Features
Authentic Easy To Use Secure
Pricing
Docs
API CLI
Downloads
Sign up

PDF Signing API

At a high level, the signing process is:

  1. Create a CMS placeholder that will hold the CMS signature
  2. Compute the PDF’s SHA-256 digest, not including the bytes in the CMS placeholder (but including the ByteRange used to define it)
  3. Invoke this API to compute the CMS using the digest and the signing certificate
  4. Apply the CMS into the placeholder

This document covers step #3; the other steps are out of its scope. Please refer to Adobe’s Documentation for more details.

We recommend you use an existing library in your stack for the remaining steps, or simply use our CLI.

API: POST /api/v1/sign

Given a PDF digest and authentication, returns a CMS to embed in the PDF placeholder.

Request Headers

  • X-Authorization-Algorithm: Must be set to HmacSHA256.
  • X-Authorization-Time: Current ISO 8601 time; your clock must be accurate to within one minute of the correct time.
  • X-Authorization-Key: API key id; a UUID assigned by us
  • X-Authorization: Base64(Hmac-SHA256(API Key, (message + ISO 8601 time sent above)))

The X-Authorization header is computed by taking the SHA-256 of the message body (UTF-8 encoded), appending the current time in ISO-8601 format (YYYY-MM-DDTHH:MM:SS.000Z), and applying HMAC-SHA256 to it using your API Key. The resulting Hmac must be base64 encoded. The server will compute the same HMAC with its copy of your API key; if they match the request will proceed, any other condition will result in a HTTP 401 error.

Sample HTTP request

Given:

  • The current time is 2025-04-13T18:21:44.040Z
  • The API key ID is 9eacf1f6-7b34-4752-0e3c-0a96baf273aa
  • The API Key is (hex-encoded; you must use the raw bytes): c80dd3f9db3330aa5daae1b469613cce2212e2beba7882b08fcc80acedba4c43
  • The body of the message is { "digest": "wriYLGsKP7H91843t7svOIfoxxErUkJWdemTY1yQs1E=" }

Then the resulting HTTP request should be exactly this:

1
2
3
4
5
6
7
8

POST https://api.trusted-signatures.com/api/v1/sign 

X-Authorization-Algorithm: HmacSHA256
X-Authorization-Time: 2025-04-13T18:21:44.040Z
X-Authorization-Key: 9eacf1f6-7b34-4752-0e3c-0a96baf273aa
X-Authorization: npzzJHgnEnam5fpO/Dbt6YVBLE7HavpWGVv01ctWoP0=

{ "digest": "wriYLGsKP7H91843t7svOIfoxxErUkJWdemTY1yQs1E=" }

Request Body

The request body is a simple JSON object:

1
2
3
4

{
  "digestAlgorithm": "SHA256",
  "digest": "<base64-encoded SHA256 PDF digest>"
}

CMS Placeholder size

The CMS placeholder you create must be large enough to hold the CMS. Since the CMS placeholder must be inserted into the PDF before calculating the digest, and the size of the CMS is unknown prior to signing, we recommend you allocate 10KB (10,240 bytes) for your CMS placeholder.

The PDF Digest

The digest you send to us must be computed using the SHA-256 algorithm. Other algorithms will be supported in future versions of the API.

Response Body

The response body is also simple:

1
2
3

{ 
    "signature": "<base64-encoded CMS>"
}

Applying the CMS

The API returns the CMS that contains the signature. You must decode the CMS, encode it as hexadecimal and into the CMS placeholder you created, padding any remaining space with 00.

Want a green-check?

Trusted Signatures provides the fastest, most affordable, secure PDF signatures on the internet.

Get Started Free