Partner API Understand Secured Signing account systemGet partner account for yourselfCreate company account for your client (Type A)Create company account for your client (Type B)Add user to company account (Type A)Add user to company account (Type B)Understand Secured Signing API AuthenticationGet Access Token for partner accountGet Access Token for company accountGet Access Token for user accountPerform action on behalf of user accountAPI object detailsStep 1: Understand Secured Signing account systemIn Secured Signing account system, we have following kinds of accounts:Partner account: this account is right for you. Through it, you can manage your API settings and accounts for your client companies and their users.company account: this account is for your client company. You can group and manage this client’s users.There’re 2 types for client company account:Type A: this type is suitable for large company / enterprise, who may have branches, sectors or subsidiary. It will use Enterprise Edition planType B: this type is described for small company, who may want simple structure and easy payment method. It will use Pay as you Go or Team Edition planbranch account: this account is for branches, sectors or subsidiary of type A client company account. It’s called membership under an Enterprise Edition plan.user account: this user account is for your clients’ staff user. It represents the end users who own and send the document to sign.You can manage all these accounts via Secured Signing Partner API. By classifying and grouping these different kinds of accounts / users, you can have a clear view of by who what can be done, instead of a mess.Step 2: Get partner account for yourselfBy contacting Secured Signing and tell us what you’re looking for, we will setup your partner account properly. If you want to use our partner API, you will get:API KeyAPI SecretCallback Url: usually can be your company domainAnd the support to master the API.Before using Secured Signing Partner API, you may have a look at Additional 1 Understand Secured Signing API Authentication at bottom.Step 3A: Create company account for your client (Type A)Create a company account (Type A)Before performing this action, please refer to Addition 2 Get Access Token for partner account firstly.This API will create a new company account with a default branch account.The creating company account API request:API Endpoint:POST https://api.securedsigning.com/web/v1.4/Account/Membership Headers:please refer to Additional 1 Understand Secured Signing API Authentication.Body in JSON format (required properties only):{ "TermsOfUse": true, "Company": { "CompanyName": "", "StreetAddress": "", "City": "", "Country": "", //full country name, such as New Zealand, United States, not nz or us. "CountryCode": "", //international phone code, such as 64 for New Zealand, 1 for United States. "PhoneNumber": "", "ContactFirstName": "", "ContactLastName": "", "ContactEmail": "", "GMTOffset": 0 //The timezone difference in minutes, such as 780 for New Zealand Lightsaving Time, -480 for Pacific Time. } } Response in JSON format:{ "MembershipCode":"GMP9647", "Reference":"07904722718019222...164233115199186023189", "UpdateKey":"07418701004404012...514916199105219246133", "Result":"UpdateCC" } Please save MembershipCode, Reference, UpdateKey for this company account. You need them to get access token on behalf of the client company.Complete the payment for company accountIf it’s a new client company account, you need to setup its payment. Visit update URL below in a browserhttps://www.securedsigning.com/Utilities/LinkAccess.aspx?Key=[UpdateKey] Step 3B: Create company account for your client (Type B)Create a client company account (Type B)Before performing this action, please refer to Addition 2 Get Access Token for partner account firstly.The creating company account API request:API Endpoint:POST https://api.securedsigning.com/web/v1.4/Account/AddAccount Headers:please refer to Additional 1 Understand Secured Signing API Authentication.Body in JSON format:{ "User": { "FirstName": "", "LastName": "", "Email": "" //Basic information only, please set as much information as you can. }, "Plan":{ //can be null if client chooses Pay As You Go plan, maximum user up to 10. "PlanUsers":5, //maximum users can be added to this client account. "PlanDocuments":200 //maximum documents can be used per month for all user. }, "GMT":0 } Response in JSON format:{ "ConnectKey":"0741870100440401...28195165045067116199105219246133", "Result":"OK" } This API will create the client company account with an admin user, who will receive an activation email and need to do setup in Secured Signing before any action.Use connect key to get access token for this admin user account when performing action on its behalf. It can only be used once. Please refer to Additional 4 Get Access Token for user account to know how to get and refresh the access token.Step 4A: Add user to company account (Type A)Add a user to your client company accountBefore performing this action, please refer to Additional 3 Get Access Token for company account firstly.The Add User API request:API Endpoint:POST https://api.securedsigning.com/web/v1.4/Account/AddMembershipUser Headers:please refer to Additional 1 Understand Secured Signing API Authentication.Body in JSON format (required properties shown only, please refer to Additional 6 Full User object details.):{ "User":{ "FirstName":"", "LastName":"", "Email":"" }, "ClientReference":"" } Response in text, which is a key for this user account:18423119919508...2202031045067116199105219246133 Use this key to get access token for this user account when performing action on its behalf. It can only be used once. Please refer to Additional 4 Get Access Token for user account to know how to get and refresh the access token.Step 4B: Add user to company account (Type B)Add user to your client company accountBefore performing this action, please refer to Additional 4 Get Access Token for user account firstly to get Access Token for admin user of client account.The Add User API request:API Endpoint:POST https://api.securedsigning.com/web/v1.4/Account/AddUser Headers:please refer to Additional 1 Understand Secured Signing API Authentication.Body in JSON format (required properties only, please refer to Additional 6 Full User object details.):{ "User":{ "FirstName":"", "LastName":"", "Email":"" }, "GMT":0 } Response in text, which is a key for this user account:{ "ConnectKey":"074187010044040123...228195165045067246133", "Result":"OK" } Use this key to get access token for this user account when performing action on its behalf. It can only be used once. Please refer to Additional 4 Get Access