Document Signing API Guide for Developers

Document signing APIs let developers add legally binding digital signatures to PDF documents without building the cryptographic infrastructure themselves. Whether you're generating contracts, compliance documents, invoices, or certificates, a signing API turns a manual process into a programmable one.

This guide covers the fundamentals of document signing APIs, explains the difference between electronic and digital signatures, and walks you through integrating the PDFSignify API into a real application.

What Is a Document Signing API?

A document signing API is a web service that accepts a document (typically a PDF) and applies a cryptographic digital signature to it. The signed document can then be verified by any PDF reader — the signature proves the document hasn't been tampered with since it was signed, and it identifies who signed it.

There are two broad categories of signing APIs. Workflow-based platforms (like DocuSign or Adobe Sign) manage the entire signing ceremony: sending emails to signers, tracking who has viewed and signed, storing documents, and firing webhooks. Certificate-based signing APIs, on the other hand, focus purely on the cryptographic operation: you provide a PDF and a digital certificate, and the API applies the signature and returns the signed document.

Key Concepts in Certificate-Based Signing

Digital Certificates (.pfx / .p12)

A digital certificate is a file that contains a private key and a public certificate chain. The most common formats are .pfx (PKCS#12) and .p12 — they're the same format with different extensions. You can purchase certificates from certificate authorities (CAs) like DigiCert, GlobalSign, or Comodo, or you can generate self-signed certificates for internal use.

Certificate Passwords

Every .pfx/.p12 file is encrypted with a password that protects the private key inside. When using a signing API, you must provide this password alongside the certificate file so the API can access the private key and create the signature.

Signature Appearance

A digital signature has two parts: the invisible cryptographic data embedded in the PDF, and the optional visible stamp that appears on the page. Most signing APIs let you control where the visible signature appears, its size, the message it displays, and even a background image like a company logo or a handwritten signature.

PDF Metadata

PDFs carry metadata fields like author, title, subject, keywords, creator, and dates. A good signing API lets you set or update these fields alongside the signing operation, which is important for compliance, archiving, and document management systems.

How PDFSignify Works

PDFSignify is a certificate-based signing API. It's fully synchronous: you send a request with your PDF and certificate, and you get the signed PDF back in the response. There are no stored documents, no signer emails, no webhooks, and no workflow states. The API has three endpoints:

• POST /api/v1/sign-pdf — Sign a PDF with a digital certificate. Returns the signed PDF as binary data.
• POST /api/v1/set-pdf-metadata — Update PDF metadata fields (author, title, keywords, etc.). Returns the updated PDF.
• POST /api/v1/check-certificate-password — Validate that a certificate file and password are correct. Returns JSON.

Authentication is simple: every request requires an AccessKey and SecretKey header. No Bearer tokens, no OAuth, no session management.

Authentication

After creating an account at pdfsignify.com, you'll receive an AccessKey and a SecretKey from your dashboard. Include both as HTTP headers on every request:

curl -X POST https://api.pdfsignify.com/api/v1/sign-pdf \
  -H "AccessKey: YOUR_ACCESS_KEY" \
  -H "SecretKey: YOUR_SECRET_KEY" \
  -F "[email protected]" \
  -F "certificatePassword=your_cert_password" \
  -F "[email protected]" \
  --output signed.pdf

Signing a PDF: Complete Example

The sign-pdf endpoint is the core of the API. It accepts multipart/form-data with three required fields: your digital certificate, the certificate password, and the PDF to sign. Here's a complete Node.js example:

import axios from "axios";
import * as fs from "fs";
import FormData from "form-data";

const formData = new FormData();
formData.append("certificate", fs.readFileSync("certificate.pfx"), {
  filename: "certificate.pfx",
  contentType: "application/x-pkcs12"
});
formData.append("certificatePassword", "your_cert_password");
formData.append("pdf", fs.readFileSync("contract.pdf"), {
  filename: "contract.pdf",
  contentType: "application/pdf"
});

const response = await axios.post(
  "https://api.pdfsignify.com/api/v1/sign-pdf",
  formData,
  {
    headers: {
      ...formData.getHeaders(),
      "AccessKey": "YOUR_ACCESS_KEY",
      "SecretKey": "YOUR_SECRET_KEY"
    },
    responseType: "arraybuffer"
  }
);

fs.writeFileSync("contract-signed.pdf", response.data);
console.log("Document signed successfully.");

Customizing the Signature

You can control every aspect of how the visible signature appears on the PDF. All customization fields are optional — append them to the same multipart form alongside the required fields.

