Published in Source Group

Technical electronic signature implementation

Understand the electronic signature protocols

Seeing as the subject requires strong legal expertise, we will try to make it as accessible as we can, and we are only going to tackle the fundamentals.

What is an electronic signature?

An electronic signature (or e-signature) is a legal way to get consent or approval on electronic documents. It can replace a handwritten signature in any process. E-signatures are commonly split into three security levels: simple, advanced, and qualified.

Simple

The simple electronic signature has a low level of security: it gives no real evidence of who the signer actually was. There is no mandatory technical requirement, but a phone number check is recommended. It works for simple contracts: insurance, opening a bank account, employment contracts, lease contracts, etc.

Advanced

This type of electronic signature has legal validity (for example, it is regulated in the EU by eIDAS and the ETSI standards) with a much higher level of security. It must validate the identity of the signer. For this reason, our technical implementation will need to validate both the identity and the phone number. This level of security is mandatory for complex contracts: sales agreements, credit contracts, life insurance, etc.

Qualified

The qualified electronic signature offers the highest level of security; it is the strictest and most complex of the three. Moreover, it is considered, all across the EU, as the legal equivalent of a handwritten signature. It uses the same criteria as the advanced electronic signature, plus an in-real-life identity validation. The user is provided with a hardware device (such as a USB key with a token on it) in order to validate their identity during the signing process. As this process can get pretty complex, I highly recommend reaching out to signing services (YouSign, SignEasy, DocuSign, and so on) in order to get more information.

Technical approach

You will find many services providing electronic signing, with different prices, contract authorizations, and more. But in the online documentation of each service you will often find a signature workflow like this one:

E-signature workflow
  • Contracts authorization EU only
  • Good customer service
  • Contracts authorization Worldwide
  • Custom document Template is well-thought-out
  • Price: with a trial plan, then starting at $8/month

Basic implementation with YouSign

Now, we will see how to implement a simple solution, using YouSign. If you want to learn more, I recommend looking at the very well-built documentation. The goal of this part is not to provide a deliverable at the end of the step, but more to explain to you the different steps of the electronic signature flow including a third-party service. Best practices can differ according to the API provider you choose, but in our case, we will do a basic implementation, using YouSign.

Upload file

POST {{API_URL}}/files
First, we need to upload the file we would like our users to sign.
The content must be sent in the body as base64, without the data-URL header
(remove the header: data:application/pdf;base64)

Parameters: POST /files

Create procedure

POST {{API_URL}}/procedures
This step allows you to link the previously uploaded document with the signer's information.

Parameters: POST /procedures
  • a “start” boolean set to true
  • a “fileObjects”, with the file’s id in it
  • potential extra mentions
  • position of the signature (in my example, on page 1, positioned at “57,50,155,100”)

Sign document with SMS

Now, we are on the signatory side and we want them to validate (sign) our document. This is a mandatory step that must be done using a mobile phone. So we need to send an SMS with the following request, and save the authentication id from its response:

Parameters: POST /operations
Parameters: PUT /authentications/sms/{{AUTHENTIFICATION_ID}}
  • draft: The signing process has not started, so no one can sign it. But it is possible to edit the procedure.
  • active: Members can sign the document.
  • finished: All members have finished signing the document.
  • expired: You can set an expiration date in the expiresAt field. After this date, members can't sign it anymore.
  • refused: At least one of the members decided to refuse the procedure.
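As an added example (not YouSign's code and not from the original post), here is how the file upload body, the procedure body and the status list above fit together in Python, with the checks a backend should run before trusting the data it forwards. Only start, fileObjects, page 1 and the position string come from the post; the name and members fields, the signer keys, the file reference format and an ISO 8601 expiresAt are assumptions.

```python
import base64
import binascii
from datetime import datetime, timezone
from typing import Optional

DATA_URL_PREFIX = "data:application/pdf;base64,"

# Constructed sample: a minimal PDF header wrapped as a data-URL, the form a
# browser's FileReader produces and whose header the post says must be removed.
SAMPLE_PDF_BYTES = b"%PDF-1.4\n% constructed sample, not a real contract\n"
SAMPLE_DATA_URL = DATA_URL_PREFIX + base64.b64encode(SAMPLE_PDF_BYTES).decode("ascii")


def file_payload(name: str, data_url: str) -> dict:
    """Body for POST /files: base64 content without the data-URL header.
    The bytes are decoded and checked for the PDF magic before anything is sent,
    so a mislabelled or corrupt upload fails here rather than at the provider."""
    content = data_url[len(DATA_URL_PREFIX):] if data_url.startswith(DATA_URL_PREFIX) else data_url
    try:
        raw = base64.b64decode(content, validate=True)
    except binascii.Error as exc:
        raise ValueError("file content is not valid base64") from exc
    if not raw.startswith(b"%PDF-"):
        raise ValueError("file content is not a PDF")
    return {"name": name, "content": content}


def procedure_payload(file_id: str, signer: dict, page: int = 1,
                      position: str = "57,50,155,100") -> dict:
    """Body for POST /procedures. 'start', 'fileObjects', page 1 and the position
    string come from the post; 'name', 'members' and the signer keys are assumed."""
    coords = position.split(",")
    if len(coords) != 4 or not all(c.isdigit() for c in coords):
        raise ValueError("position must be 'x1,y1,x2,y2'")
    return {
        "name": f"Signature of {file_id}",  # assumed field
        "start": True,
        "members": [{**signer, "fileObjects": [{"file": file_id, "page": page, "position": position}]}],
    }


def can_sign(status: str, expires_at: Optional[str] = None, now: Optional[datetime] = None) -> bool:
    """Apply the procedure statuses listed above: only 'active' procedures may be signed,
    and a past expiresAt (assumed ISO 8601) blocks signing even if the status field
    returned by the provider has not been refreshed yet."""
    if status != "active":
        return False
    if expires_at is None:
        return True
    deadline = datetime.fromisoformat(expires_at)
    if deadline.tzinfo is None:  # treat a naive timestamp as UTC
        deadline = deadline.replace(tzinfo=timezone.utc)
    return (now or datetime.now(timezone.utc)) < deadline
```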

Thanks

Voilà, to summarize before going into the code, please determine your level of electronic signature and whether the provider’s API meets the need for your context of use.

Source is a tech company that provides value through design solutions, technical expertise and financial support. https://source.paris