Token for user account to know how to get and refresh the access token.Additional 1: Understand Secured Signing API AuthenticationThe API Authentication consists of two parts: OAuth2 and Signature.They make the API request safe and controllable, which benefits you and your clients.OAuth2By authenticated with OAuth 2, you are able to call all API functions on behalf of your clients’ staff and themselves.OAuth endpoints are the URLs you use to make OAuth authentication requests to Secured Signing.You need to use the correct Secured Signing OAuth endpoint when issuing authentication requests in your application. The primary OAuth endpoints are:For authorization: https://www.securedsigning.com/api/oauth2/authorizeFor token requests: https://www.securedsigning.com/api/oauth2/tokenFor revoking OAuth tokens: https://www.securedsigning.com/api/oauth2/revokeAll endpoints require secure HTTP (HTTPS). Each OAuth flow defines which endpoints you need to use and what request data you need to provide.If you’re verifying authentication on a sandbox organization, use “www.dsx.co.nz” instead of “www.securedsigning.com” in all the OAuth endpoints listed above.API SignatureAPI signature provides more safety for each API request, used as a stateless authentication with HMAC SHA-256.All requests to resources (excluding the schema pages) must be accompanied by the correct Authentication headers as per this specification.Secured Signing custom headersX-CUSTOM-API-KEY: This is your API Key.X-CUSTOM-SIGNATURE: This is a HMAC SHA-256 hash of a string of properties outlined below using your API Secret.X-CUSTOM-DATE: This is a Unix timestamp of the time you made the request. We allow a slight buffer on this in case of any time sync issues.X-CUSTOM-NONCE: A randomly generated string of your choice. Ensure it is unique to each request, and no more than 32 characters long.HTTP standard headersReferer: The address where the request originated. Please specify the Callback URL.Authorization: The OAuth2 access token with token type “Bearer”, i.e. “Bearer [access token]”The signature header value to be hashed is created using the following properties ApiKey, time stamp and nonce as show belowApiKey\n timestamp\n nonce Please use ‘\n’ as shown above.After the string is created above, it is hashed using HMAC SHA-256 using your API Secret. It must be Base64 string encoded before adding it to the header.e.g. In JavaScript (We are using Googles CryptoJS library for the hashing and Base64 encoding)var hash = CryptoJS.HmacSHA256(apiKey + '\n' + timestamp + '\n' + nonce, apiSecretKey); var hashInBase64 = CryptoJS.enc.Base64.stringify(hash); API Request HeadersSo for each API request, you need to set following headersKeyValueContent-Typeapplication/jsonX-CUSTOM-API-KEY[Your API Key]X-CUSTOM-DATE[Unix timestamp of the time you made the request]X-CUSTOM-NONCE[A randomly generated unique string]X-CUSTOM-SIGNATURE[Authorization signature]Referer[Your Callback URL]AuthorizationBearer [Access Token]Additional 2: Get Access Token for partner accountAs we can see, enterprise account has more power than client and user account. For safety, you need to get access token every time you call API on behalf of enterprise account.Please tell Secured Signing what clients you have or discuss with use what you need, so that we can enable the right features for you.For this special API, please set OAuth2 Token Request body as blow:KeyValuegrant_typeclient_credentialsclient_id[Your API Key]client_secre[Your API Secret]redirect_uri[Your Callback URL]client_credential_typespecial_featurefeatureMembershipManagement (For Type A company account)AccountManagement (For Type B company account)Use POST method to send HTTP form format to OAuth2 Token Endpoint. The request would look like:POST https://www.securedsigning.com/api/oauth2/token HTTP/1.1 Content-Type: application/x-www-form-urlencoded grant_type=client_credentials&client_id=...&client_secret=...&redirect_uri=...&client_credential_type=special_feature&feature=MembershipManagement Get access token from response, which is in JSON format:{ "access_token":"[Access Token]", "token_type":"bearer", "expires_in":86400, "scope":"Account" } Additional 3: Get Access Token for company accountAs we can see, client account has more power than user account. For safety, you need to get access token every time you call API on behalf of client account.For this special API, please set OAuth2 Token Request body as blow:KeyValuegrant_typeclient_credentialsclient_id[Your API Key]client_secre[Your API Secret]redirect_uri[Your Callback URL]client_credential_typemembership_authenticationmembership_code[MembershipCode]membership_reference[MembershipReference]Use POST method to send HTTP form format to OAuth2 Token Endpoint. The request would look like:POST https://www.securedsigning.com/api/oauth2/token HTTP/1.1 Content-Type: application/x-www-form-urlencoded grant_type=client_credentials&client_id=...&client_secret=...&redirect_uri=...&client_credential_type=membership_authentication&membership_code=...&membership_reference=... Get access token from response, which is in JSON format:{ "access_token":"[Access Token]", "token_type":"bearer", "expires_in":86400, "scope":"Account" } Additional 4: Get Access Token for user accountGet OAuth2 access token from existing user accountExisting user accounts means that users have already signed up in Secured Signing. They can also connet their user account to your service through a standard OAuth 2 authorization flow.Please set OAuth2 Authorise Request URL as blow:KeyValueresponse_typecodeclient_id[Your API Key]redirect_uri[Your Callback URL]scope[The things this account can do, e.g. Basic to get account details, WeSign to do We Sign process]See full list below.Supported scopes list:ScopeDescriptionBasicBasic Profile – Fetch information about your Secured Signing account, such as your price plan, account status etc.ISignI Sign – Sign documents as a sole Signatory.WeSignWe Sign – Invite other people to sign documents.SmartTagSmart Tag – Send documents with Smart Tags.FormDirectForm Direct – Fetch and send your online Form Direct forms.FormFillerForm Filler – Fill in online forms and sign.AccountAccount Management – Manage account settings.Use GET method to send to OAuth2 Authorise Endpoint. The request would look like:GET http://www.securedsigning.com/api/oauth2/authorize?response_type=code&client_id=...&redirect_uri=...