Skip to main content

Authentication

All API access uses OAuth2 client credentials.

  • Token endpoint: https://test.sign.swisscom.ch/realms/swisscom-public/protocol/openid-connect/token
  • Main scopes: sswp:process:create, sswp:process:read, sswp:process:read:all
  • Contract endpoint: https://test.sign.swisscom.ch/system/api-docs

Example token request:

curl --request POST \
--url https://test.sign.swisscom.ch/realms/swisscom-public/protocol/openid-connect/token \
--header 'content-type: application/x-www-form-urlencoded' \
--data 'grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET'

Use the resulting bearer token when calling the process endpoints.

Security note

The API explorer is intended as a quick test tool for integrators. If you use the built-in authentication flow in the browser:

  • your client_id and client_secret are entered client-side
  • browser extensions, injected scripts, or shared-device browser state can increase exposure
  • this is acceptable for controlled testing, but it is not the recommended production integration pattern

For production integrations, Swisscom Sign should be called from your own backend so client credentials are handled server-side.