Documentation

Everything you need to sign documents and integrate with the SignerAuthority API.

Getting Started

SignerAuthority lets you create, sign, and verify documents with cryptographic proof. Here's how it works:

1. Create an account — Sign up with your email. We use magic link authentication (no passwords).
2. Create a document — Write or paste your content, add signers by name and email.
3. Signers receive an email — Each signer gets a unique, secure link. No account required to sign.
4. Everyone signs — Signers provide electronic consent and their signature (typed, drawn, or uploaded).
5. Document completes — Once all signers have signed, a cryptographically verified PDF is generated and all parties are notified.

Creating Documents

From the Create page, you can:

• Use the rich text editor to compose your document
• Upload PDF, DOCX, or Markdown files
• Add multiple signers with their name and email address

When you create a document, each signer receives an email with a unique signing link. The document creator is automatically added as a signer.

A SHA-256 hash of the document content is generated at creation time. This hash is used to verify that the document has not been tampered with after signing.

Signing Documents

Signers do not need an account. They click their unique link and:

1. Review the document content
2. Provide electronic consent by checking the consent checkbox
3. Add their signature using one of three methods:
   • Type — Type your name and select a font
   • Draw — Draw your signature with a mouse or touchscreen
   • Upload — Upload an image of your signature
4. Click "Sign Document"

Each signature is recorded with a timestamp, IP address, user agent, and HMAC-SHA256 cryptographic signature for tamper detection.

Document Lifecycle

Status	Description
pending	Document created, no signatures yet
partial	At least one signer has signed, others pending
completed	All signers have signed. PDF generated.

Dashboard

The Dashboard organizes your documents into three tabs:

• Needs Your Signature — Documents waiting for you to sign
• Waiting on Others — Documents you've signed (or created) where other signers are pending. You can resend invitation emails from here.
• Completed — Fully signed documents. Download the signed PDF or view the verification certificate.

Click any document title to open the detail modal with content preview, signer status, and full audit trail.

Audit Trails

Every action on a document is recorded in an immutable audit trail:

• created — Document created with content hash
• joined — Signer viewed the document
• signed — Signer applied their signature (includes HMAC hash)
• verified — Document integrity verified
• completed — All signatures collected, PDF generated
• asserted — MIR assertion created for the document

Each entry records the user, timestamp, IP address, and user agent.

Verification

Completed documents can be verified in two ways:

• On-platform — The verify button checks document integrity, content hash, and all signature HMACs.
• MIR Assertions — Every completed document is asserted to MIR Assertions with a cryptographic Ed25519 signature. Anyone can verify the document hash at mirassertions.org/verify/{hash}.

MIR Integration

SignerAuthority integrates with MIR (My Internet Reputation) in two ways:

MIR Assertions

Every completed document is automatically asserted to MIR Assertions with a cryptographic proof. This creates a permanent, verifiable record that the document existed and was signed.

MIR Participation History

Optionally link your account to MIR from the Account page to build cross-platform reputation. Signing events are recorded (using only your opaque user ID — no personal information is shared).

API Reference

The SignerAuthority REST API lets you create, sign, and verify documents programmatically.

Base URL: https://signerauthority.com/api/v1

Authentication

All API requests (except public PDF/certificate downloads) require an API key sent in the Authorization header:

Authorization: Bearer sa_your_api_key_here

Manage your API keys from the Account page or via the API:

Method	Endpoint	Description
POST	/api/v1/keys	Create a new API key (session auth required)
GET	/api/v1/keys	List your API keys
DELETE	/api/v1/keys/:id	Revoke an API key

Create API Key

curl -X POST https://signerauthority.com/api/v1/keys \
  -H "Content-Type: application/json" \
  -b "session_cookie" \
  -d '{"name": "My App"}'

The full key is returned only once. Store it securely.