&scope=... HTTP/1.1 User will be redirected to Secured Signing, they need to login and authorise and then redirect back to your service.Get authorization code from query part of callback URL[CallbackURL]?code=whx0...wHd5 Use this authorization code to access Secured Signing OAuth 2 Token endpoint to get access token.Please set OAuth2 Token Request URL as blow:KeyValuegrant_typeauthorization_codeclient_id[Your API Key]client_secret[Your API Secret]redirect_uri[Your Callback URL]code[Authorization Code]Use POST method to send request to OAuth2 Token Endpoint. The request would look like:POST http://www.securedsigning.com/api/oauth2/token HTTP/1.1 grant_type=authorization_code&client_id=...&client_secret=...&redirect_uri=...&code=... Get access token from response, which is in JSON format:{ "access_token":"", "token_type":"bearer", "expires_in":86400, "refresh_token":"", "scope":"" } Please save the new access token for this user to perform operations on its behalf.Get OAuth2 access token from new user accountPlease set OAuth2 Authorise Request URL as blow:KeyValueresponse_typecodeclient_id[Your API Key]redirect_uri[Your Callback URL]scope[The things this account can do, e.g. Basic to get account details, WeSign to do We Sign process]See full list above.key[The response of Adding account to membership API]Use GET method to send to OAuth2 Authorise Endpoint. The request would look like:GET http://www.securedsigning.com/api/oauth2/authorize?response_type=code&client_id=...&redirect_uri=...&scope=...&Key=... HTTP/1.1 This URL will have to do 302 redirects to get final response. So your HTTP client should support redirect.Get access token from response, which is in JSON format:{ "access_token":"", "token_type":"bearer", "expires_in":86400, "refresh_token":"", "scope":"" } Please save access and refresh token for this user to perform operation on its behalf.Refresh token for accountIf account’s access token expired, you can use its refresh token to get a new access token. It’s a standard OAuth2 refresh token process.Please set OAuth2 Token Request URL as blow:KeyValuegrant_typerefresh_tokenclient_id[Your API Key]client_secret[Your API Secret]redirect_uri[Your Callback URL]refresh_token[Refresh Token]Use POST method to send to OAuth2 Token Endpoint. The request would look like:POST http://www.securedsigning.com/api/oauth2/token HTTP/1.1 grant_type=refresh_token&client_id=...&client_secret=...&redirect_uri=...&refresh_token=... Get access token from response, which is in JSON format:{ "access_token":"", "token_type":"bearer", "expires_in":86400 } Please save the new access token for this user to perform operations on its behalf.Additional 5: Perform action on behalf of user accountWith access token of user account, you can call Secured Signing API, e.g. uploading document or sending Smart Tag. Please refer to API Documentation page for a full list of API Seucred Signing supported.Here’s a sample how to get a user account information from Secured Signing.The Account Infomation API request:API Endpoint:GET https://api.securedsigning.com/web/v1.4/Account/Info Headers:please refer to Additional 1 Understand Secured Signing API Authentication.Response in JSON format, which is infomation for this user account:{ "Actived":true, "Locked":false, "Email":"...", "Name":"...", "PlanName":"...", "PlanType":"...", "DocumentRemain":0, "DocumentUsed":8 } To call other API functions, set the headers and follow the API request format to fill data, then send request to get response.Additional 6: API object detailsCompany details"Company": { "CompanyName": "", "StreetAddress": "", "City": "", "Country": "", //full country name, such as New Zealand, United States, not nz or us. "CountryCode": "", //international phone code, such as 64 for New Zealand, 1 for United States. "PhoneNumber": "", "ContactFirstName": "", "ContactLastName": "", "ContactEmail": "", "GMTOffset": 0 //The timezone difference in minutes, such as 780 for New Zealand Lightsaving Time, -480 for Pacific Time. } User details"User":{ "FirstName":"", //required "LastName":"", //required "Email":"", //required "JobTitle":"", "CompanyName":"", "LegalName":"", "Website":"", "Industry":"", "Employees":"", "Street":"", "Suburb":"", "City":"", "Postcode":"", "Country":"", //full country name, such as New Zealand, United States, not nz or us. "State":"", "PhoneCountry":"", //international phone code, such as 64 for New Zealand, 1 for United States. "PhoneArea":"", "PhoneNumber":"", "Title":"" } Plan detailsThere’re 2 kinds of plan type for client (Type B) account:Pay as you Go: maximum users up to 10, pay as usage monthly.Team Edition: 1-5 users and 50, 75, 100, 150 or 200 documents to choose in initial setup, prepay monthly. Contact Secured Signing to get more options.Please refer to Plan Details to learn more."Plan":{ //can be null if client chooses Pay as you Go plan, maximum user up to 10. "PlanUsers":5, //maximum users can be added to this client account. "PlanDocuments":200 //maximum documents can be used per month for all user. },
Smart Tag API Documentation Welcome to the Secured Signing Smart Tag API Documentation. This guide is designed to assist you in utilizing the Secured Signing Smart Tag feature effectively and efficiently.Check out the links below for more information!About Our Smart Tag TechnologyHow to send Smart Tag document through APIAdvanced Usage 1: Send Smart Tag document with email templateAdvanced Usage 2: Send Embedded Smart Tag documentAdvanced Usage 3: Send Smart Tag document with invitee detailsAdvanced Usage 4: Send Smart Tag document with attachmentsAdvanced Usage 5: Send Smart Tag document with callback service Secured Signing Smart Tag GuideSecured Signing’s Smart Tag technology automates document creation and streamlines the invitation and signing process to enhance faster document turnaround and better user experience.Smart Tag technology enables the addition of a signature placeholder during the document formation process that includes:Signatory’s details: full name, email addressPersonalized textAbility to define signature type: full or initialOption to choose the sequential order of signersSmart Tag further unique characteristics:Smart Tag can be used with MS Word, and PDF document file formats.Smart Tag supports fill-in fields’ option that enables the simple addition of a Field Tag on a document that has to be completed by both invitee and signatory.For increased security, an SMS can be sent to the invitee as a two-factor authentication function for document access or to complete the signing process.Smart Tag Workflow supports the ability to identify a specific workflow name, and to initiate its application from the Secured Signing system. (Workflow initiation involves additional setup fee costs).Download Sample Smart TagDownload Smart Tag GuideHow to Send Smart Tag Document through APIPrerequisiteBefore use Smart Tag API, you may already know:What is Smart Tag and how to create a document with Smart Tags (Secured Signing Smart Tag