
Web API (Lambda) Reference

The SaaS Signer Lambda Web API provides cryptographic signing operations, key management, and policy-based approval workflows.

API Version: v1 - All endpoints are prefixed with /v1/ for versioning.

API Documentation

Open ReDoc →

The documentation shows all available endpoints, request/response schemas, and examples.

Quick Reference

Trial Sandbox (no account required)

Try the signing workflow before creating an account:

curl -X POST https://sign.leftcoastlogics.com/trial/sign \
  -H "Content-Type: application/json" \
  -d '{"hash":"LCa0a2j_xo_5m0U8HTBx40y-ztLk-fKv5s3P0H0P1C0=","algorithm":"RSASSA_PKCS1_V1_5_SHA_256"}'

Add "mode":"real" to the request body to get a real PKCS#1 signature from a shared test KMS key. The private key is published at docs.leftcoastlogics.com/trial-test-key.pem so you can verify the returned signature offline.

Authentication

Production endpoints require an API key obtained via GitHub OAuth sign-in. Include it as a Bearer token:

Authorization: Bearer <your-api-key>

Sign in (browser): redirect to GET /oauth/start

Sign in (CLI/device flow):

# Step 1: get user code
curl -X POST https://sign.leftcoastlogics.com/oauth/device/start

# Step 2: visit verification_uri and enter user_code in browser

# Step 3: poll until approved
curl -X POST "https://sign.leftcoastlogics.com/oauth/device/poll?device_code=<code>"
# → returns {api_key, tenant_id} when authorized

Production Request Format

All production requests use JSON with a required action field:

{
  "action": "sign",
  "tenant_id": "my-tenant",
  "hash": "base64-encoded-hash",
  "sbom": "..."
}

Available Actions

Signing:

  • sign - Sign a hash with policy evaluation
  • pkcs11_sign - Sign using PKCS#11-compatible algorithm selection
  • approve_sign - Approve a pending signature request

Tenant & Key Management:

  • create_tenant - Create a new tenant with KMS key
  • rotate_key - Rotate tenant's signing key
  • get_public_key - Retrieve tenant's public key
  • get_import_params - Get parameters for external key import
  • import_key - Import externally-generated key material

Policy:

  • create_exception - Create a policy exception
  • list_exceptions - List policy exceptions
  • revoke_exception - Revoke a policy exception

Policy Evaluation

The /sign and /pkcs11_sign endpoints include policy evaluation. Responses can be:

  • 200 OK - Signature created and policy allowed
  • 202 Accepted - Policy decision pending (approval or security review)
  • 403 Forbidden - Policy denied with violation details
  • 400 Bad Request - Invalid request
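
A client-side release gate for the status codes listed above, as an added example (not the project's own code): a 202 is a 2xx response but carries no usable signature, so a pipeline that checks only for "any 2xx" would ship an unsigned artifact. It assumes the hash field is URL-safe base64 of a SHA-256 digest, as the alphabet of the trial example suggests, and uses a hypothetical `signature` response field.

```python
import base64
import hashlib
import json
from enum import Enum


class Outcome(Enum):
    SIGNED = "signed"          # 200 OK: signature created, policy allowed
    PENDING = "pending"        # 202 Accepted: approval or security review outstanding
    DENIED = "denied"          # 403 Forbidden: policy denied
    INVALID = "invalid"        # 400 Bad Request
    UNEXPECTED = "unexpected"  # anything else is treated as a failure


STATUS_TO_OUTCOME = {200: Outcome.SIGNED, 202: Outcome.PENDING,
                     403: Outcome.DENIED, 400: Outcome.INVALID}


def build_sign_request(artifact: bytes, tenant_id: str) -> str:
    """Hash the artifact locally and return the JSON body for action "sign"."""
    digest = hashlib.sha256(artifact).digest()
    # Assumption: URL-safe base64 with padding, as in the trial example hash.
    hash_b64 = base64.urlsafe_b64encode(digest).decode("ascii")
    return json.dumps({"action": "sign", "tenant_id": tenant_id, "hash": hash_b64})


def classify(status: int) -> Outcome:
    """Map an HTTP status to a policy outcome; unknown codes fail closed."""
    return STATUS_TO_OUTCOME.get(status, Outcome.UNEXPECTED)


def may_release(status: int, body: dict) -> bool:
    """Release only on 200 with a non-empty signature; 202 is not a signed result."""
    # "signature" is a hypothetical response field name, not taken from the API spec.
    return classify(status) is Outcome.SIGNED and bool(body.get("signature"))


if __name__ == "__main__":
    print(build_sign_request(b"constructed sample artifact", "my-tenant"))
    # Constructed responses, one per documented status code plus an undocumented one.
    for status, body in [(200, {"signature": "c2ln"}), (202, {}), (403, {}),
                         (400, {}), (500, {}), (200, {})]:
        print(status, classify(status).value, "release" if may_release(status, body) else "hold")
```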

OpenAPI Specification

The full OpenAPI 3.0.0 specification is available at /api/openapi.yml.

You can view it in: