
eSign API

Upload a PDF, place fields, send signing links, receive a PKCS#7-sealed document. OAuth2 auth, HMAC-signed webhooks, OTP identity verification — all in a REST API. Free tier, no credit card, live in hours.

Get free API keys → · View API docs →
eSign API — create, send, download in 3 calls
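# 1. Authenticate (values are quoted and URL-encoded so special characters in the secret survive)
TOKEN=$(curl -s -X POST https://api.getsigned.app/oauth/token \
  -d grant_type=client_credentials \
  --data-urlencode "client_id=$CLIENT_ID" \
  --data-urlencode "client_secret=$CLIENT_SECRET" \
  | jq -r .access_token)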

# 2. Create envelope — upload PDF + declare signers + place fields
ENV=$(curl -s -X POST https://api.getsigned.app/v1/envelopes \
  -H "Authorization: Bearer $TOKEN" \
  -F "document=@contract.pdf;type=application/pdf" \
  -F 'signers=[{"name":"Jordan","email":"jordan@co.io"}]' \
  -F 'fields=[{"type":"signature","page":1,"x":300,"y":580,"w":200,"h":60}]' \
  | jq -r .id)

# 3. Send — Jordan gets a tokenized signing link by email
curl -X POST "https://api.getsigned.app/v1/envelopes/$ENV/send" \
  -H "Authorization: Bearer $TOKEN"

# When Jordan signs → envelope.completed webhook fires:
# GET /v1/envelopes/$ENV/document → sealed PDF ready to download

API endpoints

Method  Path                          Description
POST    /oauth/token                  Get a bearer token using client credentials.
POST    /v1/envelopes                 Create an envelope — upload PDF, declare signers, place fields.
POST    /v1/envelopes/{id}/send       Dispatch signing links to all signers.
GET     /v1/envelopes/{id}            Check envelope status and retrieve audit metadata.
GET     /v1/envelopes/{id}/document   Download the PKCS#7-sealed completed PDF.
POST    /v1/webhooks                  Register a webhook URL to receive signing events.

All routes are versioned under /v1/. See the full API docs for request/response schemas.

What the eSign API includes

OAuth2 client credentials

Standard OAuth2 flow — exchange your client ID and secret for a bearer token. The token is valid for 3600 seconds. No API-key strings, no session management.

Any PDF, any device

Upload any standard PDF. Signers receive an email link and sign on any browser — desktop, tablet, or mobile. No app install required.

Sequential and parallel routing

Control signing order with routing_order. Same value = parallel (all sign at once). Incrementing values = sequential (next signer gets their link only after previous completes).

OTP identity verification

Every signer verifies their identity with an email or SMS one-time code before they can access the document. The verification is recorded in the audit log.

PKCS#7 digital seal

Every completed document is sealed with a CA-issued digital signature before the webhook fires. Any byte-level modification after sealing is detectable in any PDF reader.

HMAC-signed webhooks

GetSigned signs every webhook POST with HMAC-SHA256. Verify the X-GetSigned-Signature header before processing to ensure the event is authentic.
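A receiver-side check for the X-GetSigned-Signature header, as an added example that is not GetSigned's own code. It assumes the header carries the lowercase hex HMAC-SHA256 of the exact request body bytes, keyed with a shared webhook secret; the secret value and the payload field names are constructed for illustration.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "x-getsigned-signature"  # header named on the page, lower-cased


def expected_signature(secret: bytes, raw_body: bytes) -> str:
    # ASSUMPTION: hex digest of HMAC-SHA256 over the raw body bytes.
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    # HTTP header names are case-insensitive, so normalise before the lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(SIGNATURE_HEADER, "")
    received = received.strip().lower()
    if not received:
        return False  # unsigned request: reject, never fall through to processing
    expected = expected_signature(secret, raw_body)
    # Constant-time comparison on bytes, so odd header content cannot raise.
    return hmac.compare_digest(expected.encode(), received.encode("utf-8", "replace"))


def handle_webhook(secret: bytes, raw_body: bytes, headers: dict):
    """Return (http_status, event_or_None); JSON is parsed only after the MAC checks out."""
    if not verify_webhook(secret, raw_body, headers):
        return 401, None
    try:
        event = json.loads(raw_body)
    except ValueError:
        return 400, None
    return 200, event


if __name__ == "__main__":
    secret = b"constructed-test-secret"  # constructed value
    body = b'{"event":"envelope.completed","envelope_id":"env_example"}'  # constructed payload
    signed = {"X-GetSigned-Signature": expected_signature(secret, body)}
    print(handle_webhook(secret, body, signed))  # accepted
    # Same JSON, re-serialised with a space: the bytes differ, so the MAC fails.
    print(handle_webhook(secret, body.replace(b'":"', b'": "'), signed))
    print(handle_webhook(secret, body, {}))  # missing header
```

Verify against the bytes as received from the socket; a framework that hands you an already-parsed body will produce different bytes when re-serialised and the comparison will fail.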

Frequently asked questions

What is an eSign API?

An eSign API (electronic signature API) is a web service that lets your application send documents for signature, collect legally binding e-signatures from one or more signers, and return a tamper-evident sealed document — all without building the signing infrastructure yourself. GetSigned's eSign API is REST-based: you authenticate with OAuth2, upload a PDF with signer and field details, call /send, and receive the sealed document via webhook when signing completes.

How is an eSign API different from an e-signature service like DocuSign?

An e-signature service like DocuSign is a standalone product with its own UI, user accounts, and dashboards — designed for business users to send documents manually. An eSign API is designed for developers to embed signing into their own application — no user needs to log into a separate service. GetSigned is API-first: your application sends the API calls, signers interact with a hosted signing page (branded with your name), and your backend receives webhook events. There is no separate UI for senders to manage.

What authentication method does the eSign API use?

OAuth2 client credentials flow. Your application authenticates with a client_id and client_secret, receives a bearer token valid for 3600 seconds, and includes it in the Authorization header of every request. Tokens should be cached and refreshed before expiry — not requested on every call. Client credentials are issued per application (one set per integration), not per user.
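One way to cache the bearer token and refresh it shortly before the 3600-second expiry, as an added example that is not GetSigned's own client code. The `TokenCache` and `fetch_token` names and the 60-second safety margin are assumptions; `expires_in` is the standard OAuth2 response field and the code falls back to the page's 3600 seconds if it is absent.

```python
import json
import threading
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.getsigned.app/oauth/token"  # endpoint from the page


def fetch_token(client_id: str, client_secret: str, url: str = TOKEN_URL) -> dict:
    """POST the client credentials and return the parsed token response."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=form), timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Hand out one cached token; refresh `skew` seconds before it expires."""

    def __init__(self, fetch, clock=time.monotonic, skew: float = 60):
        self._fetch = fetch          # zero-argument callable returning the token response
        self._clock = clock          # injectable so expiry can be tested without sleeping
        self._skew = skew            # ASSUMPTION: 60 s margin for clock drift and latency
        self._lock = threading.Lock()
        self._token = None
        self._expires_at = 0.0

    def get(self) -> str:
        # The lock keeps concurrent workers from all hitting /oauth/token at once.
        with self._lock:
            if self._token is None or self._clock() >= self._expires_at - self._skew:
                resp = self._fetch()
                self._token = resp["access_token"]
                self._expires_at = self._clock() + float(resp.get("expires_in", 3600))
            return self._token


# Usage (needs real credentials and network access):
#   cache = TokenCache(lambda: fetch_token(CLIENT_ID, CLIENT_SECRET))
#   headers = {"Authorization": "Bearer " + cache.get()}
```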

How long does it take to integrate an eSign API?

Most developers have their first signed document in 2–4 hours. The minimal integration is three calls: POST /v1/envelopes (create), POST /v1/envelopes/{id}/send (send), and a webhook endpoint to receive envelope.completed. A full production integration with error handling, retry logic, and status UI typically takes one to two days.

Is there a free tier for the eSign API?

Yes. The free tier includes 25 envelopes per month with full API access: OAuth2 authentication, PKCS#7 sealing, hash-chained audit trails, webhooks, and OTP identity verification. No credit card required. The free tier is permanent — not a trial. When your volume exceeds 25 envelopes per month, upgrade to the Growth tier, which is usage-based.

Related: What is an e-signature API? · Integration guide · Webhook guide · Pricing

Get your first signed document today

Free tier — 25 envelopes per month. Full API access, no credit card.

Get free API keys →