Development Guide CSC API
Introduction
The SIGN8 API can be used to sign hashes and documents. The Rest API functions are based on the Cloud Signature Consortium specifications v2.
As a trust service provider, we have implemented the Cloud Signature Consortium (CSC) API to offer a standardized, secure, and scalable solution for remote digital signatures. The CSC API enables seamless interoperability across platforms, ensuring compliance with regulations such as eIDAS. By adopting this specification, we provide users with a reliable and flexible signing experience without requiring local software, making digital transactions more secure and accessible.
General information
The documentation and the API may change in the future. Please make sure to work with the latest version.
For support you can contact: customerservice@sign8.eu
Please provide a detailed description of the problem. The description should include your client ID, your account ID, steps to reproduce, the error message, the expected behavior and the date and time of occurrence.
Disclaimer
Only the parameters and functions specified in the Info Endpoint are supported. By using the endpoints, you agree to the associated restrictions and there is no entitlement to additional functions.
Requirements
Key | Value |
Account_ID | Your signature application account ID |
Client_ID | Your signature application client ID |
Client_secret | Your signature application client secret |
Terms and definitions
- Signature application = client application or service calling the remote signing service provider to create a remote signature
HTTPS = secure transportation protocol
UUID = Universally Unique Identifier
Access token = credentials used to access protected resources. It’s a string representing an authorization issued to the client. The string is usually opaque to the client
Authentication factor = piece of information and/or process used to authenticate or verify the identity of an entity
Credential = cryptographic object and related data used to support remote digital signatures over the Internet. Consists of the combination of a public/private key pair and a X.509 public key certificate managed by a remote signing service provider on behalf of a user.
Digital signature = data appended to, or a cryptographic transformation of a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery e.g. by the recipient
Signature activation data = set of data used to control a given signature operation, performed by a cryptographic module, on behalf of the signer
Abbreviations
JWT: JSON Web Token
AdES: Advanced Electronic Signature
CaDES: CMS Advanced Electronic Signature
JaDES: JSON Advanced Electronic Signature
PaDES: PDF Advanced Electronic Signature
API: Application Programming Interface
SAD: Signature Activation Data
SAM: Signature Activation Module
SCAL1: Sole Control Assurance Level 1
SCAL2: Sole Control Assurance Level 2
Security
TLS
The REST API is accessed exclusively via a TLS-encrypted HTTPS connection (Port TCP/443). Following TLS Chipers / Suites are supported:
TLS v1.3: TLS_AES_256_GCM_SHA384 (0 x1302)
TLS v1.3: TLS_CHACHA20_POLY1305_SHA256 (0 x1303)
TLS v1.3: TLS_AES_128_GCM_SHA256 (0 x1301)
TLS v1.2: TLS_ECDHE_ECDSA_CHACHA20_POLY1305_SHA256 (0 xcca9)
TLS v1.2: TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 (0 xc02c)
TLS v1.2: TLS_ECDHE_RSA_CHACHA20_POLY1305_SHA256 (0 xcca8)
TLS v1.2: TLS_ECDHE_RSA_AES_256_GCM_SHA384 (0 xc030)
OAuth2 Authorization
account_token = base64UrlEncode(<JWT_Header>) + "." + \ base64UrlEncode(<JWT_Payload>) + "." + \ base64UrlEncode(<JWT_Signature>) <JWT_Header> = { "typ":"JWT", "alg":"HS256" }JWT_Payload:
<JWT_Payload> = { "sub": <Account_ID>, //Account ID "iat": <Unix_Epoch_Time>, //Issued At Time "jti": <Token_Unique_Identifier>, //JWT ID "iss": <Signature_Application_Name>, //Issuer "azp": <OAuth2_client_id> //Authorized presenter }JWT_Signature:
<JWT_Signature> = HMACSHA256( base64UrlEncode(<JWT_Header>) + "." + base64UrlEncode(<JWT_Payload>), SHA256(<client_secret>) )Parameters
Parameter |
| Value | Name |
typ | Required | String | The Header Parameter used to indicate that this object is a JSON Web Token (JWT) |
alg | Required | String | The Header Parameter used to indicate that the algorithm of the signature of the JWT is HMAC using SHA-256 |
sub | Required | String | The Account ID of the signature provider |
iat | Required | Number | The Unix Epoch time when the account_token was issued |
jti | Required | String | A unique identifier |
iss | Optional | String | Commercial name of the signature application |
azp | Required | String | ClientID from the signature application |
Please notice: the client_secret needs to be used as SHA256 hashed value!
