Authentication: Sign In and API Access in Safeclose
Sign in with email, password, or SSO, then use your active session token to authenticate every Safeclose API call with a Bearer header.
Safeclose authenticates every user and every API call. This page covers how to sign in through the web app and how to use your session token to make authenticated API requests.
Safeclose provides two ways to sign in, both available at /sign-in:
Email and password — Enter the email address and password you registered with at /sign-up.
SSO — If your organization has single sign-on configured, select the SSO option on the sign-in page and you’ll be redirected through your identity provider.
To create a new account, go to /sign-up. To reset a forgotten password, go to /forgot-password.
Safeclose uses first-party sign-in pages hosted on the same domain as the app. You will not be redirected to an external authentication portal.
All routes except the sign-in, sign-up, and legal pages require an active session. If your session expires, you are redirected to /sign-in automatically.
The Safeclose REST API is versioned under /v1 and requires a Bearer token on every request. Your token is the JWT from your active Safeclose browser session — the same session that keeps you signed in to the web app.
Safeclose does not issue static API keys. Instead, tokens are short-lived JWTs tied to your active login session. To get one:
Sign in to Safeclose in your browser.
Open your browser’s developer tools.
In the Application (Chrome/Edge) or Storage (Firefox) panel, look under Cookies for your Safeclose domain, or use the Network panel to inspect a request to the Safeclose API and copy the Authorization header value (the part after Bearer ).
Session tokens expire when your session ends or when the token reaches its short lifetime. If you receive a 401 Unauthorized response, obtain a fresh token by refreshing your browser session and copying the updated JWT.
Sign in again in your browser and obtain a fresh session token
403 Forbidden
Token is valid but your role does not have permission for this resource
Check that your account has the required role (admin, manager, or signer) for the endpoint you are calling
If you consistently receive 403 errors on signing endpoints, your account may not be linked to a manager, admin, or signer record for the organization or location you are trying to access. Contact your organization admin to verify your role assignment.
What you can do through the API depends on your role in Safeclose:
Role
Access
Admin
Global read access across all organizations and locations; elevated signing directory
Manager
Scoped to the organizations and locations you are a member of; can create and manage signing packages
Signer
Access to your own assigned signing packages and documents only
A single account can hold more than one role. For example, a user who is both a manager and a signer sees both the management endpoints and the signer queue.
