Scopes
Each API key is assigned one or more scopes that control which endpoints it can access.
Available scopes
| Scope | Grants access to |
|---|---|
envelopes:read | List envelopes, get envelope details, get status |
envelopes:write | Create envelopes, send for signing, void |
esign:write | Create signing sessions, mint sign embed tokens |
vault:read | Download vault documents, view certificates, mint vault embed tokens |
customers:read | List and view customer records |
compliance:read | View compliance evaluations and reports |
Scope to endpoint mapping
| Endpoint | Required scope |
|---|---|
GET /partner/envelopes | envelopes:read |
GET /partner/envelopes/:id | envelopes:read |
GET /partner/envelopes/:id/status | envelopes:read |
GET /partner/envelopes/:id/signing-links | envelopes:read |
POST /partner/envelopes | envelopes:write |
POST /embed/token (sign) | esign:write |
POST /embed/token (vault) | vault:read |
GET /partner/envelopes/:id/vault/signed-url | vault:read |
GET /partner/envelopes/:id/vault/copy/signed-url | vault:read |
GET /partner/envelopes/:id/vault/certificate | compliance:read |
GET /partner/envelopes/:id/compliance | compliance:read |
Recommended scope sets
Read-only integration
["envelopes:read", "vault:read", "compliance:read"]
Good for: dashboards, reporting, document viewing.
Full signing integration
["envelopes:read", "envelopes:write", "esign:write", "vault:read"]
Good for: end-to-end signing workflows with embedded widgets.
Complete access
["envelopes:read", "envelopes:write", "esign:write", "vault:read", "customers:read", "compliance:read"]
Good for: deep integrations that manage the full lifecycle.
Error response
If a request requires a scope the key doesn't have:
// 403 Forbidden
{
"error": "Missing required scope: vault:read"
}