Base URI
OAuth2-Server
Staging | |
Productive |
Rest-API
Staging | |
Productive |
Respective mentioned as {{ API_URL }}
Supported Signature Qualifiers
We support the following signature qualifiers:
Qualifier | Description |
eu_eidas_aes | Advanced signature |
eu_eidas_qes | Qualified signature |
eu_eidas_aeseal | Advanced seal |
eu_eidas_qeseal | Qualified seal |
Supported Hash Algorithms
We support the following hash algorithms:
hashAlgorithm | hashAlgorithmOID |
sha256 | 2.16.840.1.101.3.4.2.1 |
sha384 | 2.16.840.1.101.3.4.2.2 |
sha512 | 2.16.840.1.101.3.4.2.3 |
Please notice: the length of the received signatures depends on the length of the signing key, not on the provided hash!Further documentation
OAuth2-Server: Swagger Documentation
Rest API: Swagger Documentation
Postman Documentation
Flows
documentation. There are several other ways to use this documentation. For further information please also see the Postman documentation (s. Further documentation)
Classic CSC-Flow
Endpoint Description
In the classic CSC flow following endpoints needs to be used:
Authorize Service Request
In this step the signatory needs to be redirected to the SIGN8 OAuth2 server in a popup or the browser. Example for oauth2/authorize (service authorization):
GET oauth2/authorize?client_id=<clientID>& code_challenge=y_vuu0F6yittkyDa8…& scope=service&code_challenge_method=S256& response_type=code&redirect_uri=<OAuth_redirect_uri>Access Token Service Request
Afterwards the SignatureApplication needs to request a service access token with oauth2/token (described in Access Token Request) to access the API functions.
The redirect_uri parameter needs to match the previous passed value in oauth2/authorize! Also, the code_verifier needs to match the code_challenge parameter previous passed. Example for oauth2/token:
POST /oauth2/token Content-Type: application/x-www-form-urlencoded { “grant_type”: “authorization_code”, “code”: “LJ7f5T42dnQG…”, “client_id”: <clientID>, “client_secret”: <client_secret>, “redirect_uri”: <OAuth_redirect_uri>, “code_verifier”: “xRi-wG0SWvURh…” } Get Credentials List
In your SignatureApplication, you have the option of listing all credentials available for a signatory to determine in advance which credential should be used.
This step is optional and not necessary for the signature creation to be successful! We do not recommend selecting a specific credential.
Example for credentials/list:
POST /csc/v2/credentials/list Authorization: Bearer eyJhbGciOiJIUz… Content-Type: application/json { "credentialInfo": true, "certificates": "chain", "certInfo": true, "authInfo": true, "onlyValid": true } Authorize Credential Request
To be able to request a signature, the signer must authorise the use of his credentials; this is done via a new oauth2/authorize (described in Authorize Request) request with scope credential. For this request, the signer must be redirected to the SIGN8 OAuth2 server again and identify/ authenticate themselves.
Attention: In this request the hashes need to be base64URL-encoded!Example for oauth2/authorize (service authorization):
GET oauth2/authorize?response_type=code&client_id=<clientID>& redirect_uri=<OAuth_redirect_uri>&scope=credential& code_challenge=y_vuu0F6yittkyDa8…&code_challenge_method=S256& signatureQualifier=eu_eidas_qes&numSignatures=1& hashes=hhhE1nBOhXP-w02WfiC8_...& hashAlgorithmOID=2.16.840.1.101.3.4.2.3 Access Token Credential Request
Afterwards the SignatureApplication needs to request a credential access token with oauth2/token (described in Access Token Request) to access the API functions.
Attention: The redirect_uri parameter needs to match the previous passed value in oauth2/authorize! Also, the code_verifier needs to match the code_challenge parameter previous passed.If the oauth2/authorise request was called with the signatureQualifier parameter, the response returns the credentialID that will be used in the signature process.