Guide);Understanding Secured Signing API (Developer Page);Getting access token from user authorization (API Authentication);Uploading document through API (Upload Document API);So, you shall have:ACCESS TOKENDOCUMENT REFERENCE: reference to the Smart Tag document with signer details inside after uploaded.in your hand.Basic UsageHere’s a sample how to send Smart Tag through API.The Send Smart Tag API request:API Endpoint:POST https://api.securedsigning.com/web/v1.4/SmartTag/Send Headers:please refer to API Authentication.Request in JSON format, which is:{ "DocumentReferences": [ "DOCUMENT REFERENCE" ], "DueDate": "2023-01-06" } Response in JSON format, which is infomation for the sent invitation of Smart Tag document:[ { "Name": "", //document name "Reference": "", //document reference "FileType": "", //Word or PDF file "Signers": [ { "SignerReference": "", //Signer reference "FirstName": "", //Signer's firstname "LastName": "", //Signer's lastname "Email": "" //Signer's email address } ], "Status": "", //document status "DueDate": "Date", //signing due date } ] Easy, isn’t it?Advanced Usage 1: Send Smart Tag document with email templateEmail TemplatePlease login to Secured Signing, navigate to My Account / My Email Templates to setup your email template first.Get invitation template through API EmailTemplate/EmailTemplateRequestThe Get Invitation Email Template API:API Endpoint:Get https://api.securedsigning.com/web/v1.4/EmailTemplate/GetInvitationTemplates Headers:please refer to API Authentication.Response in JSON format, which is list of email template details:[ { "Reference": "167...172", "Name": "template 1", "Subject": "Please Sign ...", "Template": "Hi,<br/><p>[!Invitation.SecuredSigningText]</p>" }, { "Reference": "167...031", "Name": "template 2", "Subject": "Please Sign ...", "Template": "Hi,<br/><p>[!Invitation.SecuredSigningText]</p>" } ] Choose the template you want to send with and get TEMPLATE REFERENCE.Send Smart Tag document with email templateSet [Template Reference] to “EmailTemplateReference” property in Send Smart Tag API request:{ "DocumentReferences": [ "DOCUMENT REFERENCE" ], "DueDate": "2023-01-06", "EmailTemplateReference":"TEMPLATE REFERENCE" } The response is same as above.Send Smart Tag document with one-off templatePlease refer to Advanced Usage 3 to see how to setup invitee details.Set properties related email template for User object in Send Smart Tag API request for each invitee:{ "DocumentReferences": [ "DOCUMENT REFERENCE" ], "DueDate": "2023-01-06", "Signers": [ { "FirstName": "", "LastName": "", "Email": "", "IsPersonalMessage":true, "InvitationText":"please sign", "EmailSubject":"Please sign" } ] } Some rules here:IsPersonalMessage: If it’s true, InvitationText will be used as personal message and it only works with the default Secured Signing template; i.e. leave EmailTemplateReference empty.InvitationText: If IsPersonalMessage is false or empty, it will be used as whole email template text. It’s HTML text, so you can use HTML tags. Please try to setup email template on web portal and use the Get Invitation Email Template API to download templates to see how it would looks like.Please make sure that email template must include:[!Invitation.SecuredSigningText]It will be replaced by Secured Signing Service with signing link, signing code, download button, etc.Settings for an invitee will override EmailTemplateReference setting, leave InvitationText or EmailSubject empty to use default one.The response is same as above.Advanced Usage 2: Send Embedded Smart Tag documentSend embedded smart tag documentIn some situation, you may want to embed signing page on your website/client. Embedded signing will be what you want.Set [Embedded] to “true” in Send Smart Tag API request:{ "DocumentReferences": [ "DOCUMENT REFERENCE" ], "DueDate": "2023-01-06", "Embedded":true } Response in JSON format, there’s a new property called SigningKey returned in Signer object:[ { "Name": "", //document name "Reference": "", //document reference "FileType": "", //Word or PDF file "Signers": [ { "SignerReference": "", //Signer reference "FirstName": "", //Signer's firstname "LastName": "", //Signer's lastname "Email": "" //Signer's email address "SigningKey":"112...5093" //SigningKey to use in embedded signing } ], "Status": "", //document status "DueDate": "Date", //signing due date } ] Secured Signing will not send an invitation email for embedded signing, instead of giving you the SigningKey to use in an embedded page by yourself.Embedded SigningYou may need Secured Signing UI SDK to complete embedding signing, refer to UI SDK in developer page for more details.Here’s a sample html page with how to do embedded signing inside. You can use your API Key and Secret, and put SigningKey inside, host it in your website and have a look how it works.Embedded Signing SampleAdvanced Usage 3: Send Smart Tag document with invitee detailsYou can also just have Smart Tag like[!Sign.1.F]in the document for just locating the signature position but without any invitee details, then populate the details when sending smart tag document through API. This is useful if you use the document as template or you’re not able to modify the document everytime.Set details to “Signers” array property in Send Smart Tag API request:{ "DocumentReferences": [ "DOCUMENT REFERENCE" ], "DueDate": "2023-01-06", "Signers": [ { "FirstName": "", "LastName": "", "Email": "", "MobileCountry": "", //optional, if smart tag with SMS "MobileNumber": "" //optional, if smart tag with SMS } ] } The response is same as above.If you have two or more signers in your document, the order of signers is related as index of Signers array. e.g. Signers[0] in API request will be applied to smart tag [Sign.1] in document.Advanced Usage 4: Send Smart Tag document with attachmentsSmart Tag API supports attachments now, it’s only in API.The attachments will be sent with the invitation email without extra cost. They can be some documents invitees need to read but not need to sign.Let’s begin. Firstly, get {AttachmentReference} by Uploading attachment through API (Upload Attachment API);Upload more attachment if you need, record all attachment references.Set details to “Signers” array property in Send Smart Tag API request:{ "DocumentReferences": [ "DOCUMENT REFERENCE" ], "DueDate": "2023-01-06", "Signers": [ { "Attachments":[ "{AttachmentReference1}", "{AttachmentReference2}" ] } ] } The response is same as above.If you have two or more signers in your document, the order of signers is related as index of Signers array. e.g. Signers[0] in API request will be applied to smart tag [Sign.1] in document. You can set differenct attachment for each signer.Advanced Usage 5: Send Smart Tag document with callback serviceSmart Tag API supports set callback URL, it’s only in API.The callback URL will be called each time the document status changed.Let’s begin. Firstly, enable Callback in your API Key.Secondly, set your callback URL to “NotifyUrl” property in Send Smart Tag API request:{ "DocumentReferences": [ "DOCUMENT REFERENCE" ], "DueDate": "2023-01-06", "NotifyUrl":"[CallbackURL]" ] } The HTTP request we will call your callback URL is as followingsRequest Url: Your callback URLRequest Method: PostContent-Type: application/x-www-form-urlencodedBody: Status=0 of 1 Signed&Doc=048237….2201121&Ref=0FFB1350….2A74F1&Event=ExtendThe body contains 4 parts:Status: current status of the documentDoc: the reference of the document, same as the reference you got after upload and send through APIRef : the client reference you passed when uploading document, optionalEvent: the notify event, possible values: Complete, Extend, Decline, Expired
