API essentials for Dropbox Sign admins
This module equips Dropbox Sign admins with the foundational knowledge needed to securely manage, monitor, and optimize API integrations. You’ll learn how to access the API tab to generate and manage API keys, navigate the API Dashboard for performance insights, configure webhooks via account callback URLs for real-time event tracking, and build embedded signing workflows using API apps. The course also walks through the app approval process required for production use of embedded and OAuth flows, and highlights best practices for key security, authentication, and staying informed on platform updates. Whether you're setting up your first integration or scaling across teams, this module ensures you're API-ready with confidence. For deeper technical reference, visit the Dropbox Sign API documentation.
10 min read
Accessing the API tab
To begin utilizing the API, you'll first need to access the API tab in your Dropbox Sign account. After logging into your account, navigate to the left-hand sidebar and click on Settings, then select the API tab. From here, you can generate and manage your API keys, which uniquely identify your application and authenticate all API requests. Each account can have up to four active API keys, giving you flexibility across different use cases—like separating production and test environments or managing multiple integrations. Additionally, having multiple keys makes it easier to rotate them regularly, which we recommend as a good security practice.
You can learn more about accessing the API tab in the Dropbox Sign API overview.
API Dashboard
The Dropbox Sign API Dashboard is a powerful tool designed to give admins visibility into the health and performance of their API integrations. Whether you're in the early stages of development or managing a live environment, the dashboard offers real-time insights that help you track how the API is being used across your team.
Once inside your account’s API Settings, you can access the API Dashboard from the API section of your account. It provides a centralized view of all API activity, both from test and live environments, organized into clear, interactive visualizations. These charts allow you to filter data by time frame, endpoint, and HTTP status codes, making it easy to identify trends or troubleshoot issues like frequent 400 or 429 error responses.
The dashboard also highlights usage patterns, including the number of API requests made and quota consumption over time. This is particularly useful for tracking how close you are to plan limits, ensuring that your integration continues to run smoothly without hitting rate caps or delays during peak usage.
If your organization manages multiple API applications across different team member accounts, the dashboard includes a Team Admin Global View feature that allows you to track team member API usage. This lets admins switch between team member details to oversee API usage at scale, making it easier to ensure consistency and efficiency across departments or clients. Team Global Admin View also enforces the multi-team access controls determined by the team member’s organizational role. This enables admins to collaborate effectively with their teams while ensuring that sub-team admins only have access to their own sub-team’s account activity.
To learn more about the API Dashboard, read the API Dashboard Handbook.
API key management
Viewing your API key
To access your API key, log in to your Dropbox Sign account. Click on your avatar in the upper-right corner, select Settings, and then navigate to the API tab. If an API key has already been generated, click Reveal key to view it. If not, click Create key to generate a new one. Each account can have up to four active API keys, allowing for flexibility in managing different environments or applications.
Keeping your API key secure
Your API key is a sensitive credential that grants access to your Dropbox Sign account. To ensure its security:
- Do:
  - Store your API key securely, such as in environment variables or a secure credential manager.
  - Rotate your API keys periodically, at least once a year, or immediately if you suspect a compromise.
  - Limit the number of active API keys to the minimum necessary.
- Don't:
  - Share your API key publicly or include it in client-side code.
  - Embed your API key directly in your application's source code.
  - Use the same API key across multiple applications or environments without proper segregation.
If you believe your API key has been compromised, generate a new key and delete the old one immediately.
Authenticating API requests using your API key
Dropbox Sign uses HTTP Basic Authentication for API requests. To authenticate, include your API key as the username and leave the password blank. This can be done by setting the Authorization header in your HTTP request.
By following these guidelines, you can effectively manage and utilize your Dropbox Sign API key while maintaining the security and integrity of your integrations. Go to the Authentication Guide to learn more.
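An added example, not Dropbox Sign's own code: it builds the Basic `Authorization` header with the API key as the username and an empty password, reads the key from the environment rather than from source, and refuses non-HTTPS URLs. The environment variable name `DROPBOX_SIGN_API_KEY` and the endpoint URL are assumptions made for illustration.

```python
import base64
import os
import urllib.request
from urllib.parse import urlsplit

# Assumed names: the environment variable and endpoint URL are illustrative.
API_KEY_ENV = "DROPBOX_SIGN_API_KEY"
ACCOUNT_URL = "https://api.hellosign.com/v3/account"


def load_api_key(env=os.environ):
    """Read the key from the environment so it never lives in source code."""
    key = env.get(API_KEY_ENV, "").strip()
    if not key:
        raise RuntimeError(f"{API_KEY_ENV} is not set")
    return key


def basic_auth_header(api_key):
    """HTTP Basic is base64 of 'username:password'. With the key as username
    and an empty password, the encoded string ends in a bare colon."""
    token = base64.b64encode(f"{api_key}:".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_request(url, api_key):
    """Prepare an authenticated request. Basic credentials are only encoded,
    not encrypted, so anything other than HTTPS is refused."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send the API key over a non-HTTPS URL")
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", basic_auth_header(api_key))
    return req


def redact(api_key):
    """Form that is safe to log: only the last four characters are kept."""
    return "*" * max(len(api_key) - 4, 0) + api_key[-4:]


if __name__ == "__main__":
    key = load_api_key()
    req = build_request(ACCOUNT_URL, key)
    print(req.get_method(), req.full_url, "key", redact(key))
    # urllib.request.urlopen(req) would send the request.
```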
Account event callbacks
To start receiving event notifications from Dropbox Sign, you’ll need to configure your callback URL within the API Settings page of your account, specify which event types you want to listen for, and ensure you verify payloads and handle them securely. For detailed instructions on how to set this up, visit our Account Callback API guide.
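One way to carry out the "verify payloads" step, as an added example that is not code from this page or from Dropbox Sign. It assumes the `event_time`, `event_type` and `event_hash` fields and the HMAC-SHA256 construction described in the Dropbox Sign callback documentation; the function names, the freshness window and the sample payload are constructed for illustration.

```python
import hashlib
import hmac
import json
import time

# Assumptions: field names and hash construction as in the Dropbox Sign
# callback documentation (event_hash = HMAC-SHA256, keyed with the API key,
# over event_time + event_type). Confirm against the Account Callback guide.
MAX_AGE_SECONDS = 3600  # local policy choice; should cover sender retries


def expected_hash(api_key, event_time, event_type):
    msg = f"{event_time}{event_type}".encode("utf-8")
    return hmac.new(api_key.encode("utf-8"), msg, hashlib.sha256).hexdigest()


def verify_callback(raw_json, api_key, subscribed, now=None):
    """Return the event dict if authentic, fresh and of a subscribed type;
    raise ValueError otherwise. Only event_time and event_type are covered by
    the hash, so treat every other field as untrusted input."""
    try:
        event = json.loads(raw_json)["event"]
        event_time = str(event["event_time"])
        event_type = str(event["event_type"])
        claimed = str(event["event_hash"])
    except (ValueError, KeyError, TypeError):
        raise ValueError("malformed callback") from None
    good = expected_hash(api_key, event_time, event_type)
    # Constant-time comparison: do not leak how many hex digits matched.
    if not hmac.compare_digest(good.encode(), claimed.encode()):
        raise ValueError("bad event_hash")
    now = time.time() if now is None else now
    if not event_time.isdecimal() or abs(now - int(event_time)) > MAX_AGE_SECONDS:
        raise ValueError("stale or invalid event_time")
    if event_type not in subscribed:
        raise ValueError("unsubscribed event type")
    return event


def sample_callback(api_key, event_time, event_type):
    """Constructed sample payload for offline testing, not captured traffic."""
    return json.dumps({"event": {
        "event_time": str(event_time), "event_type": event_type,
        "event_hash": expected_hash(api_key, str(event_time), event_type)}})


if __name__ == "__main__":
    key = "constructed-key-not-real"
    body = sample_callback(key, int(time.time()), "signature_request_signed")
    print(verify_callback(body, key, {"signature_request_signed"})["event_type"])
```

Because the hash authenticates only the timestamp and event type, a handler that needs the document state should fetch it through an authenticated API call rather than rely on the rest of the callback body.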
Managing API apps
What is an API app and why do you need one?
If you're planning to embed Dropbox Sign into your own product or build a custom signing experience, you’ll need to create an API App. This app acts as your integration’s identity and enables you to securely access Dropbox Sign features through our API.
Creating an API app is required for:
- Embedded signing flows (documents signed within your app) 
- White-labeled implementations (customizing the interface to reflect your brand) 
- Advanced authentication like OAuth 2.0 
Think of it as your gateway to building a deeply integrated, branded signing experience. It not only defines how your integration behaves, but also allows you to configure key settings, like an app-level event callback URL. This is especially useful if you’ve assigned specific apps to certain teams or users, as it helps you track and manage events separately across different apps.
Step-by-step: How to create your API app
To get started, make sure you have a Dropbox Sign account with API access (this may require an upgraded plan).
- Access your API settings
- Start a new API app
- Click Create Application and retrieve your Client ID
API app approval process
You must seek approval if your application uses:
- Embedded features: Such as Embedded Signing, Embedded Requesting, or Embedded Templates. 
- OAuth workflows: Where your app acts on behalf of users via Dropbox Sign OAuth. 
For non-embedded workflows, app approval isn't required; you can remove `test_mode` and proceed with production signature requests according to your subscription plan. 
How to get approved
There are two pathways to app approval:
- Self-Publish: Ideal for straightforward integrations. 
- Support-Assisted Approval: Recommended for complex workflows or when guidance is needed.
Regardless of the path, you'll need to:
- Provide a demo showcasing the complete user workflow. 
- Ensure your API implementation is correct and functional. 
- Submit necessary details like your app's Client ID and callback URLs. 
Note: While you can initiate the approval process before subscribing to a paid plan, production API calls require an active paid plan.
Post-approval steps
Once approved:
- Remove `test_mode` from your API requests.
- Eliminate `skipDomainVerification` from client-side embeds.
- Begin using Dropbox Sign's eSignature features in your production environment.
For detailed guidance on the approval process, including submission forms and best practices, refer to the App Approval Overview.
Final notes and best practices for Dropbox Sign API admins
As an admin overseeing your organization’s Dropbox Sign API integration, keeping your implementation secure, stable, and up-to-date is critical. Below are some final tips to ensure your API usage stays best-in-class:
- Rotate API keys regularly 
 Treat your API keys like passwords—rotate them periodically to minimize the risk of long-term exposure. If a key becomes compromised, rotating it quickly helps mitigate security risks without interrupting your service.
- Monitor via the API Dashboard weekly 
 Use the Dropbox Sign API Dashboard to keep tabs on activity, usage trends, and error logs. Regular weekly checks allow you to catch anomalies early and maintain performance.
- Secure API credentials 
 Always store your API keys in a secure, encrypted environment. Avoid hardcoding credentials or exposing them in public repositories.
- Stay informed with the developer changelog 
 Dropbox Sign evolves: new features roll out, endpoints get deprecated, and behaviors can change. Subscribe to the developer changelog and follow support channels to stay in the loop on any updates that may affect your integration.
For full API documentation, code samples, and advanced implementation guides, visit the Dropbox Sign Developer Hub.