Web API (Lambda) Reference
The SaaS Signer Lambda Web API provides cryptographic signing operations, key management, and policy-based approval workflows.
API Version: v1 - All endpoints are prefixed with /v1/ for versioning.
API Documentation
The documentation shows all available endpoints, request/response schemas, and examples.
Quick Reference
Authentication
All requests must be signed using AWS Signature Version 4 (SigV4) authentication. Include an Authorization header with the request.
Request Format
All requests use JSON with a required action field:
Available Actions
- sign - Sign a hash with policy evaluation
- pkcs11_sign - Sign using PKCS#11-compatible algorithm selection
- approve_sign - Approve a pending signature request
- create_tenant - Create a new tenant with KMS key
- rotate_key - Rotate tenant's signing key
- get_import_params - Get parameters for external key import
- import_key - Import externally-generated key material
- get_public_key - Retrieve tenant's public key
- create_exception - Create a policy exception
- list_exceptions - List policy exceptions
- revoke_exception - Revoke a policy exception
Policy Evaluation
The /sign and /pkcs11_sign endpoints include policy evaluation. Responses can be:
- 200 OK - Signature created and policy allowed
- 202 Accepted - Policy decision pending (approval or security review)
- 403 Forbidden - Policy denied with violation details
- 400 Bad Request - Invalid request
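A client-side sketch of the SigV4 signing and status handling described above, added here as an example and not taken from the project's own code. The host, credentials, the `hash` body field, and the `execute-api` service name are assumptions (a Lambda function URL would use `lambda` as the service instead).

```python
import datetime
import hashlib
import hmac
import json

# Status codes from the Policy Evaluation list; only 200 carries a signature.
OUTCOMES = {200: "signed", 202: "pending", 403: "denied", 400: "invalid"}

def policy_outcome(status):
    """Map an HTTP status to a policy outcome; anything else is unexpected."""
    return OUTCOMES.get(status, "unexpected")

def build_body(digest_hex):
    # "action" is required by the API; "hash" is a hypothetical field name.
    return json.dumps({"action": "sign", "hash": digest_hex}).encode()

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_headers(access_key, secret_key, region, service, host, path, body, now):
    """Return headers for a SigV4-signed POST of `body` (bytes) to `path`."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    payload_hash = hashlib.sha256(body).hexdigest()
    headers = {"content-type": "application/json", "host": host,
               "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    signed = ";".join(sorted(headers))
    canonical = "\n".join([
        "POST", path, "",  # method, canonical URI, empty query string
        "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
        signed, payload_hash])
    scope = f"{date}/{region}/{service}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()
    for part in (date, region, service, "aws4_request"):
        key = _hmac(key, part)  # derive the per-day, per-service signing key
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed}, Signature={signature}")
    return headers

if __name__ == "__main__":
    # Constructed sample values: placeholder host, credentials and digest.
    now = datetime.datetime.now(datetime.timezone.utc)
    body = build_body(hashlib.sha256(b"artifact").hexdigest())
    hdrs = sigv4_headers("AKIDEXAMPLE", "EXAMPLE-SECRET", "us-east-1",
                         "execute-api", "signer.example.com", "/v1/sign", body, now)
    print(hdrs["authorization"])
```

Because the payload hash is a signed header, the bytes sent must be exactly the bytes passed to `sigv4_headers`. Callers should treat only `signed` as a result that contains a signature; `pending` is a 2xx response without one.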
OpenAPI Specification
The full OpenAPI 3.0.0 specification is available at /api/openapi.yml.
You can view it in:
- Swagger UI (interactive testing)
- ReDoc (browsable reference)