Secured Signing API Without OAuth 2 Getting StartedAuthenticationClient & UI SDKDocumentation * For Partner API, please click here.* For API With OAuth 2 version, please click here.Getting StartedAdd an API Account by logging in to your accountNavigate to My Account > My Settings > API SettingsAdd an API key using the button a the top. This will generate an API account, with configurable settings for your connection.* It is important to specify a domain from where the API requests come.Using the APIThe API is Rest based, and can be found at DocumentationResponse CodesThe following response codes apply to all requests. Check each request type in the list below for more response codes specific to that request.StatusCodeMeaning200OKThe request was processed successfully401UnauthorizedAuthentication failed or the Authenticate header was not provided404Not FoundThe URI does not match any of the recognised resourcesResponse and Request Data FormatsSupported Request FormatsUse the Content-Type header to specify the format your data is in.JSON: application/jsonMultipart Form Data: multipart/form-dataSupported Response FormatsUse the Accept header to specify the output desired format. If you can’t set that header, use the format parameter in the query string. The format parameter takes precedence over the Accept header.JSON: application/jsonGetting Started Walk-throughsGetting Started – FormDirectGetting Started – ISignGetting Started – WeSignSmart Tag API DocumentationPlease feel free to Contact Us for any questions or helpAuthenticationThe REST API uses stateless authentication using HMAC SHA-256.All requests to resources (excluding the schema pages) must be accompanied by the correct Authentication headers as per this specification.Authentication headersX-CUSTOM-API-KEY : This is your ApiKey which can be generated from “My Settings” in the Account pageX-CUSTOM-SIGNATURE : This is a HMAC SHA-256 hash of a string of properties outlined below using your api secret which is generated at the same time as your ApiKeyX-CUSTOM-DATE : This is a Unix timestamp of the time you made the request. We allow a slight buffer on this in case of any time sync issues.X-CUSTOM-NONCE : A randomly generated string of your choice. Ensure it is unique to each request, and no more than 32 characters long.* Referer :The address where the request originated. Please specify the domain you set in API Settings.The signature header value to be hashed is created using the following properties ApiKey, time stamp and nonce as show belowApiKey\n timestamp\n nonce Please use ‘\n’ as shown above.After the string is created above, it is hashed using HMAC SHA-256 using your API Secret. It must be Base64 string encoded before adding it to the header.e.g. In JavaScript (We are using Googles CryptoJS library for the hashing and Base64 encoding)var hash = CryptoJS.HmacSHA256(apiKey + '\n' + timestamp + '\n' + nonce, apiSecretKey); var hashInBase64 = CryptoJS.enc.Base64.stringify(hash); Our client SDK libraries perform these functions for you, as well as adding the headers automatically.Client & UI SDKThe client SDK provides an encapsulated library exposing simple to use methods that hide the complexity of integrating with our Rest API.* The provided SDKs’ codes are on Github. Fork me on GitHubJavaScriptWe also host the JavaScript version from our hosting.Please add the following script reference in the header section of your page<script data-main="//api.securedsigning.com/web/v1.4/client/scripts/main" src="//api.securedsigning.com/web/v1.4/client/scripts/require.js"></script>To initialise the JavaScript SDK libraryFirst create a config object as shown below var config = { "apiKey": <YOUR API KEY HERE>, "baseUrl": "//api.securedsigning.com/web", "version": "v1.4", "secret": <YOUR API SECRET HERE> }; Next initialise the library.We have provided a function SSApiLoaded that executes when the scripts have loaded if you are using our hosted JavaScript librariesfunction SSApiLoaded() { securedsigning = new SecuredSigning(config); }; An SDK method call normally takes 3 parametersrequestData: the data required for performing the taskonSuccess: Callback function to handle a successful requestonError: Callback function to handle any errorsAn examplesecuredsigning.sendSmartTagDocument(requestData, function (data) { console.log(data); },function (error) { console(error); }); .NETYou can view the source code on GitHub here.Install our .NET client SDKSecuredSigning.Client PM> Install-Package SecuredSigning.ClientThis library has the following dependencies ServiceStack.Client.Signed, ServiceStack.Text.Signed and ServiceStack.InterfacesTo initialise the library call the constructorvar client = new ServiceClient("https://api.securedsigning.com/web","v1.4", <YOUR API KEY HERE>, <YOUR API SECRET HERE>);We have provided data objects for the requests e.g. [Schema("EmailTemplate")] public class EmailTemplate { public string Reference { get; set; } public string Name { get; set; } } An example of a function callvar forms = client.getFormList();Other LanguagesWe have provided more client SDKs of different programing languages as well, with their source codes on GitHub.Java : JAR file GitHub RepositoryUI SDKThe UI SDK is provided as part of the JavaScript sdk. Please add the scripts as below<script data-main="//api.securedsigning.com/web/v1.4/client/scripts/main" src="//api.securedsigning.com/web/v1.4/client/scripts/require.js"></script>Initialising SDKTo initialise the JavaScript SDK libraryFirst create a config object as shown below var config = { "apiKey": <YOUR API KEY HERE>, "baseUrl": "//api.securedsigning.com/web", "version": "v1.4", "secret": <YOUR API SECRET HERE> }; Uploading a documentYou can use our uploader to