Example for oauth2/token:
POST /oauth2/token Content-Type: application/x-www-form-urlencoded { “grant_type”: “authorization_code”, “code”: “Jr86hfdsZ…”, “client_id”: <clientID>, “client_secret”: <client_secret>, “redirect_uri”: <OAuth_redirect_uri>, “code_verifier”: “xRi-wG0SWvURh…” } SignHash or SignDoc
Finally, the SignatureApplication can request a raw PKCS#1 signature via signatures/signHash (described in Sign Hash) with the previously created accessToken. If the SignatureApplication wants to create a CaDES, JaDES or PaDES signature, the signatures/signDoc endpoint should be used.
Example for signatures/signHash:
POST /csc/v2/signatures/signHash Authorization: Bearer eyJhbGciOiJIUzI1N…. Content-Type: application/json { "credentialID": "74e…", "hashes": ["hhhE1nBOhXP+w02WfiC8/…”], "hashAlgorithmOID": "2.16.840.1.101.3.4.2.3", "signAlgo": "1.2.840.113549.1.1.1", "clientData": "…", "operationMode": "S", "SAD": "eyJhbGci…" } Example for signatures/signDoc:
POST /csc/v2/signatures/signDoc Authorization: Bearer eyJhbGciOiJIUzI1N…. Content-Type: application/json { "SAD": "eyJhbGci…" "credentialID": "74e…", "operationMode": "S", "returnValidationInfo": true, "documentDigests": [ { "hashes": ["hhhE1nBOhXP+w02WfiC8/…”], "hashAlgorithmOID": "2.16.840.1.101.3.4.2.3", “signAlgo": "1.2.840.113549.1.1.1", "signature_format": "C", "conformance_level": "Ades-B-T", "signed_envelope_property": "Detached" }] } Attention: returnValidationInfo can be used to add the validation information to the signature container.Revoke Access Token
After a successful signature process, the SignatureApplication can revoke the access tokens to prevent misuse of the tokens. Both access tokens can only be used for one hour. The credential access token can only be used for the maximum number of signatures as previously defined in the numSignatures parameter in the oauth2/authorise request.
Example for oauth2/revoke:
POST /oauth2/revoke Authorization: Bearer eyJhbGciOiJIUzI1N… Content-Type: application/x-www-form-urlencoded { token: eyJhbGci…, token_type_hint: access_token, client_id: <client_id> client_secret: <client_secret>, clientData: … } Optimized Flow
The optimized flow uses just one credential authorization request.
We recommend using the optimized flow!
Endpoint Description
Authorize Credential Request
In the optimised flow the steps to authorise the SignatureApplication and the credential can be combined.
This is done via a oauth2/authorize (described in Authorize Request) request with scope credential. For this request, the signer must be redirected to the SIGN8 OAuth2 server and first register or login and afterwards identify/ authenticate themselves.
Attention: In this request the hashes need to be base64URL-encoded!Example for oauth2/authorize (service authorization):
GET oauth2/authorize?response_type=code&client_id=<clientID>& redirect_uri=<OAuth_redirect_uri>&scope=credential& code_challenge=y_vuu0F6yittkyDa8…&code_challenge_method=S256& signatureQualifier=eu_eidas_qes&numSignatures=1& hashes=hhhE1nBOhXP-w02WfiC8_...& hashAlgorithmOID=2.16.840.1.101.3.4.2.3 Attention: In this step the SignatureApplication can passes one specific credentialID, which should be used or the signatureQualifier. The signatureQualifier specifies, which kind of signature will be created. If the parameter CredentialID is used, the SignatureApplication needs to secure if the credential is valid and assigned to the signatory. Otherwise, the authorization will fail. Access Token Credential Request
Afterwards the SignatureApplication needs to request a credential access token with oauth2/token (described in Access Token Request) to access the API functions.
Attention: The redirect_uri parameter needs to match the previous passed value in oauth2/authorize! Also, the code_verifier needs to match the code_challenge parameter previous passed.If the oauth2/authorise request was called with the signatureQualifier parameter, the response returns the credentialID that will be used in the signature process.
