Home > API Reference > Document Processing > Sign Document

Sign Document

Business applications can use this service API to sign a document (both electronic and digital) without displaying the document to the end user using SigningHub.  For example, a business application may have another method to display the document to the user, and only the signing functionality of SigningHub is required, or for bulk operations it may be justified to sign without requiring the user to view and approve every document individually.  If there are changes to be saved in the document before signing, Fill Form Fields API should be called before calling the Sign Document API.  Note any mandatory input fields on a document require completing before this API will successfully complete.

The signatory is identified by the access token presented in the call.  Therefore, authentication of the signatory is required prior to making this call.  You cannot authenticate as an Enterprise Admin with the scope variable, and sign a document on behalf of a user.  The access token must be issued to the signatory as a result of direct authentication.

When this call completes it is important that if the signatory was the last signer for a document that the Finish Document API call is invoked.  The reason is because without calling that API the document will remain in a status of "In Progress" to the document owner.  Once the API has been called, the status will change to "Completed" for the document owner.

Once document is signed, the verification response can be seen from Get Document Verification API.

First or Second Factor OTP Usage for Authentication

If OTP authentication is turned on for the server side signing operation, client applications will need to generate a OTP for the mobile number using Signer Authentication via OTP API call.  Respective business applications must retrieve the OTP from the use and submit it when making the API call.  This is done using the "x-otp" header in the request. 

https://api.signinghub.com/v3/packages/{package_id}/documents/{document_id}/sign

HTTP Verb

POST

Content-Type

application/json

Accept

application/json

Authorization

Bearer {access_token}
x-otp (optional) '456789'

Request Body

{
   "field_name": "signinghub_signature_field_name",
   "hand_signature_image": "base64",
   "signing_reason": "Witness Signature Reason",
   "signing_location": "Lahore",
   "contact_information": "00923331234567",
   "user_name": "John Doe",
   "user_password": "Password123!",
   "appearance_design": "HAND_SIGNATURE",
   "signing_capacity": "Certification Profile 1",
   "witness_signing_capacity": "Signing Profile 1",
    "skip_verification": "false" 
}

Status Code

Message

Response Body

200

OK

{
   "field_name": "signinghub_signature_field_name",
    "status": "SIGNED"   
    "verification": {
      "field_name": "signinghub_signature_field_name",
      "signer_name": "John",
      "signer_photo": "base64",
      "signature_status": "valid",
      "signing_reason": "Witness Signature Reason",
      "signing_location": "Pakistan",
      "contact_information": "7544323243",
      "signing_time": "2015-09-08T07:29:33",
      "ltv": true,
      "qualified": false,
      "certified": false,
      "certify_permission": "NO_CHANGES_ALLOWED",
      "timestamp_at": "2015-09-08T07:29:35",
      "timestamp_authority": "Ascertia",
      "subject_dn": "CN=John",
      "issuer_dn": "O=Ascertia,CN=Ascertia Docs CA 1",
      "cert_valid_from": "2015-09-08T07:29:33",
      "cert_valid_to": "2015-09-08T07:29:33",
      "signature_type": "PADES_PART2",
      "signature_algorithm": "SHA256",
        "signed_hash": "8RmV1Ulb9w+0T+gq8z3HUP8dYzDuLzBLe5CDFDrVnoA=",
      "signature_application": "Ascertia",
      "signature_policy_id": 0,
      "signature_policy_uri": null
        "error_message": null
   }
}

401

Unauthorized
{
  "Message": "Request authorization denied"
}
{
  "Message": "User authentication required"
}

403

Forbidden
{
  "Message": "Document does not belong to user"
}
{
  "Message": "Invalid Signature appearance name"
}
{
 "Message": "You cannot access this document after the access period ends"
}
{
  "Message": "Account is disabled"
}
{
 "Message": "You are not allowed to perform the requested operation"
}
{
  "Message": "Your signatures limit has been reached"
}
{
  "Message": "Could not upload file  -  it is infected by malware"
}

