Manual
Authentication (client API)
SDK key and project headers for the MotiSig AI client HTTP API.
The client API (SDK surface) expects:
| Header | Required | Description |
|---|---|---|
X-API-Key | Yes | SDK key from Settings → API Keys (kind SDK). |
X-Project-ID | Yes | Project id from the MotiSig dashboard. |
Do not use Authorization: Bearer … for this surface unless your integration explicitly targets a different MotiSig API product that documents Bearer auth.
Browser requests (web SDK)
When the Client API receives a request that looks browser-originated (for example it includes an Origin, Sec-Fetch-*, or Referer header), MotiSig also checks that origin against the project's allowed web domains list configured in the dashboard.
- Web SDK / browser: the page origin must be on the allowlist. Until at least one domain is saved, browser calls return 403.
- Native mobile (iOS, Android, Expo): no browser origin headers — domain allowlist is not enforced.
- Server-side scripts: requests without browser headers skip the origin check (SDK key validation still applies).
Configure origins under Settings → API Keys → SDK → Allowed web domains. See Allowed web domains for format and limits.
Exact routes and schemas are in the OpenAPI document and interactive docs.