Example for oauth2/token:
POST /oauth2/token Content-Type: application/x-www-form-urlencoded { “grant_type”: “authorization_code”, “code”: “Jr86hfdsZ…”, “client_id”: <clientID>, “client_secret”: <client_secret>, “redirect_uri”: <OAuth_redirect_uri>, “code_verifier”: “xRi-wG0SWvURh…” } Get Credential Info
Optional the SignatureApplication can request further information about the authorized credential with credentials/list (described in Access Token Request). This step can be skipped.
Example for credentials/info:
POST /csc/v2/credentials/info Authorization: Bearer eyJhbGci… Content-Type: application/json { "credentialID": "74e…", "certificates": "chain", "certInfo": true, "authInfo": false } SignHash or SignDoc
Finally, the SignatureApplication can request a raw PKCS#1 signature via signatures/signHash (described in Sign Hash) with the previously created accessToken. If the SignatureApplication wants to create a CaDES, JaDES or PaDES signature, the signatures/signDoc endpoint should be used.
Example for signatures/signHash:
POST /csc/v2/signatures/signHash Authorization: Bearer eyJhbGci…. Content-Type: application/json { "credentialID": "74e…", "hashes": ["hhhE1nBOhXP+w02WfiC8/…”], "hashAlgorithmOID": "2.16.840.1.101.3.4.2.3", "signAlgo": "1.2.840.113549.1.1.1", "clientData": "…", "operationMode": "A", } Example for signatures/signDoc:
POST /csc/v2/signatures/signDoc Authorization: Bearer eyJhbGci…. Content-Type: application/json { "credentialID": "74e…", "operationMode": "A", "returnValidationInfo": true, "documentDigests": [ { "hashes": ["hhhE1nBOhXP+w02WfiC8/…”], "hashAlgorithmOID": "2.16.840.1.101.3.4.2.3", “signAlgo": "1.2.840.113549.1.1.1", "signature_format": "C", "conformance_level": "Ades-B-T", "signed_envelope_property": "Detached" }] } Attention: returnValidationInfo can be used to add the validation information to the signature container.Sign Polling
If signatures/signHash or signatures/signDoc was called asynchronously (“A”) in operationMode, only a responseID is returned in the response of the signature request. To retrieve the signature object, the SignatureApplication must call signatures/signPolling (described in Sign Polling).
Example for signatures/signPolling:
POST /csc/v2/signatures/signPolling Authorization: Bearer eyJhbGci… Content-Type: application/json { "requestID": "8d19…" } Revoke Access Token
After a successful signature process, the SignatureApplication can revoke the access tokens to prevent misuse of the tokens. Both access tokens can only be used for one hour. The credential access token can only be used for the maximum number of signatures as previously defined in the numSignatures parameter in the oauth2/authorise request.
Example for oauth2/revoke:
POST /oauth2/revoke Authorization: Bearer eyJhbGciOiJIUzI1N… Content-Type: application/x-www-form-urlencoded { token: eyJhbGci…, token_type_hint: access_token, client_id: <client_id> client_secret: <client_secret>, clientData: … }
All Endpoints
Info
Returns information about the remote service and the list of the API methods it supports.
POST {{ API_URL }}/csc/v2/info
Code | Message | Cause |
|---|---|---|
200 | Success | Success |
{ "specs": <specs>, "name": <name>, "logo": <logoURI>, "region": <region>, "lang": <lang>, "description": <description>, "authType": <authType>, "oauth2": <OAut2BaseURI>, "methods": <methods>, "signature_formats": <signatureFormats> "conformance_levels": <conformanceLevels> } OAuth2
Authorize Request
This is the OAuth 2.0 authorization endpoint. This endpoint needs to be opened in a popup or via redirect.
