Skip to main content
Manual

Authentication (client API)

SDK key and project headers for the MotiSig AI client HTTP API.

The client API (SDK surface) expects:

HeaderRequiredDescription
X-API-KeyYesSDK key from Settings → API Keys (kind SDK).
X-Project-IDYesProject id from the MotiSig dashboard.

Do not use Authorization: Bearer … for this surface unless your integration explicitly targets a different MotiSig API product that documents Bearer auth.

Browser requests (web SDK)

When the Client API receives a request that looks browser-originated (for example it includes an Origin, Sec-Fetch-*, or Referer header), MotiSig also checks that origin against the project's allowed web domains list configured in the dashboard.

  • Web SDK / browser: the page origin must be on the allowlist. Until at least one domain is saved, browser calls return 403.
  • Native mobile (iOS, Android, Expo): no browser origin headers — domain allowlist is not enforced.
  • Server-side scripts: requests without browser headers skip the origin check (SDK key validation still applies).

Configure origins under Settings → API Keys → SDK → Allowed web domains. See Allowed web domains for format and limits.

Exact routes and schemas are in the OpenAPI document and interactive docs.