Full flow PAdES API and implementation guide.
Overview
- Merchant request an access token with the
signdoc/read_write
scope (i.e. client credentials grant) to be used in request to the SignDoc resource server. - Merchant creates and uploads the sign order by sending a request to the SignDoc resource server and receives a reference, i.e.
sign_id
. The signing transaction is initiated by adding the
sign
scope and thesign_id
reference as query parameters to the authorization request.- End user performs the signing using the BankID web client (netcentric).
- Merchant downloads the signing result from the SignDoc resource server.
Sign order expiration time
The sign order will expire in 90 seconds after it is created if user signing is not initiated (i.e. request to authorization endpoint).
The timeout for the sign order when user is signing is determined by the timeoutSeconds (default 1800 seconds) specified when the order was uploaded.
After the user has signed the order, the sign order will be valid for another 90 seconds before it expires.
Sequence diagram
Granting access to the SignDoc resource server
Requests to the SignDoc resource server requires an access token with the signdoc/read_write
scope.
The access token can be retrieved using the client credentials grant. See Access Tokens for more details.
Upload sign order to SignDoc resource server
POST [signdoc-baseurl]/signdoc/pades
Request
Headers
Key | Value |
---|---|
Authorization | Bearer |
Content-Type | application/json |
Request body
Key | Type / Description | Example JSON | ||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
signProperties (required) | JSON object:
| "signProperties": { | ||||||||||||||||||||||||||||||||||||||||||||||||
padesSignProperties | JSON object:
| "padesSignProperties": { | ||||||||||||||||||||||||||||||||||||||||||||||||
documents | JSON array of documents to be signed (minimum one). The document to be signed is represented as a JSON object:
| "documents": [ "description": "My document", | ||||||||||||||||||||||||||||||||||||||||||||||||
resultContent (required) | JSON array of string. Must contain at either "padesSignedPdf" or "padesAppendix" or both. The string values will determine the content result when retrieving a completed sign order later:
See result specifiers in the PAdES section in Scopes and claims for details. | ["padesSignedPdf", "padesAppendix", "documentHash"] |
Response
Content-Type: application/json
Code | Description | Example JSON response content |
---|---|---|
201 Created | Successfully uploaded PAdES sign order | { |
400 Bad request | Could not create order due to error in request. See the "errors"-array in the response for details. | { |
403 Forbidden | Access token is invalid. | AccessToken is invalid - Please provide reference: AbcDEf if reporting the problem. |
Example request
POST [signdoc-baseurl]/signdoc/pades { "signProperties": { |
Check status of sign order
GET [signdoc-baseurl]/signdoc/pades
Request
Headers
Key | Value |
---|---|
Authorization | Bearer access_token |
Query parameters
Parameter | Type | Description |
---|---|---|
sign_id | string | The sign_id that was return when uploading the signing order. |
Response
Code | Description | Example JSON response content |
---|---|---|
200 OK | Sign order was found. Returns the order state. Possible values are:
| { |
204 No Content | Sign order was not found. This could be caused by timeout or an invalid sign_id. | (empty) |
400 Bad Request | The query parameter sign_id was not provided. | signId can not be empty - Please provide reference: AbcDEf if reporting the problem. |
403 Forbidden | Access token is invalid or missing. | AccessToken is invalid - Please provide reference: AbcDEf if reporting the problem. |
Example request
GET [signdoc-baseurl]/signdoc/pades?sign_id=4120de56-4391-4e5a-adea-a28e62daac7e |
Delete sign order and download signing results
DELETE [signdoc-baseurl]/signdoc/pades
The sign order will be deleted if this request is made, regardless of sign order state.
Request
Headers
Key | Value |
---|---|
Authorization | Bearer access_token |
Query parameters
Parameter | Type | Description |
---|---|---|
sign_id | string | The sign_id that was return when uploading the signing order. |
Response
Code | Description | Example JSON response content |
---|---|---|
200 OK | Sign order was found. If order is not completed, i.e. order state is not "SIGN_COMPLETED", the signing results will be an empty array. | { |
204 No Content | Sign order was not found. This could be caused by timeout or an invalid sign_id. | (empty) |
400 Bad Request | The query parameter sign_id was not provided. | signId can not be empty - Please provide reference: AbcDEf if reporting the problem. |
403 Forbidden | Access token is invalid or missing. | AccessToken is invalid - Please provide reference: AbcDEf if reporting the problem. |
Example request
DELETE [signdoc-baseurl]/signdoc/pades?sign_id=4120de56-4391-4e5a-adea-a28e62daac7e |
Multiple end user signatures in the same envelope
Multiple end user signatures in the same envelope is supported through serial signing. In serial signing, the order of the signatories matters because any signatures that already exists in the document are part of the data that is signed over. The output from one signing session is used as input for the next. That means that the signed document is uploaded to the SignDoc resource server, the merchant receives a new sign_id
and initiates a new signing session with this sign_id
for the next end user to sign and then downloads the document with multiple end user signatures. For any signature sessions following the first, you would like to set endUserOnly
to true
for all documents when uploading the order to the SignDoc resource server to prevent multiple merchant signatures.