add a document for signingUse the following JavaScript function passing in a DOM element id for the upload buttonThis then on Success starts an ISign or WeSign process securedsigning.CreateUpload(<DOM ELEMENT ID>, function(data) { ISign(data.Reference); //WeSign(data.Reference); },function (error) { alert(error); }); After a document is submitted, a reference will return.Embedding html resourcesI SignFor an I Sign signing resourceThis embeds a signing resource in a DOM element with the id of ‘content’function ISign(ref) { var request = { Email: "firstlastname@sample.com", FirstName: "firstname", LastName: "lastname", DocumentReference: ref }; securedsigning.getISignResource(request, "content", function (error) { }); } We SignFor an We Sign signing resourceThis embeds a signing resource in a DOM element with the id of ‘content’function WeSign(ref) { var request = { DocumentReference: ref }; securedsigning.getWeSignResource(request, "content", function (error) { }); } Download a sample webpage here.Documentation API Key: API Secret:
Secured Signing API With OAuth 2 Getting Started Authentication Client & UI SDK Documentation * For Partner API, please click here. * For API Without OAuth 2 version, please click here. Getting Started Add an API Account by logging in to your accountNavigate to My Account – > My Settings -> API SettingsAdd an API key using the button at the top. This will generate an API account, with configurable settings for your connection.* It is important to specify a name as well as a domain from where the API requests will come. Using the API The API is Rest based, and can be found at Documentation tab. Response Codes The following response codes apply to all requests. Check each request type in the list below for more response codes specific to that request. Status Code Meaning 200 OK The request was processed successfully 401 Unauthorized Authentication failed or the Authenticate header was not provided 404 Not Found The URI does not match any of the recognised resources Response and Request Data Formats Supported Request FormatsUse the Content-Type header to specify the format your data is in. JSON: application/json Multipart Form Data: multipart/form-data Supported Response FormatsUse the Accept header to specify the output desired format. If you can’t set that header, use the format parameter in the query string. The format parameter takes precedence over the Accept header. JSON: application/json Getting Started Walk-throughs Getting Started – FormDirect Getting Started – ISign Getting Started – WeSign Smart Tag API Documentation Please feel free to Contact Us for any questions or help Authentication The REST API uses stateless authentication using OAuth 2.0 with HMAC SHA-256. OAuth 2.0 By authenticated with OAuth 2.0, you are able to call all API functions on behalf of the authorized user. OAuth endpoints are the URLs you use to make OAuth authentication requests to Secured Signing. You need to use the correct Secured Signing OAuth endpoint when issuing authentication requests in your application. The primary OAuth endpoints are: For authorization: https://securedsigning.com/api/oauth2/authorize For token requests: https://securedsigning.com/api/oauth2/token For revoking OAuth tokens: https://securedsigning.com/api/oauth2/revoke All endpoints require secure HTTP (HTTPS). Each OAuth flow defines which endpoints you need to use and what request data you need to provide. OAuth 2.0 Authorization Code Flow (Web Server OAuth Authentication Flow) The authorization code flow is used by applications that are hosted on a secure server, e.g. web server. You can use code challenge and verifier values in the flow to prevent authorization code interception. In this flow, the client application requests the authorization server to redirect the user to Secured Signing that authorizes the user and sends the application an authorization code. The application uses the authorization code to request an access token. The following shows the steps for this flow. +----------+ | Secured | | Signing | | User | +----------+ ^ | (B) +----|-----+ Client Identifier +---------------+ | -+----(A)-- & Redirection URI ---->| | | Web | | Secured | | Browser -+----(B)-- User authenticates --->| Signing | | | | | | -+----(C)-- Authorization Code ---<| | +-|----|---+ +---------------+ | | ^ v (A) (C) | | | | | | ^ v | | +---------+ | | | |>---(D)-- Authorization Code ---------' | | Your | & Redirection URI | | App | | | |<---(E)----- Access Token -------------------' +---------+ (w/ Optional Refresh Token) The application redirects the user to Secured Signing authorization endpoint. The following parameters are required: Key Value response_type Required must be “code” client_id Required Your API Key redirect_uri Required Your Callback URL scope Required [The things this account can do, e.g. Basic to get account details, WeSign to do We Sign process]See full list below. state Optional any additional URL-encoded data to be returned in the callback URL after approval Supported scopes list, scope is case sensitive: Scope Description Basic Basic Profile – Fetch information about your Secured Signing account, such as your price plan, account status etc. ISign ISign – Sign documents as a sole Signatory. WeSign WeSign – Invite other people to sign documents. SmartTag Smart Tag – Send documents with Smart Tags. FormDirect Form Direct – Fetch and send your online Form Direct forms. FormFiller Form Filler – Fill in online forms and sign. Billing Billing Management – Manage account invoices and details. An example authorization request: https://securedsigning.com/api/oauth2/authorize?response_type=code&client_id=3MVG9lKc...9LLM82Hn&redirect_uri=https%3A%2F%2Fwww.example.com%2Fcallback&state=mystate&scope=Basic%20SmartTag The user logs into Secured Signing. The user is interacting with the authorization endpoint directly, so the application never sees the user’s credentials. After successfully logging in, the user is asked to authorize the application. After Secured Signing confirms that the client application is authorized, the web browser is redirected to the callback URL specified by the redirect_uri parameter. Secured Signing appends authorization information to the redirect URL with the following values: Key Value code Authorization code state state value passed before An example authorization response: https://www.example.com/callback?code=aWek...fhc4w%3D%3D&state=mystate The application extracts the authorization code and passes it in a request to Secured Signing token endpoint for an access token. This request is a POST request. The following parameters are required: Key Value grant_type Required must be “authorization_code” client_id