DocumentationAuthentication

Authentication

Keys, idempotency, and safe request signing.

API keys

All write endpoints require an API key. Send it via header or query.

X-Access-Key: your-key

https://api.ssapi.com/v1/capture?access_key=your-key

Idempotency

Use Idempotency-Key to safely retry POST requests without duplicating work. Keys are cached for up to 24 hours.

Idempotency-Key: 7f9f6f1c-53b1-4df6-9a4a-8a2c6e1c1f02

Optional signatures

If you pass access_key via the query string, you can include a signature to prevent tampering. The server validates the signature when it is present.

import crypto from "crypto";

const accessKey = process.env.CAPTURE_KEY as string;
const secret = process.env.CAPTURE_SECRET as string;

const query = new URLSearchParams({ access_key: accessKey });
const unsigned = query.toString();
const signature = crypto.createHmac("sha256", secret).update(unsigned).digest("hex");

const url = `https://api.ssapi.com/v1/capture?${unsigned}&signature=${signature}`;

Public endpoints

These endpoints do not require authentication:

  • GET /v1/health
  • GET /v1/version
  • GET /v1/metrics
  • GET /v1/devices
Security

Never embed your API key in client-side code. Use server-side calls or a backend proxy.

Updated 1 day ago
Did this page help you?