Envelopes

Method	Endpoint	Description
POST	/api/v1/envelopes	Create an envelope
GET	/api/v1/envelopes	List envelopes
GET	/api/v1/envelopes/:id	Get envelope details

Create Envelope

curl -X POST https://signerauthority.com/api/v1/envelopes \
  -H "Authorization: Bearer sa_your_key" \
  -H "Content-Type: application/json" \
  -d '{
    "title": "Service Agreement",
    "content": "<p>Agreement content here...</p>",
    "signers": [
      {"id": "signer-1", "name": "Alice Smith", "email": "alice@example.com"},
      {"id": "signer-2", "name": "Bob Jones", "email": "bob@example.com"}
    ]
  }'

List Envelopes

curl https://signerauthority.com/api/v1/envelopes?status=completed&limit=10&offset=0 \
  -H "Authorization: Bearer sa_your_key"

Query params: status (pending, partial, completed), limit (1–100, default 25), offset (default 0).

Signing

curl -X POST https://signerauthority.com/api/v1/envelopes/:id/sign \
  -H "Authorization: Bearer sa_your_key" \
  -H "Content-Type: application/json" \
  -d '{
    "signerId": "signer-1",
    "signatureData": "Alice Smith",
    "signatureType": "typed",
    "consentVersion": "1.0",
    "consentedAt": "2026-02-22T12:00:00Z"
  }'

Field	Required	Description
signerId	Yes	The signer's ID (from envelope creation)
signatureData	Yes	Typed name, drawn canvas data URL, or uploaded image data URL
signatureType	No	typed (default), drawn, or image
consentVersion	Yes	Version of consent text the signer agreed to
consentedAt	No	ISO 8601 timestamp of consent

Verification

curl -X POST https://signerauthority.com/api/v1/envelopes/:id/verify \
  -H "Authorization: Bearer sa_your_key"

Returns content hash verification, individual signature HMAC checks, and overall integrity status.

Re-assert to MIR

curl -X POST https://signerauthority.com/api/v1/envelopes/:id/reassert \
  -H "Authorization: Bearer sa_your_key"

Re-triggers MIR assertion for a completed envelope. Returns the assertion ID.

PDF & Certificate Download

These endpoints are public (no API key required). The envelope ID serves as the access token.

Method	Endpoint	Description
GET	/api/v1/envelopes/:id/pdf	Download signed PDF
GET	/api/v1/envelopes/:id/certificate	Download signing certificate

Append ?download=1 to force a file download instead of inline display.

Audit Trail

curl https://signerauthority.com/api/v1/envelopes/:id/audit \
  -H "Authorization: Bearer sa_your_key"

Returns the full audit trail with action, user, timestamp, IP address, and signature hashes.

Webhooks

Register webhook URLs to receive real-time notifications when document events occur.

Available Events

Event	Fired When
document.created	A new envelope is created
document.signed	A signer signs the document
document.completed	All signers have signed
document.verified	Document integrity is verified

Register a Webhook

curl -X POST https://signerauthority.com/api/v1/webhooks \
  -H "Authorization: Bearer sa_your_key" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://yourapp.com/webhooks/signer",
    "events": ["document.completed", "document.signed"]
  }'

The webhook secret is returned only once. Use it to verify webhook signatures.

Manage Webhooks

Method	Endpoint	Description
GET	/api/v1/webhooks	List webhooks
GET	/api/v1/webhooks/:id	Get webhook details
PATCH	/api/v1/webhooks/:id	Update webhook (url, events, active)
DELETE	/api/v1/webhooks/:id	Delete webhook
GET	/api/v1/webhooks/:id/logs	View delivery logs

Errors

All errors follow a consistent format:

{
  "error": {
    "type": "invalid_request_error",
    "message": "Title is required.",
    "param": "title"
  }
}

Type	HTTP Status	Meaning
authentication_error	401	Missing or invalid API key
invalid_request_error	400	Invalid parameters
not_found_error	404	Resource not found
rate_limit_error	429	Too many requests
api_error	500	Internal server error