404

Not Found
{
  "Message": "Document not found"
}

500

Internal Server Error
{
  "Message": "An internal server error occurred while processing the request"
}

The detail of each item provided in the request and response is provided below:

Item Details
 Names
  Description
 Request Parameters
 access_token The access token obtained as a result of successful authentication. As stated above, the "scope" variable cannot be used in this instance.  Only the authenticated user can sign documents using this API call.
 x-otp (optional) OTP used as a second factor authentication for the signing operation.
 package_id The identifier of the package that contains the document for signature.
 document_id Identifier of the document to be signed.
 field_name
 Unique identifier of the signature field in the document.
 hand_signature_image
 Base64 encoded string image of the visible signature appearance, which is placed onto the document.  Note this can be retrieved from the user's personal settings using this call.  (The response is binary, so the business application must then Base64 encode it before submitting in this API call.)
 signing_reason (optional)
 Reason of signing provided by the recipient.
 signing_location (optional)
 Locale of the signer provided by the recipient.
 contact_information (optional)
 Contact information of the signer provided by the recipient.
 user_name (optional)
Name of the signer provided by the recipient.  Note this applies to in-person signing operations only.
 user_password (optional)
 Password provided by the user subject to user's signature settings.
 appearance_design (optional)

 Name of the signature appearance provided by user for signing. In case no appearance name is provided then default selected appearance would be used. Possible values are  "COMPANY_LOGO","DETAILED_SIGNATURE","HAND_SIGNATURE"
 signing_capacity (optional) Name of certification profile/signing capacity using which the document is to be signed. If not provided the default capacity will be used to sign. Provided name must be exactly same as of the actual profile due to case sensitivity.
Additionally Capacity Name that is added by an enterprise Admin can also be used within same parameter.
witness_signing_capacity (optional)   Name of signing profile/signing capacity using which the document is to be witness signed. If not provided the default capacity will be used. Provided name must be exactly same as of actual profile due to case sensitivity.
 skip_verification (optional) No signature verification returns in response body when it is set as true. Default value for this parameter set to false.
 Response Parameters
 field_name Name of the field for which the verification was requested.
 status Returns the status of signature field. Values are SIGNED, PENDING. Status helps in eIDAS enabled remote authorized signing. If sign request is sent to mobile the status is pending.  
 signer_name Name of the signer.
 signer_photo Base64 image of the signer's avatar.
 signature_status If the overall status of the signature is valid or not. Possible values are "VALID" or "INVALID".
 signing_reason Reason provided by the user while signing the field. In case of witness signing, custom signing reason would be set
 signing_location Location entered by the user while signing the field.
 contact_information Contact information entered by the user while signing the field. 
 signing_time Date and time of signing in 8601 format. Default timezone from SH Admin is followed the the time. 
 
 ltv True, if signature is LTV. 
 qualified True, if signatures are qualified. 
 certified True, if signatures are certified. 
 certify_permission Permission level for certified digital signature.
 timestamp_at Date and time when signature was time-stamped.
 timestamp_authority Authority by which the signature was time-stamped.
 subject_dn Subject DN from the certificate used while signing the field.
 issuer_dn Issuers DN from the certificate used while signing the field. 
 cert_valid_from Date and time from which the certificate is valid. 
 cert_valid_to Date and time to which the certificate is valid.
 signature_type Type of signatures, possible values are "PADES_PART2" or "PADES_PART4".
 signature_algorithm Signature algorithm used while signing the field.
 signed_hash

 Hash of the document that was signed in respective signature. 
 signature_application Application name from where the field was signed.
 signature_policy_id Signature policy ID.
 signature_policy_uri Signature policy URI.
 error_message  An error  message returns in case the application unable to get verification results.
 Message The service specific error message returned by the API. This message provides useful information about why the service has returned an error response.




See also
Signer Authentication via OTP (Users, In-persons, E-Signers)
Fill Initials
Fill Form Fields
Decline Document
Approve Document
Submit Document
Recall Document
Finish Processing
Get Registered Devices
Authorisation Signing Request Status