Guides
Guides
Start typing to search…

Authentication

Overview

All API requests (except webhook delivery requests) require an access_token.

Access tokens are generated per user and provide secure, server-side authorisation to access and manage that user’s documents.

You may watch this video for a guide on how to generate access_tokens or review the Retrieve API Credentials section.

Note: The current access token method is temporary and will later be replaced by OAuth. This simplified method is currently used to ease integration and migration.

Create Access Token

NB: This is intended to be used on server side only.

client_secret should never be shared.

Generates an access token using:

  • Your account’s api_key
  • Your application's client_id
  • Your application's client_secret

Endpoint

POST /v1/access_tokens

Request Headers

Content-Type: application/json
Cache-Control: no-cache

Request Body Example

{
  "client_id": "<client_id>",
  "client_secret": "<client_secret>",
  "api_key": "<api_key>"
}

Response Example

{
  "data": {
    "access_token": "<access_token_value>"
  },
  "status": {
    "status_code": 200
  }
}

Example cURL

curl -X POST https://sandboxapi.quicklysign.com/v1/access_tokens \
  -H "Content-Type: application/json" \
  -H "Cache-Control: no-cache" \
  -d '{
    "client_id": "<client_id>",
    "client_secret": "<client_secret>",
    "api_key": "<api_key>"
  }'

Using the Access Token

Include the generated access_token in the headers of all subsequent API requests:

access_token: <your_access_token>

Important Notes

  • API keys are user-specific. To perform actions on behalf of a user, you must use their access token.

  • client_id, client_secret, and api_key must be stored securely on your server. These credentials must never be exposed in frontend applications.

  • API credentials are environment-specific. Keys generated in one environment cannot be used in another.

Access Token Expiration

When creating an application, the default expiration time for generated access tokens is 24 hours.

This value can be configured in the application settings within the UI:

  • If set above 0 - Access tokens expire after that number of hours.
  • If set to 0 - Access tokens will not expire.

We strongly recommend not setting expiration to 0 in production environments.

If an access token expires, generate a new one using valid credentials.

Application Deletion & Credential Invalidation

If an application is deleted:

  • The associated client_id becomes invalid.
  • The associated client_secret becomes invalid.
  • All access_tokens generated from that application immediately become invalid.

Requests made using credentials from a deleted application will fail.

Environments

API credentials are environment-specific and are not interchangeable.

For example:

  • Sandbox credentials cannot be used in Production.
  • Production credentials cannot be used in Sandbox.

Always ensure:

  • The base URL matches the environment your credentials belong to.
  • The client_id and client_secret were generated in that same environment.

Refer to the Environments section for the full list of available sites and base URLs.

Invalid Access Token Example

If the token is invalid, expired, or missing, the API returns:

{
  "status": {
    "status_code": 401,
    "errors": [
      {
        "message": "A valid access_token is required",
        "code": "invalid_access_token"
      }
    ]
  },
  "data": {}
}

FAQ

1. Why am I getting “You do not have a valid client_id or client_secret”?

This error usually means the credentials being used do not match the environment you are authenticating against.

Common causes:

  • Reusing keys across different environments - attempting to authenticate against Sandbox using Production credentials (or vice versa).

How to resolve

  • Confirm the client_id and client_secret belong to the environment you are calling.
  • Regenerate credentials in the correct environment if necessary.
  • If the issue persists, please contact: [email protected]

2. Why am I getting “A valid access_token is required”?

This error occurs when:

  • The access_token header is missing.
  • The token has expired.
  • The token was generated from a deleted application.
  • The token was generated in a different environment.

How to resolve

  1. Generate a new access token using valid credentials.
  2. Replace the old token in your request headers.
  3. Retry the request.

Updated about 17 hours ago