• signatureMessage — Text displayed in the signature block (e.g., "Signed by Legal Department")
• signatureBackgroundImage — An image file (PNG, JPEG) used as the signature background, such as a logo or handwritten signature
• signaturePageAppearance — Which page(s) show the signature. Use -1 to display on all pages
• signatureXPosition / signatureYPosition — Coordinates for the signature placement on the page
• signatureWidth / signatureHeight — Dimensions of the signature block in points
• signatureDateLabel — Label shown before the date in the signature
• signatureDateFormat — Date format string (e.g., "Y-m-d H:i:s")
• timezone — Timezone for the signature timestamp (e.g., "Europe/London", "America/New_York")

formData.append("signatureMessage", "Approved by Legal Department");
formData.append("signatureBackgroundImage", fs.readFileSync("signature.png"), {
  filename: "signature.png",
  contentType: "image/png"
});
formData.append("signaturePageAppearance", "-1");
formData.append("signatureXPosition", "350");
formData.append("signatureYPosition", "50");
formData.append("signatureWidth", "200");
formData.append("signatureHeight", "80");
formData.append("signatureDateFormat", "Y-m-d H:i:s");
formData.append("timezone", "America/New_York");

Setting PDF Metadata

The set-pdf-metadata endpoint lets you update metadata fields on a PDF without signing it. This is useful for document management, compliance tagging, or preparing documents before they enter an archival system.

const formData = new FormData();
formData.append("pdf", fs.readFileSync("report.pdf"), {
  filename: "report.pdf",
  contentType: "application/pdf"
});
formData.append("pdfMetadataAuthor", "ACME Legal Team");
formData.append("pdfMetadataTitle", "Annual Compliance Report 2026");
formData.append("pdfMetadataSubject", "Regulatory Compliance");
formData.append("pdfMetadataKeywords", "compliance,legal,annual,2026");

const response = await axios.post(
  "https://api.pdfsignify.com/api/v1/set-pdf-metadata",
  formData,
  {
    headers: {
      ...formData.getHeaders(),
      "AccessKey": "YOUR_ACCESS_KEY",
      "SecretKey": "YOUR_SECRET_KEY"
    },
    responseType: "arraybuffer"
  }
);

fs.writeFileSync("report-tagged.pdf", response.data);

Validating Certificates Before Signing

If your application lets users upload their own certificates, you'll want to validate the certificate and password before attempting to sign a batch of documents. The check-certificate-password endpoint does exactly this — it returns a JSON response indicating whether the credentials are valid.

const formData = new FormData();
formData.append("certificate", fs.readFileSync("certificate.pfx"), {
  filename: "certificate.pfx",
  contentType: "application/x-pkcs12"
});
formData.append("certificatePassword", "your_cert_password");

const response = await axios.post(
  "https://api.pdfsignify.com/api/v1/check-certificate-password",
  formData,
  {
    headers: {
      ...formData.getHeaders(),
      "AccessKey": "YOUR_ACCESS_KEY",
      "SecretKey": "YOUR_SECRET_KEY"
    }
  }
);

if (response.data.success) {
  console.log("Certificate is valid. Ready to sign.");
} else {
  console.log("Invalid certificate or password.");
}

When to Use a Certificate-Based Signing API

Certificate-based signing APIs like PDFSignify are ideal when you need cryptographic proof that a document hasn't been altered. Common use cases include:

• Automated contract generation and signing in SaaS platforms
• Compliance documents that require tamper-evident seals
• Invoice and purchase order signing in ERP integrations
• Government and regulatory document submissions
• CI/CD pipelines that generate and sign release documents
• Internal document approval systems where your server signs on behalf of the organization

Security Best Practices

• Never expose your AccessKey, SecretKey, or certificate password in client-side code
• Store certificates in encrypted secret stores (AWS Secrets Manager, HashiCorp Vault, etc.)
• Use environment variables for API credentials in your deployment pipelines
• Validate certificates with the check-certificate-password endpoint before batch operations
• Use HTTPS for all API calls (the PDFSignify API enforces this)

Summary

Document signing APIs remove the manual overhead from applying digital signatures to PDFs. PDFSignify takes this a step further by keeping the API fully synchronous and stateless — there are no documents to manage, no signer emails to send, and no webhook callbacks to handle. You send a PDF and a certificate, and you get a signed PDF back. It's the simplest way to add real cryptographic document signing to your application.

A good signing API should feel like a function call: input a PDF and a certificate, output a signed PDF. That's exactly what PDFSignify does.