Authentication
All API access uses OAuth2 client credentials.
- Token endpoint:
https://test.sign.swisscom.ch/realms/swisscom-public/protocol/openid-connect/token - Main scopes:
sswp:process:create,sswp:process:read,sswp:process:read:all - Contract endpoint:
https://test.sign.swisscom.ch/system/api-docs
Example token request:
curl --request POST \
--url https://test.sign.swisscom.ch/realms/swisscom-public/protocol/openid-connect/token \
--header 'content-type: application/x-www-form-urlencoded' \
--data 'grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET'
Use the resulting bearer token when calling the process endpoints.
Security note
The API explorer is intended as a quick test tool for integrators. If you use the built-in authentication flow in the browser:
- your
client_idandclient_secretare entered client-side - browser extensions, injected scripts, or shared-device browser state can increase exposure
- this is acceptable for controlled testing, but it is not the recommended production integration pattern
For production integrations, Swisscom Sign should be called from your own backend so client credentials are handled server-side.