Attention: the “hashes” needs to be base64 URL-encoded!Path
GET {{ OAUTH2_URL }}/oauth2/authorize? Parameter
Key |
| Value | Possible Values |
|---|---|---|---|
scope | Required | String | service, credential |
client_id | Required | String | {{ client_ID }} |
redirect_uri | Required | String | {{ redirect_uri }} |
code_challenge | Required | String | {{ code_challenge }} |
code_challenge_method | Optional | String | S256, S384, S512
default: S256 |
state | Optional | String | Random string |
account_token | Required | String | {{ JWT }} |
response_type | Required |
| code |
credentialID | Required
(if scope = credential) | String | {{ credentialID }} |
signatureQualifier | Optional
(if scope = credential) | String | {{ signatureQualifier }} |
numSignatures | Required
(if scope = credential) | String | 1 - x |
hashes | Required
(if scope = credential) | Array of Strings | {{ hashes }} |
hashAlgorithmOID | Required
(if scope = credential) | String | 2.16.840.1.101.3.4.2.1, 2.16.840.1.101.3.4.2.2, 2.16.840.1.101.3.4.2.3 |
description | Optional | String | Random string |
When no redirect_uri is passed, we use the first registered redirect URI as default.
Result
Code | Message | Cause |
|---|---|---|
302 | Found | Found |
500 | Error | Internal Server Error |
302 Found - Code
<redirect_uri>/code=…&state=123456
<redirect_uri>/error=invalid_request&error_description=<description>
Authorize with Authentication Certificate Request
This is the OAuth 2.0 authorization endpoint, which can be used for shadow sealing processes.
To use the endpoint, the seal owner first needs to request an authentication certificate in his OAuth2 user account (under 2FA settings).
Attention: the “hashes” needs to be base64 URL-encodedPath
POST {{ OAUTH2_URL }}/oauth2/authorize_tls?
TLS authentication is required for access to this endpoint. The client must send a valid TLS client certificate issued by SIGN8 and the corresponding key with every request. The connection is only accepted on the server side if the certificate is valid.
Parameter
Key |
| Value | Possible Values |
|---|---|---|---|
scope | Required | String | service, credential |
client_id | Required | String | {{ client_ID }} |
redirect_uri | Required | String | {{ redirect_uri }} |
code_challenge | Required | String | {{ code_challenge }} |
code_challenge_method | Optional | String | S256, S384, S512
default: S256 |
state | Optional | String | Random string |
account_token | Required | String | {{ JWT }} |
response_type | Required | String | code |
credentialID | Required
(if scope = credential) | String | {{ credentialID }} |
numSignatures | Required
(if scope = credential) | String | 1 - x |
hashes | Required
(if scope = credential) | Array of Strings | {{ hashes }} |
hashAlgorithmOID | Required
(if scope = credential) | String | 2.16.840.1.101.3.4.2.1, 2.16.840.1.101.3.4.2.2, 2.16.840.1.101.3.4.2.3 |
description | Optional | String | Random string |
When no redirect_uri is passed, we use the first registered redirect URI as default.
Result
Code | Message | Cause |
|---|---|---|
200 | Ok | Ok |
400 | Error | Bad Request |
401 | Error | Unauthorized |
500 | Error | Internal Server Error |
{ “code”: {{ code }}, (“state”: {{ state }}) } Access Token Request
This is the OAuth2 token endpoint. It is used to obtain an OAuth 2.0 bearer access token from the authorization server by passing the authorization code or refresh token returned by the authorization server after a successful user authentication, along with the client ID and client secret.
Path
POST {{ OAUTH2_URL }}/oauth2/token
Key | Value |
|---|---|
Content-Type | application/x-www-form-urlencoded |
Key |
| Value | Possible Values |
|---|---|---|---|
grant_type | Required | String | authorization_code, refresh_token |
code | Required | String | {{ code }} |
client_id | Required | String | {{ client_ID }} |
client_secret | Optional | String | {{ client_secret }} |
redirect_uri | Required | String | {{ redirect_uri }} |
refresh_token | Optional | String | {{ refresh_token }} |
clientData | Optional | String | {{ clientData }} |
Code | Message | Cause |
|---|---|---|
200 | Ok | Ok |
400 | Error | Bad Request |
401 | Error | Unauthorized |
500 | Error | Internal Server Error |
200 Body
{ “access_token”: {{ access_token }} “token_type”: “Bearer”, “expires_in”: 3600, (“credentialID”: {{ credentialID }}) } Revoke Access Token
Revoke an access token or refresh token that was obtained from the authorization server. This method may be used to enforce the security of the remote service. When the signature application needs to terminate a session, it is recommended to invoke this method to prevent further access by reusing the token.
