Programmatic Authentication: Secret Keys and API Access

Guide | Updated: May 2026

This guide provides technical instructions for the generation, management, and rotation of API Secret Keys for programmatic integration with the IUSign Enterprise platform.


Prerequisites

  • Active IUSign account on an eligible subscription tier (Standard+).
  • Assigned Admin or Owner role.
  • Note: API keys provide high-privilege access; store and handle them as sensitive credentials at all times.

Strategic Overview

The IUSign API allows developers to automate complex document workflows, including mass envelope creation, real-time status tracking, and automated asset retrieval. To facilitate secure communication between your internal systems and the IUSign infrastructure, the platform utilizes API Secret Keys. These keys serve as the programmatic identity of your tenant, authorizing every request with the full permissions of the associated administrator account.


Implementation Sequence

1. Initializing the Developer Module

Navigate to the Developers section via the primary navigation sidebar. Select the API Keys module to access the credential management interface.

2. Generation of a New Secret Key

Select the Generate New Key action.

  • Key Identification: Assign a descriptive label to the key (e.g., "CRM-Production-Integration" or "Staging-Testing") to facilitate future audit reviews.
  • Initial Display: Upon generation, the Secret Key will be displayed in its entirety. This is the only time the full key will be visible.

Caution: You must copy and store the Secret Key immediately in an encrypted credential manager (e.g., HashiCorp Vault or AWS Secrets Manager). IUSign does not store a clear-text version of this key for retrieval.

3. Key Management and Governance

The dashboard provides a centralized view of all active keys:

  • Key Masking: For security, only the last 4 characters of active keys are displayed.
  • Usage Telemetry: Monitor the "Last Used" timestamp to identify inactive credentials.
  • Deactivation (Revocation): If a key is compromised or no longer required, select Revoke to immediately invalidate the credential and block all associated API traffic.

Technical Specifications: API Authentication

| Parameter | Specification |
| --- | --- |
| Authentication Mode | Bearer Token (HTTP Header). |
| Header Key | Authorization: Bearer <YOUR_SECRET_KEY> |
| Encryption Standard | TLS 1.3 mandated for all API endpoints. |
| Token Type | Long-lived static key (Manual rotation required). |

Security Best Practices for Enterprise Developers

  • Secret Rotation: Implement a scheduled rotation policy (e.g., every 90 days) for all production API keys to minimize the impact of potential credential leakage.
  • Environment Isolation: Utilize distinct API keys for Development, Staging, and Production environments to prevent accidental data contamination.
  • IP Whitelisting (Enterprise): On eligible tiers, configure IP-based restrictions to ensure that API requests are only accepted from your verified corporate servers.
  • No Hardcoding: Never commit API keys to version control systems (e.g., GitHub or GitLab). Utilize environment variables or secure secret injection.
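
The Bearer header format, the TLS 1.3 requirement, and the practices listed above (no hardcoding, masked display, 90-day rotation), combined in an added Python example. This is not IUSign code: the IUSIGN_API_KEY variable name, the api.example.invalid URL, and the sample key are assumptions constructed for illustration.

```python
import os
import ssl
import urllib.request
from datetime import date, timedelta

KEY_ENV_VAR = "IUSIGN_API_KEY"  # assumed variable name, not from the guide
ROTATION_DAYS = 90              # the guide's example rotation interval


def load_key(env=os.environ):
    """Read the Secret Key from the environment; fail closed if it is absent."""
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set; refusing to build a request")
    return key


def mask(key):
    """Log-safe form: at most the last 4 characters, as the dashboard shows."""
    return "****" + key[-4:] if len(key) > 8 else "****"


def tls13_context():
    """Client context that refuses to negotiate anything below TLS 1.3."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def build_request(url, key):
    """Attach the key as a Bearer token; never send it over plain HTTP."""
    if not url.lower().startswith("https://"):
        raise ValueError("the Secret Key may only be sent over HTTPS")
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {key}"})


def rotation_due(created, today=None):
    """True once the key has reached the rotation interval."""
    return ((today or date.today()) - created) >= timedelta(days=ROTATION_DAYS)


if __name__ == "__main__":
    key = load_key({KEY_ENV_VAR: "constructed-sample-key-9f3a"})     # constructed value
    req = build_request("https://api.example.invalid/v1/ping", key)  # placeholder URL
    print("key", mask(key), "TLS floor", tls13_context().minimum_version.name)
    # urllib.request.urlopen(req, context=tls13_context()) sends the request
```

In a deployment the key reaches the process through secret injection from the credential manager, and only the masked form is written to logs.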

Diagnostic and Resolution Protocols

| System Exception | Probable Cause | Resolution Protocol |
| --- | --- | --- |
| 401 Unauthorized | Invalid/Revoked key | Verify the key is active in the dashboard and that the Authorization header is correctly formatted. |
| 403 Forbidden | Scope or Tier constraint | Ensure your subscription tier supports API access and that your user role has administrative permissions. |
| Key compromised | Potential leakage | Immediately Revoke the compromised key and generate a new credential for your integration. |
