API Authentication

Learn how to authenticate your E-Sign API requests to Penvio.

API access requires a Business plan or higher.

Overview

The Penvio E-Sign API uses API key authentication. You’ll need to include your API key in the Authorization header of every request.

Obtaining an API Key

Go to penvio.io and sign in with your account.

Navigate to API Keys

Go to Organization Settings → API Keys.

Create a new key

Click Create API Key and enter a name for your key (e.g., “Production Backend”).

Copy the key

Copy the key immediately - it won’t be shown again.

🔒

Keep your API key secret!

Never commit it to version control
Never expose it in client-side code
Use environment variables to store it

API Key Format

API keys follow the format:


pk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

pk_ prefix identifies it as a Penvio API key
live_ indicates a production key (vs test_ for sandbox)
The remaining characters are a unique identifier

Using the API Key

Include your key in the Authorization header as a Bearer token:


Authorization: Bearer pk_live_xxxxxxxxxxxxx

Examples

cURL


curl -X GET https://penvio.io/api/v1/esign/templates \
  -H "Authorization: Bearer pk_live_xxxxxxxxxxxxx" \
  -H "Content-Type: application/json"

JavaScript


// Using fetch
const response = await fetch('https://penvio.io/api/v1/esign/templates', {
  headers: {
    'Authorization': `Bearer ${process.env.PENVIO_API_KEY}`,
    'Content-Type': 'application/json',
  },
});
 
const { data } = await response.json();
 
// Using axios
import axios from 'axios';
 
const client = axios.create({
  baseURL: 'https://penvio.io/api/v1',
  headers: {
    'Authorization': `Bearer ${process.env.PENVIO_API_KEY}`,
  },
});
 
const { data } = await client.get('/esign/templates');

Python


import os
import requests
 
API_KEY = os.environ['PENVIO_API_KEY']
BASE_URL = 'https://penvio.io/api/v1'
 
headers = {
    'Authorization': f'Bearer {API_KEY}',
    'Content-Type': 'application/json',
}
 
response = requests.get(f'{BASE_URL}/esign/templates', headers=headers)
data = response.json()

Go


package main
 
import (
    "net/http"
    "os"
)
 
func main() {
    client := &http.Client{}
    req, _ := http.NewRequest("GET", "https://penvio.io/api/v1/esign/templates", nil)
    req.Header.Set("Authorization", "Bearer "+os.Getenv("PENVIO_API_KEY"))
    req.Header.Set("Content-Type", "application/json")
 
    resp, _ := client.Do(req)
    defer resp.Body.Close()
}

API Key Management

Viewing Keys

View all API keys in Organization Settings → API Keys. You’ll see:

Key name
Creation date
Last used date
Key prefix (for identification)

Revoking Keys

To revoke a compromised or unused key:

Go to Organization Settings → API Keys
Click Revoke on the key
Confirm the action

Revoking a key immediately invalidates it. All applications using it will receive 401 Unauthorized responses.

Multiple Keys

Create separate keys for different environments and purposes:

Key Name	Environment	Purpose
`prod-backend`	Production	Main application
`staging-backend`	Staging	Testing
`ci-testing`	CI/CD	Automated tests

This way, if one key is compromised, you only need to revoke that specific key.

Error Responses

401 Unauthorized


{
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Invalid or missing API key"
  }
}

This means:

No API key was provided
The API key is invalid or revoked
The Authorization header format is incorrect

403 Forbidden


{
  "error": {
    "code": "FORBIDDEN",
    "message": "Enterprise subscription required"
  }
}