Path
POST {{ OAUTH2_URL }}/oauth2/revoke
Key | Value |
|---|---|
Authorization | Bearer {{service_access_token}} OR Bearer {{credential_access_token}} |
Content-Type | application/x-www-form-urlencoded |
Parameter
Key |
| Value | Possible Values |
|---|---|---|---|
token | Required | String | {{ access_token }} |
token_type_hint | Optional | String | access_token, refresh_token |
client_id | Required | String | {{ client_ID }} |
client_secret | Required | String | {{ client_secret }} |
clientData | Optional | String | {{ clientData }} |
Code | Message | Cause |
|---|---|---|
204 | Success | Ok |
400 | Error | Bad Request |
401 | Error | Unauthorized |
500 | Error | Internal Server Error |
Credentials Endpoints
Get Credentials List
Returns the list of credentials associated with a user identifier.
Path
POST {{ API_URL }}/csc/v2/credentials/list Header
Key | Value |
|---|---|
Authorization | Bearer {{service_access_token}} |
Content-Type | application/json |
Body
Key |
| Value | Possible Values |
|---|---|---|---|
credentialInfo | Required | Boolean | true, false |
certificates | Optional | String | “none”, “chain”, “single” |
certInfo | Optional | Boolean | true, false |
authInfo | Optional | Boolean | true, false |
onlyValid | Optional | Boolean | true, false |
clientData | Optional | String | {{ clientData }} |
Result
Code | Message | Cause |
|---|---|---|
200 | Ok | Ok |
400 | Error | Bad Request |
401 | Error | Unauthorized |
500 | Error | Internal Server Error |
200 Body
{ "credentialIDs": [ {{ credentialID1 }}, {{ credentialID2 }} ] "credentialInfos": [ { "credentialID": {{ credentialID1 }}, "key": { … }, "cert": { … }, "multisign": 1, "lang": {{ lang }} }, { … } ] } Get Credential Info
Retrieves the specified credential. If requested, it can also return the signing certificate, the whole associated certificate chain, additional information about the signing certificate and/or information about the authorization mechanism required to authorize access to the credential for remote signing.
Path
POST {{ API_URL }}/csc/v2/credentials/info
Header
Key | Value |
|---|---|
Authorization | Bearer {{credential_access_token}} |
Content-Type | application/json |
Body
Key |
| Value | Possible Values |
|---|---|---|---|
credentialID | Required | String | {{ credentialID }} |
certificates | Optional | String | „single“, „none“, „chain“ |
certInfo | Optional | Boolean | true, false |
authInfo | Optional | Boolean | true, false |
clientData | Optional | String | {{ clientData }} |
Result
Code | Message | Cause | |
|---|---|---|---|
200 | Ok | Ok |
|
400 | Error | Bad Request |
|
401 | Error | Unauthorized |
|
500 | Error | Internal Server Error |
|
200 Body
{ “key”: { … }, “cert”: { … }, “multisign”: 1, “lang”: {{ lang }} } Extend Transaction
Extends the authorization to a new hash. The hash needs to be base64 encoded.
Path
POST {{ API_URL }}/csc/v2/credentials/extendTransaction
Header
Key | Value |
Authorization | Bearer {{credential_access_token}} |
Content-Type | application/json |
Body
Key |
| Value | Possible Values |
credentialID | Required | String | {{ credentialID }} |
hashes | Required | Array of Strings | [ {{ hash1 }}, {{ hash2 }}, … ] |
hashAlgorithmOID | Required | String | 2.16.840.1.101.3.4.2.1, 2.16.840.1.101.3.4.2.2, 2.16.840.1.101.3.4.2.3 |
SAD | Required | String | {{ credential_access_token }} |
clientData | Optional | String | {{ clientData }} |
Result
Code | Message | Cause | |
200 | Ok | Ok |
|
400 | Error | Bad Request |
|
401 | Error | Unauthorized |
|
500 | Error | Internal Server Error |
|
200 Body
{ “SAD”: { … }, “expiresIn”: { … }, “clientData“: { … } } Sign Hash
Calculate the remote digital signature of one or multiple hash values provided in input.