Required API Key client_secret Required API Secret redirect_uri Required Callback URL code Required Authorization Code An example access token POST request: POST https://securedsigning.com/api/oauth2/token HTTP/1.1 grant_type=authorization_code&code=aWek...fhc4w%3D%3D&client_id=33MVG9lKc...9LLM82Hn&client_secret=1955...41571&redirect_uri=https%3A%2F%2Fwww.example.com%2Fcallback If this request is successful, the server returns a response body that contains the following: Key Value access_token Access Token refresh_token Refresh Token expires_in Access Token lifetime token_type Bearer scope authorized scopes An example access token POST response: { "expires_in":"86400", "refresh_token":"5Aep8614...yg==", "token_type":"Bearer", "scope":"Basic SmartTag", "access_token":"00Dx00...9JksNEkWUl" } The application uses the provided access token and refresh token to do action on behalf of the user. OAuth 2.0 Implicit Flow (User-Agent OAuth Authentication Flow) The OAuth 2.0 Implicit authentication flow is used by client applications (consumers) residing in the user’s device. This could be implemented in a browser using a scripting language such as JavaScript, or from a mobile device or a desktop application. These consumers cannot keep the client secret confidential. In this flow, the client application requests the authorization server to redirect the user to Secured Signing which is capable of extracting the access token and passing it back to the application. The following shows the steps for this flow. +----------+ | Secured | | Signing | | User | +----------+ ^ | (B) +----|-----+ Client Identifier +---------------+ | -+----(A)-- & Redirection URI --->| | | Web | | Secured | | Browser -|----(B)-- User authenticates -->| Signing | | | | | | |<---(C)--- Redirection URI ----<| | | | with Access Token +---------------+ | | in Fragment | | +---------------+ | |----(D)--- Redirection URI ---->| Web-Hosted | | | without Fragment | Resource | | | | e.g. | | (F) |<---(E)------- Script ---------<| ISign/WeSign | | | +---------------+ +-|--------+ | | (A) (G) Access Token | | ^ v +---------+ | | | Your | | App | +---------+ The application redirects the user to Secured Signing authorization endpoint. The following parameters are required: Key Value response_type Required must be “token” client_id Required Your API Key redirect_uri Required Your Callback URL scope Required [The things this account can do, e.g. Basic to get account details, WeSign to do We Sign process]See full list below. state Optional any additional URL-encoded data to be returned in the callback URL after approval An example authorization request: https://securedsigning.com/api/oauth2/authorize?response_type=token&client_id=3MVG9lKc...9LLM82Hn&redirect_uri=https%3A%2F%2Fwww.example.com%2Fcallback&state=mystate&scope=Basic%20SmartTag The user logs into Secured Signing. The user interacts with the authorization endpoint directly, so the application never sees the user’s credentials. Once authorization is granted, the authorization endpoint redirects the user to the redirect URL with following values: Key Value access_token Access Token expires_in Access Token lifetime token_type Bearer scope authorized scopes state state value passed before An example access token response: { "expires_in":"86400", "token_type":"Bearer", "scope":"Basic SmartTag", "access_token":"00Dx00...9JksNEkWUl" } The application uses the provided access token to do action on behalf of the user. OAuth 2.0 Refresh Token Flow The OAuth 2.0 Authorization Code Flow (Web Server OAuth Authentication Flow) provides a refresh token that can be used to obtain a new access token. Access tokens have a limited lifetime specified by the session timeout in Secured Signing. If an application uses an expired access token, a “Session expired or invalid” error is returned. The client application obtains a new access token by sending a POST request to the token request endpoint with the following request parameters: Key Value grant_type Required must be “refresh_token” client_id Required API Key client_secret Required API Secret refresh_token Required Refresh Token An example refresh token POST request: POST https://securedsigning.com/api/oauth2/token HTTP/1.1 grant_type=refresh_token&refresh_token=aWek...fhc4w%3D%3D&client_id=33MVG9lKc...9LLM82Hn&client_secret=1955...41571 Once Secured Signing verifies the refresh token request, it sends an access token response as above to the application. API Signature API signature provides more safety for each API request, used as a stateless authentication with HMAC SHA-256. All requests to resources (excluding the schema pages) must be accompanied by the correct Authentication headers as per this specification. Secured Signing custom headers X-CUSTOM-API-KEY : This is your ApiKey which can be generated from “My Settings” in the Account page X-CUSTOM-SIGNATURE : This is a HMAC SHA-256 hash of a string of properties outlined below using your api secret which is generated at the same time as your ApiKey X-CUSTOM-DATE : This is a Unix timestamp of the time you made the request. We allow a slight buffer on this in case of any time sync issues. X-CUSTOM-NONCE : A randomly generated string of your choice. Ensure it is unique to each request, and no more than 32 characters long. HTTP standard headers Referer: The address where the request originated. Please specify the Callback URL. Authorization: The OAuth2 access token with token type “Bearer”, i.e. “Bearer [access token]” The signature header value to be hashed is created using the following properties ApiKey, time stamp and nonce as show below ApiKey\n timestamp\n nonce Please use ‘\n’ as shown above. After the string is created above, it is hashed using HMAC SHA-256 using your API Secret. It must be Base64 string encoded before adding it to the header. e.g. In JavaScript (We are using Googles CryptoJS library for the hashing and Base64 encoding) var hash = CryptoJS.HmacSHA256(apiKey + '\n' + timestamp + '\n' + nonce, apiSecretKey); var hashInBase64 = CryptoJS.enc.Base64.stringify(hash); Our client SDK libraries perform these functions for you, as well as adding the headers automatically. Summary So for each API request, you need to set following headers Key Value Content-Type application/json X-CUSTOM-API-KEY [Your API Key] X-CUSTOM-DATE [Unix timestamp of the time you made the request] X-CUSTOM-NONCE [A randomly generated unique string] X-CUSTOM-SIGNATURE [Authorization signature] Referer [Your Callback URL] Authorization Bearer [Access Token] Client & UI SDK The client SDK provides an encapsulated library exposing simple to use methods that hide the complexity of integrating with our Rest API. * The provided