Manage Dropbox Sign API keys
Authenticate API requests, manage Dropbox Sign API keys, and strengthen the security of your integrations.
5 Leitura de minutos
Your integration is ready to communicate with Dropbox Sign. Before it can send its first API request, it needs a secure way to identify itself and authenticate with the Dropbox Sign API.
That's where API keys come in.
In this module, you'll learn how to create, manage, and protect API keys, along with the security practices that help keep your integrations safe.
What are API keys?
API keys allow your application to securely communicate with Dropbox Sign.
Every API request must be authenticated so Dropbox Sign can verify who is making the request and determine what actions are permitted.
Think of an API key as a credential that identifies your integration and grants access to your Dropbox Sign account.
Note
A few things to keep in mind about API keys:
API keys remain active until you delete them.
The same API key can be used for both test mode and live mode. Whether a request runs in test mode or live mode is determined by the
test_modeparameter in the API request.Before deleting an existing API key, generate a new one and update your integration to use it.
Creating API keys
To create an API key:
Sign in to Dropbox Sign.
Open your account settings.
Select the API tab.
Click Generate key.
Best Practice
Give each API key a descriptive name that identifies both its environment and purpose. This makes it easier to manage multiple keys and reduces the risk of using the wrong one.
Examples:
Production – Customer portal
Development – HR onboarding
Testing – Contract management
Once generated, the API key can be used to authenticate API requests from your application.
Note
Treat API keys like passwords. Anyone with access to an API key may be able to make requests on behalf of your account.
After generating an API key, copy and store it in a secure location. You can access it again at any time from the API settings page.
API key limits
Dropbox Sign supports up to four active API keys per account. One key can be designated as the primary key, which is used for callback event hash verification when validating callback payloads.
Multiple keys can be useful when managing different environments or integrations.
Examples:
Production environment
Development environment
Testing environment
Internal automation tools
Using separate keys makes it easier to isolate activity and rotate credentials without affecting other integrations.
Note
Only the primary key can be used to validate callback payloads using event hash verification.
Understanding API authentication
Dropbox Sign uses HTTP Basic Authentication for API requests.
When authenticating:
The API key is used as the username.
The password field is left blank.
The API key identifies your integration and authorizes requests to the Dropbox Sign API.
Conceptual example
Application → API key → Dropbox Sign API
The API key acts as the credential that allows the request to proceed.
You don't need to memorize the technical implementation details for this course, but understanding how authentication works will help when troubleshooting integrations.
Note
API keys aren't the only way to authenticate with the Dropbox Sign API. If your integration uses OAuth, you'll authenticate with an access token instead.
You'll learn more about OAuth when we cover API Apps later in this course.
API key best practices
Proper API key management is one of the most important responsibilities for technical admins and developers.
Do
Store API keys securely.
Use separate keys for different environments.
Rotate API keys regularly.
Remove keys that are no longer needed.
Don't
Hardcode API keys directly into source code.
Share API keys through unsecured channels.
Commit API keys to repositories.
Reuse the same key across every environment.
Following these practices helps reduce security risk and simplifies long-term administration.
Managing multiple environments
Many organizations maintain separate environments for development, testing, and production.
Using dedicated API keys for each environment can help:
Improve security by separating development, testing, and production environments.
Reduce accidental changes affecting your production environment.
Simplify troubleshooting by isolating activity to a specific environment.
Support key rotation by keeping environments separate.
Example
Many organizations assign a different API key to each environment:
Development: Key A
Testing: Key B
Production: Key C
This approach creates clear separation between environments, making it easier to troubleshoot issues, rotate credentials, and reduces operational risk.
Security warning
If an API key is exposed or you suspect it has been compromised:
Generate a replacement API key immediately.
Update any affected integrations.
Remove the compromised key.
Review recent API activity for unexpected behavior.
The faster a compromised key is removed, the lower the potential security risk.
Best practice
Have a documented key rotation process before an incident occurs so your team can respond quickly if credentials need to be replaced.
You've established the secure connection your integration needs to communicate with Dropbox Sign.