
Authentication

Wallet lane (the iframe)

Every request under /v1/wallets/... carries two pieces of auth:

Header                     Value
X-Sigil-Publishable-Key    The org’s pk_live_…
Authorization              Bearer <jwt> — the end-user token

The publishable key identifies the org. The JWT is either:

  • Sigil mode: minted by POST /v1/wallets/auth/email-otp/verify after the user completes the email OTP. HS256 with our internal secret.
  • OIDC mode: minted by your own provider; we validate against your JWKS via the autodiscovery URL configured per-org.

Two endpoints are gated by the publishable key alone, since they exist to mint the JWT in the first place:

  • POST /v1/wallets/auth/email-otp/start
  • POST /v1/wallets/auth/email-otp/verify

Everything else under /v1/wallets/... requires both headers.

Server-to-server lane

GET /v1/s2s/wallets HTTP/1.1
Host: api.sigilkeys.com
Authorization: Bearer sk_live_xxx

Secret keys are revocable from the portal API keys tab. Rotate them the moment you suspect leakage.
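
The two-lane gating described above (wallet lane with its publishable-key-only exception for the two OTP endpoints, and the server-to-server lane), as an added example that is not Sigil's own code: it decides from method, path and headers which lane a request is on and whether the request satisfies it, and verifies a Sigil-mode HS256 token with the algorithm pinned. The key values, the HS256 secret and the claim names are constructed for the example; the OIDC-mode JWKS check is only referenced in a comment.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed sample credentials for this example; real keys come from the portal.
ORG_PUBLISHABLE_KEY = "pk_live_EXAMPLE"
ORG_SECRET_KEY = "sk_live_EXAMPLE"
SIGIL_JWT_SECRET = b"constructed-hs256-secret"  # stands in for Sigil's internal HS256 secret

# The two endpoints that need only the publishable key, because they mint the JWT.
PK_ONLY_ENDPOINTS = {
    ("POST", "/v1/wallets/auth/email-otp/start"),
    ("POST", "/v1/wallets/auth/email-otp/verify"),
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Mint a token the way the Sigil-mode verify step would: HS256 over a shared secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256_jwt(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is a well-formed, correctly signed, unexpired
    HS256 JWT; return None for anything else."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64, bad JSON
        return None
    # Pin the algorithm to what the minting side uses: a header claiming "none" or an
    # RS*/ES* algorithm is rejected before the signature is even looked at.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if not isinstance(claims, dict):
        return None
    current = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is not None and (not isinstance(exp, (int, float)) or current >= exp):
        return None
    return claims


def authorize(method: str, path: str, headers: dict,
              now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether a request satisfies the lane its path puts it on."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    auth = h.get("authorization", "")
    bearer = auth[len("Bearer "):] if auth.startswith("Bearer ") else None

    if path.startswith("/v1/s2s/"):
        # Server-to-server lane: the org's secret key is the only credential.
        if bearer is not None and hmac.compare_digest(bearer.encode(), ORG_SECRET_KEY.encode()):
            return True, "s2s: secret key accepted"
        return False, "s2s: missing or unknown secret key"

    if path.startswith("/v1/wallets/"):
        pk = h.get("x-sigil-publishable-key", "")
        if not hmac.compare_digest(pk.encode(), ORG_PUBLISHABLE_KEY.encode()):
            return False, "wallet: missing or unknown publishable key"
        if (method, path) in PK_ONLY_ENDPOINTS:
            return True, "wallet: publishable-key-only endpoint"
        if bearer is None:
            return False, "wallet: end-user JWT missing"
        # Sigil mode is shown; in OIDC mode the token would instead be checked against
        # the org's JWKS fetched via its autodiscovery URL.
        claims = verify_hs256_jwt(bearer, SIGIL_JWT_SECRET, now)
        if claims is None:
            return False, "wallet: JWT invalid or expired"
        return True, f"wallet: end user {claims.get('sub')}"

    return False, "no such lane"
```

The two things worth noticing are that the publishable key is checked before the OTP exception is applied (so the mint endpoints are still org-scoped), and that `verify_hs256_jwt` reads the `alg` header only to confirm it is the one expected, never to choose a verification routine.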

CORS

The API accepts browser requests from the Allowed origins you declare for your company in the portal, plus the fixed Sigil iframe origin (https://wallet.sigilkeys.com). A page served from any other origin has its requests blocked by the browser itself; CORS is a browser-side control, so the publishable key and JWT checks above still apply to every request. Server-to-server calls aren’t subject to CORS.
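
The server side of that allow-list, added here as an example that is not Sigil's code: it answers a browser's Origin with CORS headers only on an exact match against the declared origins plus the fixed iframe origin, handles the preflight for the wallet-lane headers, and leaves server-to-server calls (which carry no Origin) untouched. The org origins are constructed; the response header names are the standard CORS ones.

```python
from typing import Optional

SIGIL_IFRAME_ORIGIN = "https://wallet.sigilkeys.com"  # fixed, always allowed
ORG_ALLOWED_ORIGINS = {"https://app.example.com", "https://staging.example.com"}  # constructed

# Request headers the wallet lane uses; a browser only sends them cross-origin
# after a preflight response that lists them.
ALLOWED_REQUEST_HEADERS = "Authorization, X-Sigil-Publishable-Key, Content-Type"


def origin_allowed(origin: str) -> bool:
    # Exact match on scheme, host and port. No prefix, suffix or substring tests and
    # no wildcard, so "https://app.example.com.attacker.invalid", "http://app.example.com"
    # and the literal "null" origin a sandboxed frame sends all fail.
    return origin in ORG_ALLOWED_ORIGINS or origin == SIGIL_IFRAME_ORIGIN


def cors_headers(method: str, request_headers: dict) -> Optional[dict]:
    """Response headers for a request: {} when CORS does not apply (no Origin header,
    i.e. a server-to-server call), None when the origin is not allowed (the response
    then carries no CORS headers and the browser blocks the page from reading it)."""
    h = {k.lower(): v for k, v in request_headers.items()}  # header names are case-insensitive
    origin = h.get("origin")
    if origin is None:
        return {}
    if not origin_allowed(origin):
        return None
    # Echo the matched origin (never "*": the wallet lane sends credentials) and mark the
    # response as varying on Origin so caches do not serve it to a different origin.
    out = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if method == "OPTIONS" and "access-control-request-method" in h:
        # Preflight: state which methods and request headers the real request may use.
        out["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS"
        out["Access-Control-Allow-Headers"] = ALLOWED_REQUEST_HEADERS
        out["Access-Control-Max-Age"] = "600"
    return out
```

Whatever `cors_headers` returns, the publishable-key and JWT checks run as well; the allow-list only governs which pages a browser lets read the response.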