This method requires service and credential authorization.
Attention: the hashes need to be equivalent to the hashes provided in the authorize or extendTransaction request!Path
POST {{ API_URL }} /csc/v2/signatures/signHash
Header
Key | Value |
|---|---|
Authorization | Bearer {{service_access_token}} OR Bearer {{credentials_access_token}} |
Content-Type | application/json |
Body
Key |
| Value | Possible Values |
|---|---|---|---|
credentialID | Required | String | {{ credentialID }} |
hashes | Required | Array of String | {{ hashes }} |
hashAlgorithmOID | Required | String | 2.16.840.1.101.3.4.2.1, 2.16.840.1.101.3.4.2.2, 2.16.840.1.101.3.4.2.3 |
signAlgo | Required | String | 1.2.840.113549.1.1.1 |
clientData | Optional | String | {{ clientData }} |
operationMode | Optional | String | “S”, “A” |
SAD | Required
(if service_access_token is used in the header) | String | {{ credential_access_token }} |
validity_period | Optional
(if operationMode = ‘A’) | Number | Between 6.000 and 600.000 |
response_uri | Optional
(if operationMode = ‘A’) | String | {{ response_uri }} |
Result
Code | Message | Cause |
|---|---|---|
200 | Success | Success |
400 | Error | Bad Request |
401 | Error | Unauthorized |
500 | Error | Internal Server Error |
200 Body
operationMode = “S”:
{ “signatures”: [ {{ signed_hash1 }}, {{ signed_hash2 }} ] } operationMode = “A”:
{ “responseID”: {{ UUID }} } How do I create the hash?
To create a Base64 URL-encoded string containing a hash generated by a SHA (Secure Hash Algorithm), follow these steps:
Generate a Hash:
Utilize a cryptographic hash function such as SHA-256 to create a unique and fixed-size hash value from the input data.
Encode the Hash in Base64:
Convert the generated hash into a Base64-encoded string. Base64 encoding is employed to represent binary data, like the hash, using a URL-safe and human-readable format. This hash will be used in the signature request!
URL Encode the Base64 String for authorize: Apply URL encoding to the Base64-encoded string. URL encoding replaces special characters with percentage-encoded equivalents, ensuring that the resulting string is safe for use in a URL without causing parsing issues.
Example for nodejs:
const crypto = require('crypto'); // Step 1: Generate a Hash (SHA-256) const inputData = 'YourDataToHash'; const hash = crypto.createHash('sha256').update(inputData).digest('hex'); // Step 2: Encode the Hash in Base64 const base64EncodedHash = Buffer.from(hash, 'hex').toString('base64'); // Step 3: URL Encode the Base64 String const urlEncodedHash = base64EncodedHash.replace(/-/g, '+') .replace(/_/g, '/') .replace(/%3D/g, '=');
Example for nodejs:
const crypto = require('crypto'); // Step 1: Generate a Hash (SHA-256) const inputData = 'YourDataToHash'; const hash = crypto.createHash('sha256').update(inputData).digest('hex'); // Step 2: Encode the Hash in Base64 const base64EncodedHash = Buffer.from(hash, 'hex').toString('base64'); // Step 3: URL Encode the Base64 String const urlEncodedHash = base64EncodedHash.replace(/-/g, '+') .replace(/_/g, '/') .replace(/%3D/g, '=');Sign Doc
Create one or more AdES signatures. This endpoint supports base64 encoded documents or hashes as input and can produce CaDES, PaDES or JaDES signatures with different conformance levels.
