This page documents the HTTP headers used to transmit Sumvin identity credentials from a user’s request to your service, and the headers you use when calling SIS yourself.
Two credentials, two headers. Inbound user requests carry the JWT in x-sumvin-pint-token. Outbound calls to SIS (revocation checks, JWKS fetches, token exchange) use your SIS API key in Authorization: Bearer. Do not conflate them.

Identity Headers (Inbound)

These headers arrive on requests from a user’s client (or an upstream SIS API caller) to your service.

X-Sumvin-Pint-Token

x-sumvin-pint-token: <jwt>
Present on all requests carrying Sumvin credentials (both Standard and Enhanced tier). Contains the SIS-signed PINT JWT as a raw compact-serialized JWT — no Bearer prefix.
| Property | Value |
| --- | --- |
| Required | Yes |
| Format | Compact-serialized JWT (no prefix) |
| Verification | Validate against JWKS |

X-Pint-Signature

X-Pint-Signature: 0x...
Present only on Enhanced tier requests. Contains the hex-encoded EIP-712 signature from the original Purchase Intent.
| Property | Value |
| --- | --- |
| Required | Enhanced tier only |
| Format | Hex-encoded signature with 0x prefix |
| Verification | Recover the signer address via EIP-712 typed data recovery |

X-Pint-Payload

X-Pint-Payload: eyJ3YWxsZXQiOiIweEUyM2M5QTcwQkM3NDlFQmRkZDhj...
Present only on Enhanced tier requests. Contains the base64-encoded JSON of the signed PINT payload.
| Property | Value |
| --- | --- |
| Required | Enhanced tier only |
| Format | Base64-encoded JSON object |
| Content | The PurchaseIntent payload as signed |

Decoded example:
{
  "wallet": "0xE23c9A70BC749EBddd8c78a864fd911D04E9e992",
  "nonce": 42,
  "statement": "Purchase authorization for partner X",
  "scopes": ["sr:us:pint:identity:proof_of_personhood", "sr:us:pint:spend:execute"],
  "resources": ["sr:us:pint:abc123"],
  "maxAmount": 10000,
  "maxAmountToken": "0x0000000000000000000000000000000000000000",
  "expiresAt": 1740000000
}

SIS API Key (Outbound)

When you call authenticated SIS endpoints (for example, to check PINT revocation status or exchange a signed PINT for a JWT), authenticate with your SIS API key using the Authorization header. The JWKS endpoint is the one exception — it is public and must be called without this header.
Authorization: Bearer <SIS_API_KEY>
| Property | Value |
| --- | --- |
| Required | Yes, for authenticated outbound calls to SIS (all except the JWKS endpoint, which is public) |
| Format | Bearer followed by the Unkey-backed API key issued to you during partner onboarding |
| Used on | Revocation checks, token exchange. The JWKS endpoint is publicly accessible and must be called without an Authorization header. |

Never forward a user’s PINT JWT in the Authorization header. The PINT JWT belongs in x-sumvin-pint-token. The Authorization: Bearer header is reserved for your SIS API key on outbound calls.

Header Presence by Tier

| Header | Standard (Tier 1) | Enhanced (Tier 2) |
| --- | --- | --- |
| x-sumvin-pint-token | Present | Present |
| X-Pint-Signature | Absent | Present |
| X-Pint-Payload | Absent | Present |

Detecting the Tier

You can determine the verification tier from either the JWT claims or the presence of headers.
From JWT claims (preferred):
const tier = jwtPayload.verification_tier; // "standard" or "enhanced"
From header presence:
const isEnhanced =
  request.headers.has("x-pint-signature") &&
  request.headers.has("x-pint-payload");
If the JWT claims "enhanced" but the PINT headers are missing, reject the request — the credentials are incomplete.
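
The tier check and the header formats described on this page, combined into one inbound gate. This is an added example, not Sumvin's own code: the function name `classifyPintRequest` is hypothetical, `claims` is assumed to be the JWT payload after you have already validated the token against JWKS, and the payload is assumed to use the standard base64 alphabet. EIP-712 signer recovery is not shown.

```javascript
// Added example: classify an inbound request by tier and reject incomplete
// or malformed credentials. `claims` must be the already JWKS-verified payload.
const HEX_SIG = /^0x[0-9a-fA-F]+$/;
const BASE64 = /^[A-Za-z0-9+/]+={0,2}$/; // assumption: standard alphabet

function classifyPintRequest(headers, claims) {
  const token = headers.get("x-sumvin-pint-token");
  if (!token) return { ok: false, reason: "missing x-sumvin-pint-token" };
  // The header carries a raw compact JWT: three dot-separated parts, no "Bearer ".
  if (/^bearer\s/i.test(token) || token.split(".").length !== 3) {
    return { ok: false, reason: "token is not a raw compact JWT" };
  }
  const tier = claims.verification_tier;
  // Assumption of this example: PINT headers on a standard-tier JWT are ignored.
  if (tier === "standard") return { ok: true, tier };
  if (tier !== "enhanced") return { ok: false, reason: "unknown verification_tier" };

  const signature = headers.get("x-pint-signature");
  const encoded = headers.get("x-pint-payload");
  if (!signature || !encoded) {
    return { ok: false, reason: "enhanced tier claimed but PINT headers missing" };
  }
  if (!HEX_SIG.test(signature)) return { ok: false, reason: "malformed X-Pint-Signature" };
  if (!BASE64.test(encoded)) return { ok: false, reason: "malformed X-Pint-Payload" };
  let intent;
  try {
    intent = JSON.parse(Buffer.from(encoded, "base64").toString("utf8"));
  } catch {
    return { ok: false, reason: "X-Pint-Payload is not JSON" };
  }
  if (intent === null || typeof intent !== "object" || Array.isArray(intent)) {
    return { ok: false, reason: "X-Pint-Payload is not a JSON object" };
  }
  // Next step (not shown): EIP-712 recovery of the signer from signature + intent.
  return { ok: true, tier, signature, intent };
}

// Constructed sample input (token and signature values are made up).
const sampleIntent = { wallet: "0xE23c9A70BC749EBddd8c78a864fd911D04E9e992", nonce: 42 };
const sampleHeaders = new Headers({
  "x-sumvin-pint-token": "aaa.bbb.ccc",
  "X-Pint-Signature": "0xabcdef",
  "X-Pint-Payload": Buffer.from(JSON.stringify(sampleIntent)).toString("base64"),
});
console.log(classifyPintRequest(sampleHeaders, { verification_tier: "enhanced" }));
```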