The Finch API authenticates using JavaScript Web Token (JWT) Bearer authentication. The JWT is referred to as your API key.

How to obtain an API key?

Your application needs to be registered with Finch. We provide you with a client ID for your records.

To register your application, please email our team.

An organisation which uses Finch may then grant your application (client ID) access to their Finch data via the Finch API. When they do so, they will also specify a set of permissions defining what actions your application can perform. Which permissions you require should be agreed between you and the organisation.

This grant of access is provided to you as an API key. The API key is a secret credential and should not be revealed to your users, or shared.


You will receive a different API key for each organisation you need access to. You may also choose to use different API keys to control permission exposure.

API action permissions

Regardless of the action permissions your API key has, the specific data and workflows your application has access to is controlled by the organisation's access control lists (ACLs). Access control lists are currently managed by the Finch enterprise support team. To change the level of data access allowed to your application, please email our team.

ComposeAllows the application to compose and dispatch workflow envelopes to recipients.
FileAllows the application to read, file (and execute), cancel, update email addresses and send reminders for files stored in the Finch vault.