Path
POST {{ API_URL }} /csc/v2/signatures/signDoc
Key | Value |
|---|---|
Authorization | Bearer {{service_access_token}} OR Bearer {{credentials_access_token}} |
Content-Type | application/json |
Body
Key |
| Value | Possible Values |
|---|---|---|---|
credentialID | Required
(if NO signatureQualifier is provided) | String | {{ credentialID }} |
signatureQualifier | Required
(if NO credentialID is provided) | String | {{ signatureQualifier }} |
SAD | Required
(if service_access_token is in the header) | String | {{ credential_access_token }} |
documents | Required
(if NO documentDigests is provided) | Array (s. table) |
|
documentDigests | Required
(if NO documents is provided) | Array (s. table) |
|
operationMode | Optional | String | A, S |
validity_period | Optional
(if operationMode = ‚A‘) | Number | Between 6.000 and 600.000 |
response_uri | Optional
(if operationMode = ‚A‘) | String | {{ response_uri }} |
clientData | Optional | String | {{ clientData }} |
returnValidationInfo | Optional | Boolean | true |
The parameter documents OR documentDigests MUST be provided. ONLY ONE of both can be used in one request! documents array:
Key |
| Value | Possible Values |
|---|---|---|---|
document | Required | String | base64-encoded data |
signAlgo | Required | String | 1.2.840.113549.1.1.1 |
signature_format | Required | String | P, C, J |
conformance_level | Optional | String | Ades-B-B, Ades-B-LT, Ades-B-T |
signed_props | Optional | Dictionary | (s. table) |
Signed_envelope_property | Optional | String | Cades
Pades
Jades
|
documentDigests array:
Key |
| Value | Possible Values |
hashes | Required | Array of Strings | [ {{ hashes }} ] |
hashAlgorithmOID | Required | String | 2.16.840.1.101.3.4.2.1, 2.16.840.1.101.3.4.2.2, 2.16.840.1.101.3.4.2.3 |
signAlgo | Required | String | 1.2.840.113549.1.1.1 |
signature_format | Required | String | P, C, J |
conformance_level | Optional | String | Ades-B-B, Ades-B-LT, Ades-B-T |
signed_props | Optional | Dictionary | (s. table) |
Signed_envelope_property | Optional | String | Cades: Detached Pades: Revision Jades: Detached |
signed_props:
This dictionary can be used to specify the position of the signature field. If not specified, an invisible signature will be created.
attribute_name | attribute_value |
|---|---|
signatureField_position | [ left, bottom, width, height ] |
signatureField_page | 1 |
If “returnValidationInfo” is true, the response contains the OCSP response for the signing certificate used (1st entry in the array) & if the “conformance_level” was “Ades-B-T” or “Ades-B-LT”, the OCSP response for the timestamp (2nd entry in the array).
In addition, the response then contains the certificates used with their respective Trust Anchor.
Result
Code | Message | Cause |
|---|---|---|
200 | Success | Success |
400 | Error | Bad Request |
401 | Error | Unauthorized |
500 | Error | Internal Server Error |
200 Body
operationMode = “S” and documents:
{ “DocumentWithSignatures”: [ {{ signed_doc }} ] } operationMode = “S” and documentDigests:
{ “SignatureObject”: [ {{ signature_object }} ] } operationMode = “A”:
{ “responseID”: {{ UUID }} } Sign Polling
Sign Polling can be used to fetch the signatures after an asynchronous signature request. When the signature process is finished, it returns the signatures.
Path
POST {{ API_URL }} /csc/v2/signatures/signPollingKey | Value |
|---|---|
Authorization | Bearer {{credential_access_token}} |
Content-Type | application/x-www-form-urlencoded |
Body
Key |
| Value | Example |
|---|---|---|---|
requestID | Required | String | {{ requestID }} |
clientData | Optional | String | {{ clientData }} |
Result
Code | Message | Cause |
|---|---|---|
200 | Success | Ok |
400 | Error | Bad Request |
401 | Error | Unauthorized |
500 | Error | Internal Server Error |
200 Body
{ “signatures”: [ {{ signed_hash1 }}, {{ signed_hash2 }} ] } Do you need further support?
Related Articles
Workflow API
Introduction Welcome to the SIGN8 Workflow API! This guide is designed to help you integrate our Workflow API seamlessly into your system. The Workflow API provides core functionality for managing workflows within third-party systems and enables ...API Changelog
June 2025 New Features Breaking Changes Bug Fixing May 2025 New Features Breaking Changes CSC Update added account_token to authorize Added code_verifier to token creation Updated client creation added certificate management to oauth Bug Fixing April ...Integration for your system
Here you will find comprehensive information on our API solutions for digital signatures. As a leading provider, we offer two types of APIs that enable seamless integration and efficient workflows: Workflow API The Workflow API allows you to quickly ...