API Keys

Your API key and secret authenticate every request your system makes to Sigma. Sigma issues a key and secret pair and both must be included as custom headers on every API request:
apiKey: YOUR_API_KEY
apiSecret: YOUR_API_SECRET
Both values are available from the API & Webhooks page in your account.
To view or generate API keys:
  1. Log in to Sigma
  2. Click My Account
  3. Go to API & Webhooks → API
  4. Copy your existing key and secret, or click Generate New Keys to create a new pair
Generating new keys immediately invalidates the previous pair. Any systems using the old keys will stop working until updated. Only regenerate keys if the current keys have been compromised.
Best practices:
  • Store your API key and secret in environment variables, not in source code
  • Never expose them in client-side applications or public repositories
  • Restrict access to the IP ranges your servers use, if your infrastructure supports it
  • Rotate keys periodically as part of your security hygiene

Webhooks

Webhooks are how Sigma delivers asynchronous results back to your system. For example, transaction decisions from webhook-mode submissions and CDD workflow outcomes are sent to your configured webhook URL. When an event completes, Sigma sends an HTTP POST request containing the result payload to the webhook URL you have configured for that product.
To set up a webhook URL:
  1. Log in to Sigma
  2. Click My Account
  3. Go to API & Webhooks → Webhooks
  4. Enter your webhook URL for each product (Transaction Monitoring, AML, CDD)
  5. Save
Each product has its own webhook URL, so you can route results to different endpoints in your system.
Receiving webhook events:
Your endpoint must:
  • Accept POST requests
  • Return a 200 OK response promptly to acknowledge receipt
  • Process the payload asynchronously if handling takes time (return 200 first, then process)
If Sigma does not receive a 200 response, it will retry delivery with exponential backoff.
Webhook payload structure:
{
  "event": "transaction.decision",
  "timestamp": "2025-01-15T14:30:00.000Z",
  "data": {
    "transaction_id": "txn-001",
    "action": "REVIEW",
    "risk_level": "medium",
    "triggered_rules": ["Large Transaction Amount"]
  }
}
The event field identifies the type of result. The data object contains the full result payload for that event type.
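A receiver that follows the endpoint requirements above can be sketched as follows. This is an added example, not Sigma's own code: it checks the payload shape, acknowledges with 200 before any slow work, and ignores repeated deliveries caused by retries. The names accept_delivery, worker and WebhookHandler, the 64 KiB size cap, the dedup key and the listen address are assumptions made for illustration.

```python
import json
import queue
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BODY = 64 * 1024        # assumption: size cap for an accepted payload
work_queue = queue.Queue()  # accepted deliveries awaiting processing
_seen = set()               # dedup keys (unbounded here; expire in production)
_seen_lock = threading.Lock()

def accept_delivery(raw_body):
    """Validate and enqueue one delivery; return the HTTP status to send."""
    if len(raw_body) > MAX_BODY:
        return 413
    try:
        payload = json.loads(raw_body)
        event, data = payload["event"], payload["data"]
        if not isinstance(event, str) or not isinstance(data, dict):
            raise TypeError("unexpected field types")
    except (ValueError, KeyError, TypeError):
        return 400
    # Assumed dedup key, so a retried POST is acknowledged but not reprocessed.
    key = (event, str(payload.get("timestamp")), str(data.get("transaction_id")))
    with _seen_lock:
        if key not in _seen:
            _seen.add(key)
            work_queue.put(payload)
    return 200

def worker(process):
    """Run the slow handling in the background, after the 200 was sent."""
    while True:
        payload = work_queue.get()
        try:
            process(payload)
        except Exception as exc:  # keep the worker alive; log and continue
            print("processing failed:", exc)

class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = self.headers.get("Content-Length", "0")
        n = int(length) if length.isdecimal() else 0
        status = accept_delivery(self.rfile.read(min(n, MAX_BODY + 1)))
        self.send_response(status)
        self.end_headers()

if __name__ == "__main__":
    threading.Thread(target=worker, args=(print,), daemon=True).start()
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```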