Skip to content

Authentication

API keys (REST)

Send your key as a Bearer token on every request:

Terminal window
curl https://api.signals.ai/v1/coverage/AAPL \
-H "Authorization: Bearer sk_live_…"

Keys are created and managed at developers.signals.ai. The secret is shown once at creation — we store only a salted hash, so if you lose it, rotate it.

Live vs test keys

PrefixBehavior
sk_live_…Counts against your plan’s limits.
sk_test_…Clamped to Free-tier limits; use in CI and sandboxes.

A missing or invalid key returns 401 with a WWW-Authenticate: Bearer header. Clerk session tokens are not accepted on the REST surface — that’s the internal app’s auth, not the developer API’s.

OAuth (MCP server)

The MCP server accepts two auth lanes:

  • API key — paste sk_live_… as a Bearer header in your MCP client config (Claude Code, Cursor, self-hosted).
  • OAuth 2.1 — the one-click “Connect” flow in the Claude and ChatGPT marketplaces. The server is an OAuth resource server; it advertises its authorization server via /.well-known/oauth-protected-resource and validates that tokens are scoped mcp:tools and audience-bound to the MCP endpoint.

Rate limits

Every response carries X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset (epoch seconds). A 429 includes Retry-After. See rate limits for per-tier quotas and endpoint weights.