Authentication
API keys (REST)
Send your key as a Bearer token on every request:
curl https://api.signals.ai/v1/coverage/AAPL \ -H "Authorization: Bearer sk_live_…"Keys are created and managed at developers.signals.ai. The secret is shown once at creation — we store only a salted hash, so if you lose it, rotate it.
Live vs test keys
| Prefix | Behavior |
|---|---|
sk_live_… | Counts against your plan’s limits. |
sk_test_… | Clamped to Free-tier limits; use in CI and sandboxes. |
A missing or invalid key returns 401 with a WWW-Authenticate: Bearer header.
Clerk session tokens are not accepted on the REST surface — that’s the
internal app’s auth, not the developer API’s.
OAuth (MCP server)
The MCP server accepts two auth lanes:
- API key — paste
sk_live_…as a Bearer header in your MCP client config (Claude Code, Cursor, self-hosted). - OAuth 2.1 — the one-click “Connect” flow in the Claude and ChatGPT
marketplaces. The server is an OAuth resource server; it advertises its
authorization server via
/.well-known/oauth-protected-resourceand validates that tokens are scopedmcp:toolsand audience-bound to the MCP endpoint.
Rate limits
Every response carries X-RateLimit-Limit, X-RateLimit-Remaining, and
X-RateLimit-Reset (epoch seconds). A 429 includes Retry-After. See
rate limits for per-tier quotas and endpoint
weights.