This error belongs to the HMAC request-signing scheme, which applies only to the v2 write surface (deferred and currently disabled). v1 reads are not signed: they authenticate with the API key as a Bearer token over TLS (see Authentication), so they never return this error, and a failed read returns invalid_api_key instead. invalid_signature is returned when the HMAC headers are missing, the signature doesn’t match, the timestamp is outside the ±300s window, or the nonce has already been used.
{ "error": { "code": "invalid_signature", "message": "signature mismatch" } }
Fix (v2 write surface)
  • Sign the exact raw body bytes you send (don’t re-serialize after signing).
  • Send all three headers: X-CrewPass-Timestamp, X-CrewPass-Nonce, X-CrewPass-Signature: v1=….
  • Use a Unix timestamp in seconds, within ±300s of server time.
  • Use a fresh nonce per request — a replayed nonce (or a re-sent identical signed request) is rejected. See Authentication.
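The four rejection conditions above, reproduced in an added sketch (not CrewPass code). The string-to-sign layout, HMAC-SHA256, hex encoding, the secret, and the sample body are assumptions made for illustration; the real layout is defined in Authentication.

```python
import hashlib, hmac, json

WINDOW_S = 300  # the ±300s window stated on this page

def sign(secret, ts, nonce, raw_body):
    # ASSUMPTION: HMAC-SHA256 over b"<ts>.<nonce>." + raw body, hex-encoded.
    # The page does not give the layout; only the header names and "v1=" are from it.
    msg = f"{ts}.{nonce}.".encode() + raw_body
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-CrewPass-Timestamp": str(ts), "X-CrewPass-Nonce": nonce,
            "X-CrewPass-Signature": f"v1={mac}"}

def check(secret, headers, raw_body, seen_nonces, now):
    """Return None if accepted, else the reason the request would be rejected."""
    try:
        ts = int(headers["X-CrewPass-Timestamp"])
        nonce = headers["X-CrewPass-Nonce"]
        sig = headers["X-CrewPass-Signature"]
    except (KeyError, ValueError):
        return "missing or malformed HMAC headers"
    if abs(now - ts) > WINDOW_S:
        return "timestamp outside window"
    expected = sign(secret, ts, nonce, raw_body)["X-CrewPass-Signature"]
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return "signature mismatch"
    # Record the nonce only after the MAC verifies, so unsigned traffic cannot burn nonces.
    if nonce in seen_nonces:
        return "nonce already used"
    seen_nonces.add(nonce)
    return None

def demo():
    secret, now, seen = b"constructed-secret", 1_700_000_000, set()
    body = b'{"crew_id": 7, "action": "grant"}'  # constructed sample body
    h = sign(secret, now, "n-001", body)
    out = {"ok": check(secret, h, body, seen, now)}
    out["replay"] = check(secret, h, body, seen, now)  # identical signed request re-sent
    # Re-serializing after signing changes the bytes (whitespace), so the MAC no longer matches.
    compact = json.dumps(json.loads(body), separators=(",", ":")).encode()
    out["reserialized"] = check(secret, sign(secret, now, "n-002", body), compact, seen, now)
    # Milliseconds instead of seconds lands far outside the window.
    out["millis"] = check(secret, sign(secret, now * 1000, "n-003", body), body, seen, now)
    partial = {k: v for k, v in h.items() if k != "X-CrewPass-Nonce"}
    out["no_nonce"] = check(secret, partial, body, seen, now)
    return out
```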
Verifying an outbound webhook delivery uses a separate signature scheme (no nonce). If a delivery fails to verify on your side, that’s a problem with your verification code, not this API error — see Webhooks.