Reference

Rate limits, error codes, webhook events, and the changelog for Signward.

Operational reference for integrating with Signward in production. For integration tutorials, see the Guides; for the full endpoint list, see the API reference.

Rate limits

All requests are counted per IP and per tenant. Limits reset on a rolling window. The response carries standard rate-limit headers.

Endpoint class | Default limit | Plan override
/connect/token | 10 req / min / IP | Pro+: 60 req / min
/connect/authorize, /connect/userinfo | 60 req / min / IP | Pro+: 300 req / min
/.well-known/* | Unlimited (static discovery) | n/a
/api/webhooks (admin) | 60 req / min / user | Pro+: 300 req / min

429 response

HTTP/1.1 429 Too Many Requests
Retry-After: 42
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1776854041
Content-Type: application/json

{
  "type": "https://tools.ietf.org/html/rfc6585#section-4",
  "title": "Too Many Requests",
  "status": 429,
  "retryAfterSeconds": 42
}

Error codes

Problem Details (RFC 7807) is the canonical shape. Common title / status pairs:

Status | Title | When
400 Bad Request | Validation failed | Missing or malformed fields. Details in errors map.
401 Unauthorized | Unauthorized | Missing or invalid bearer token.
403 Forbidden | Forbidden | Token valid but role / policy denies the action.
404 Not Found | Tenant not found | Host / X-Tenant-Id didn't resolve to an active tenant.
409 Conflict | Email already in use | Unique constraint on email, subdomain, etc.
423 Locked | Tenant locked | Billing failure or subscription expired. Owner must update payment.
429 Too Many Requests | Rate limit exceeded | See Rate limits.

Webhook events

Delivered as POST {your-url} with headers:

  • Signward-Signature: t=<unix>,v1=<hex-hmac-sha256> (see the Webhooks guide for verification)
  • Signward-Event — event name
  • Signward-Delivery-Id — UUID for idempotency
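
A receiver-side check that uses all three headers, as an added example (not Signward's own code or SDK): it parses the t=/v1= signature header, rejects stale timestamps, compares the HMAC in constant time, and drops repeated delivery IDs. Assumptions: the signed string is "<t>.<raw body>" and the replay window is 300 seconds; neither is stated on this page, so confirm both against the Webhooks guide. The function names and the in-memory seen_ids set are hypothetical.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # ASSUMPTION: replay window, not stated on this page


def parse_signature(header):
    """Split 't=<unix>,v1=<hex>' into (timestamp, [v1 signatures])."""
    ts, sigs = None, []
    for part in header.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError("malformed signature element")
        if key == "t":
            ts = int(value)  # ValueError on a non-numeric timestamp
        elif key == "v1":
            sigs.append(value.lower())
    if ts is None or not sigs:
        raise ValueError("missing t or v1")
    return ts, sigs


def verify_webhook(secret, headers, body, seen_ids, now=None):
    """Return True only for an authentic, fresh, first-time delivery.

    body must be the raw request bytes, before any JSON parsing.
    """
    try:
        ts, sigs = parse_signature(headers["Signward-Signature"])
        delivery_id = headers["Signward-Delivery-Id"]
    except (KeyError, ValueError):
        return False
    now = time.time() if now is None else now
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False  # stale or future-dated timestamp: treat as a replay
    # ASSUMPTION: signed string is "<t>.<raw body>"; see the Webhooks guide.
    signed = str(ts).encode() + b"." + body
    expected = hmac.new(secret, signed, hashlib.sha256).hexdigest().encode()
    if not any(hmac.compare_digest(expected, s.encode()) for s in sigs):
        return False
    if delivery_id in seen_ids:
        return False  # duplicate delivery: already processed once
    seen_ids.add(delivery_id)  # record only after the signature checks out
    return True
```

In production the seen_ids set would be a shared store with an expiry at least as long as the replay window, so that duplicates are caught across workers.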

User lifecycle

  • user.created
  • user.updated
  • user.deleted
  • user.login
  • user.login_failed
  • user.password_reset_requested
  • user.mfa_enabled
  • user.mfa_disabled

Billing

  • subscription.created
  • subscription.updated
  • subscription.canceled
  • invoice.paid
  • invoice.payment_failed

Admin / operator

  • tenant.locked
  • tenant.unlocked
  • tenant.deletion_requested
  • tenant.deletion_completed

API changelog

Signward's public API surface has been stable since the v0.1x series. This changelog lists integration-affecting changes only — new endpoints, breaking changes, and security fixes that need action on your side.

Current version: v1.0.0 (2026-06-02). The 1.0 release introduces no breaking changes to the public integration surface.

Security updates to be aware of

  • v0.17.5 — Access tokens are no longer accepted as a query-string parameter on OIDC callback endpoints (?access_token=...). If your integration pinned a GET URL carrying a token, switch to the POST form-bridge pattern shown in the .NET SDK.

Breaking changes will be announced here at least one release in advance.