_param": "Sample value 123"
}
```
Response Fields:
- enterprise_name: Your company/account name
- environment: Either sandbox or live
- test_param: Echoes back any parameter you sent (optional)
Quick Validation
Use this endpoint to verify your API key works before integrating other endpoints.
Authentication Errors
Invalid API Key
Status Code: 401 Unauthorized
Causes:
- API key doesn't exist
- API key has been deleted
- Typo in the Authorization header
Missing Authorization Header
Status Code: 401 Unauthorized
Causes:
- Authorization header not included in request
- Header name misspelled
Deactivated API Key
Status Code: 401 Unauthorized
Causes:
- API key has been deactivated in settings
- Enterprise account is suspended
API Key Management
Multiple Keys
You can create multiple API keys for different purposes:
- Sandbox: Test integration without legal validity (documents are watermarked)
- Live: Production use with legally binding signatures
- Per-Application: Create separate keys for different applications or integrations
Key Rotation
Regularly rotate your API keys for security:
- Generate a new API key
- Update your application to use the new key
- Verify the new key works correctly
- Deactivate the old key
Best Practice
Rotate API keys every 90 days and immediately if compromised.
Revoking Keys
To revoke an API key:
- Go to Settings → API Keys
- Find the key you want to revoke
- Click Deactivate
Immediate Effect
Deactivating a key takes effect immediately. All requests using that key will fail.
Security Best Practices
Store Securely
- Use environment variables: Never hardcode API keys
- Encrypt at rest: Store keys encrypted in databases
- Restrict access: Limit who can view API keys
Network Security
- HTTPS only: All requests must use HTTPS
- IP whitelisting: Restrict API access to known IP addresses
- Rate limiting: Implement client-side rate limiting
Monitoring
- Log requests: Track API usage for anomaly detection
- Alert on errors: Monitor 401 errors for potential security issues
- Audit access: Review API key usage regularly
Example: Storing API Keys
Environment Variables
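The following Python code is an added example, not taken from the Lexgo documentation. It reads the key from an environment variable, refuses non-HTTPS URLs, calls the test endpoint described above, and rejects a 401 or a key that belongs to the wrong environment. The variable name `LEXGO_API_KEY`, the helper names and the treatment of any 2xx status as success are assumptions; it uses the standard-library `urllib` instead of `requests`.

```python
import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

TEST_URL = "https://api.lexgo.cl/api/v1/test"  # test endpoint from this page
KEY_VAR = "LEXGO_API_KEY"  # assumed variable name, not defined by Lexgo

def load_api_key(env=os.environ):
    """Read the key from the environment; fail closed if absent or blank."""
    key = env.get(KEY_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_VAR} is not set")
    return key

def redact(key):
    """Form of the key that is safe to write to logs (last 4 characters only)."""
    return "****" + key[-4:] if len(key) > 8 else "****"

def build_request(key, url=TEST_URL):
    """POST to the test endpoint with the key in the Authorization header."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send an API key over a non-HTTPS URL")
    return urllib.request.Request(url, data=b"", method="POST",
                                  headers={"Authorization": key})

def check_response(status, body, expected_env):
    """Reject 401s, other failures, and a key from the wrong environment."""
    if status == 401:
        raise PermissionError("401 Unauthorized: key invalid, missing or deactivated")
    if not 200 <= status < 300:  # assumption: any 2xx status means success
        raise RuntimeError(f"unexpected status {status}")
    info = json.loads(body)
    if info.get("environment") != expected_env:
        raise RuntimeError(f"key is for {info.get('environment')!r}, not {expected_env!r}")
    return info

def verify_key(expected_env="sandbox"):
    """Call the test endpoint once, e.g. at startup or after a key rotation."""
    key = load_api_key()
    try:
        with urllib.request.urlopen(build_request(key), timeout=10) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx
        status, body = err.code, err.read()
    info = check_response(status, body, expected_env)
    print(f"key {redact(key)} valid for {info['enterprise_name']} ({info['environment']})")
    return info
```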
Next Steps
- Quick Start Guide - Create your first envelope
- API Overview - Explore available endpoints
- Error Codes - Handle errors gracefully