Authentication
All API requests require a bearer token. You can authenticate with an API key or an OAuth 2.0 access token.
API Keys
Generate API keys from Settings → Integrations → API Keys in your dashboard. Keys start with ws_.
Pass the key as a bearer token in the Authorization header on every request:
Authorization: Bearer ws_live_your_key_here# Example request
curl https://worksignal.com/api/v1/roles \
-H "Authorization: Bearer ws_live_your_key_here"Keep keys secret
Never commit API keys to source control or expose them in client-side code. If a key is compromised, revoke it immediately from your dashboard and generate a new one.
Rate limits
| Plan | Limit | Reset |
|---|---|---|
| Free | 100 requests / day | Midnight UTC |
| Pro ($99/mo) | Unlimited | - |
When rate limited, the API returns HTTP 429 with a Retry-After header indicating seconds until reset.
OAuth 2.0 (for MCP and integrations)
WorkSignal implements OAuth 2.0 Authorization Code flow with PKCE for MCP server connections and third-party integrations. When you connect Claude Code or Cursor using the MCP setup, the OAuth flow runs automatically.
Authorization server metadata
GET https://worksignal.com/.well-known/oauth-authorization-server
Authorization endpoint
GET https://worksignal.com/oauth/authorize
Token endpoint
POST https://worksignal.com/oauth/token
Dynamic client registration (RFC 7591)
POST https://worksignal.com/oauth/registrations
For MCP-specific setup instructions, see the MCP Server guide.
Auth error responses
| Status | Meaning |
|---|---|
| 401 | Missing or invalid API key |
| 403 | Valid key, but not authorized for this resource or organization |
| 429 | Rate limit exceeded - check Retry-After header |