Signup

Where users can sign up for access to an API, providing what is needed to onboard in a manual or automated way, reducing friction in putting to work. Sign up or registration can utilize existing standards like OpenAPI or native solutions which help make it as easy as possible for consumers to manually or automatically sign up to use an API.

Also known as: Registration, Onboarding, Account Creation, Provisioning

Example

- type: SignUp
  url: https://developers.example.com/signup

Standards

IETF RFC 7591 — OAuth 2.0 Dynamic Client Registration Protocol
IETF RFC 7592 — OAuth 2.0 Dynamic Client Registration Management Protocol
IETF RFC 7642 — SCIM Definitions, Overview, Concepts, and Requirements
IETF RFC 7643 — SCIM Core Schema
IETF RFC 7644 — SCIM Protocol
OpenID Foundation OpenID Connect Dynamic Client Registration 1.0
IETF RFC 6749 — OAuth 2.0 Authorization Framework
NIST NIST SP 800-63A — Enrollment and Identity Proofing
schema.org schema.org RegisterAction

HTTP Headers

Header	Direction	Spec	Description
`Authorization`	request	RFC 9110 §11.6.2	Initial registration access token (RFC 7591 §3) for management endpoints.
`Location`	response	RFC 9110 §10.2.2	URI of the newly created client / user resource.

Status Codes

201 Created — RFC 9110 §15.3.2 — New client, user, or tenant resource created.
400 Bad Request — RFC 9110 §15.5.1 — Invalid registration payload (RFC 7591 invalid_client_metadata).
409 Conflict — RFC 9110 §15.5.10 — Email / username / client_id already in use.
422 Unprocessable Content — RFC 9110 §15.5.21 — Semantically invalid signup data (e.g., disposable email).

Well-Known Paths

/.well-known/openid-configuration — OpenID Connect Discovery 1.0 — Exposes registration_endpoint for dynamic client registration.
/.well-known/oauth-authorization-server — RFC 8414 — Exposes registration_endpoint for OAuth 2.0 DCR.

Media Types

application/json — Default for RFC 7591 / SCIM 2.0 request and response bodies.
application/scim+json — RFC 7644 §3.1 — Required for SCIM 2.0 protocol exchanges.

OpenAPI Expression

components.securitySchemes (OpenAPI 3.x) — Signup endpoints often require an API key / bootstrap token defined here.
paths./register or /signup (OpenAPI 3.x) — Conventional signup operations exposed as createUser / registerClient.

Link Relations

registration_endpoint — OIDC Discovery / RFC 8414 (metadata key)
register — Used informally in HATEOAS payloads pointing to signup forms.

Governance Rules

oas-security-defined (Spectral built-in) — Public signup operations still need a documented security model (e.g., none + CAPTCHA).
owasp:api3:2023-no-additionalProperties (Vacuum / Spectral OWASP ruleset) — Block mass assignment on registration payloads.
owasp:api4:2023-rate-limit (Vacuum / Spectral OWASP ruleset) — Signup endpoints must be rate-limited to deter abuse.

Risk & Compliance

OWASP:

OWASP API Security Top 10: API3:2023 Broken Object Property Level Authorization (mass assignment via signup payloads)
OWASP API Security Top 10: API4:2023 Unrestricted Resource Consumption (signup as abuse vector)

Compliance:

GDPR Art. 6 / Art. 7 — lawful basis and consent collected at signup
GDPR Art. 8 — special protections for children's data
CCPA/CPRA — notice at collection
NIST SP 800-63A — identity proofing levels (IAL1–IAL3)
SOC 2 CC6.2 — registration and provisioning controls

Security: Signup is the favored abuse target for fraud, spam, and free-tier exploitation. Combine email/phone verification, CAPTCHA or device attestation, IP/ASN reputation, rate limits, and risk scoring. Enforce strict allowlist of properties (defense against mass assignment), capture consent records (terms acceptance, timestamp, version), and emit auditable events for downstream provisioning (SCIM CreateUser, RFC 7591 client_created).

Tools

Stytch — Hosted signup / passwordless
Clerk — Hosted signup
WorkOS Directory Sync — SCIM provisioning
Okta SCIM — SCIM provisioning
hCaptcha — Abuse prevention
Have I Been Pwned API — Breached-password screening

Suggested Metrics

signup_conversion_rate — Completed signups divided by signup-page visits.
signup_to_first_api_call_minutes — Time-to-first-hello-world after account creation.
email_verification_rate — Share of new accounts that verify their email/phone.
fraudulent_signup_block_rate — Share of signup attempts blocked by anti-abuse.
scim_provision_success_rate — Successful SCIM provisioning events / total events.

Example Implementations

Stripe — Self-service signup with test-mode keys before activation.
GitHub — User signup plus OAuth App / GitHub App registration flows.
Twilio — Signup grants trial credit and a verified sender number.
Slack — Workspace creation, app registration, and SCIM provisioning.

Signup

Example

Standards

HTTP Headers

Status Codes

Well-Known Paths

Media Types

OpenAPI Expression

Link Relations

Governance Rules

Risk & Compliance

Tools

Suggested Metrics

Example Implementations

Related Properties

Tags

Signup

This Page

Open & Ask

Example

Standards

HTTP Headers

Status Codes

Well-Known Paths

Media Types

OpenAPI Expression

Link Relations

Governance Rules

Risk & Compliance

Tools

Suggested Metrics

Example Implementations

Related Properties

Tags