SDKs’ codes are on Github. Fork me on GitHub JavaScript We also host the JavaScript version from our hosting. Please add the following script reference in the header section of your page <script data-main="https://securedsigning.com/web/v1.4/client/scripts/main" src="https://securedsigning.com/web/v1.4/client/scripts/require.js"></script> To initialise the JavaScript SDK library First create a config object as shown below var config = { "apiKey": <YOUR API KEY HERE>, "baseUrl": "https://securedsigning.com/web", "version": "v1.4", "secret": <YOUR API SECRET HERE>, "scope": <SCOPEs REQUIRED> }; Next initialise the library. We have provided a function SSApiLoaded that executes when the scripts have loaded if you are using our hosted JavaScript libraries function SSApiLoaded() { securedsigning = new SecuredSigning(config); }; Before any action, get OAuth2 access token using OAuth 2 Implicit flow. We have provided a function securedsigning.getAccessToken to help you to start the process. An SDK method call normally takes 3 parameters requestData: the data required for performing the task onSuccess: Callback function to handle a successful request onError: Callback function to handle any errors An example securedsigning.sendSmartTagDocument(smartTagData, function (result) { console.log(result); },function (error) { console(error); }); .NET You can view the source code on GitHub here. Install our .NET client SDK SecuredSigning.Client PM> Install-Package SecuredSigning.Client This library has the following dependencies Newtonsoft.Json, ServiceStack.Client.Signed, ServiceStack.Text.Signed and ServiceStack.Interfaces To initialise the library call the constructor var client = new ServiceClient("https://securedsigning.com/web","v1.4", <YOUR API KEY HERE>, <YOUR API SECRET HERE>, <YOUR CALLBACK URL HERE>); Before any action, get OAuth2 access token using OAuth 2 Authorization Code flow. We have provided a series of functions to help you to complete the OAuth 2 process. OAuth2.CreateAuthorizeRequest to generate the authorize request URL. OAuth2.HandleAuthorizeCallback to handle authorize callback from Secured Signing. OAuth2.GetToken to get access token. OAuth2.RefreshToken to refresh access token. OAuth2.RevokeToken to revoke access token. We have provided data objects for the requests e.g. [Schema("EmailTemplate")] public class EmailTemplate { public string Reference { get; set; } public string Name { get; set; } } An example of a function call var forms = client.getFormList(); Other Languages We have provided more client SDKs of different programing languages as well, with their source codes on GitHub. Java : JAR file GitHub Repository UI SDK The UI SDK is provided as part of the JavaScript sdk. Please add the scripts as below <script data-main="https://securedsigning.com/web/v1.4/client/scripts/main" src="https://securedsigning.com/web/v1.4/client/scripts/require.js"></script> Initialising SDK To initialise the JavaScript SDK library First create a config object as shown below var config = { "apiKey": <YOUR API KEY HERE>, "baseUrl": "//api.securedsigning.com/web", "version": "v1.4", "secret": <YOUR API SECRET HERE>, "scope": <SCOPEs REQUIRED> }; Get access token You can use our login control to start OAuth 2 process. Use the following JavaScript function passing in a DOM element id for the login button securedsigning.CreateLogin("login"); Uploading a document You can use our uploader to add a document for signing Use the following JavaScript function passing in a DOM element id for the upload button This then on Success starts an ISign or WeSign process securedsigning.CreateUpload(<DOM ELEMENT ID>, function(data) { ISign(data.Reference); //WeSign(data.Reference); },function (error) { alert(error); }); After a document is submitted, a reference will return. Embedding html resources I Sign For an I Sign signing process, the OAuth 2 scopes are “Basic” and “ISign”. This embeds a signing resource in a DOM element with the id of ‘content’. function ISign(ref) { var request = { DocumentReference: ref }; securedsigning.getISignResource(request, "content", function (error) { }); } We Sign For an We Sign signing process, the OAuth 2 scopes are “Basic” and “WeSign” This embeds a signing resource in a DOM element with the id of ‘content’. function WeSign(ref) { var request = { DocumentReference: ref }; securedsigning.getWeSignResource2(request, "content", function (error) { }); } The invitees details can be pre-configured when setting up the WeSign request function WeSign(ref) { var request = { DocumentReference: ref, //other options DisableBroadcast: false, SelectOnly: false, NotifyUrl:'', Invitees: [{ firstname: 'User1', //first name lastname: 'Test', //last name email: 'user1@sample.com' //email address }, { firstname: 'User2', lastname: 'Test', email: 'user2@sample.com' }] }; securedsigning.getWeSignResource2(request, "content", function (error) { }); } And fields from your system as well function WeSign(ref) { var request = { DocumentReference: ref, //other options DisableBroadcast: false, SelectOnly: false, NotifyUrl:'', Integration: { Name: 'Integration 1', //your integration name FieldGroups: [{ //your integration records/objects GroupID: "Account__Fields__a1", //record unique ID GroupIcon: "", //record icon GroupLabel: "Account Fields", //record label GroupName: "Account", //record name GroupRecordID: "a1", //record ID GroupRecordLabel: "Company A", //record display name Fields: [{ //record fields ControlType: 0, //field type, values see below FieldLabel: "Account Name", //field label FieldName: "Name", //field name FieldType: "STRING", //field type in your system FieldValue: "Company A" //field value }, { ControlType: 5, FieldLabel: "Account Type", FieldName: "Type", FieldType: "PICKLIST", FieldValue: "Technology Partner", Options: [ //field options, e.g. for dropdown list { Label: "Technology Partner", //option label Value: "Technology Partner" //option value }, { Label: "Other", Value: "Other" }] }] }, { GroupID: "Contact__Fields__b1", GroupIcon: "", GroupLabel: "Contact Fields", GroupName: "Contact ", GroupRecordID: "b1", GroupRecordLabel: "Peter Green", Fields: [{ ControlType: 0, FieldLabel: "Last Name", FieldName: "LastName", FieldType: "STRING", FieldValue: "Green" }, { ControlType: 0, FieldLabel: "First Name", FieldName: "FirstName", FieldType: "STRING", FieldValue: "Peter" }] }] } }; securedsigning.getWeSignResource2(request, "content", function (error) { }); } Supported Control types Text 0 Multi Line Text 1 Check Box 3 Radio Button 4 Dropdown List 5 Date 6 Email 7 Number 8 Multiple Select Dropdown List 9 Phone 15 Integer 16 Download a sample webpage here. Documentation API Key: API Secret: Get Access Token