SDK

Low-Code

Workflow

DWS API

Sign a PDF via Document Engine using JavaScript

In this section, you’ll sign using the existing signing service configured for your Document Engine instance.

Approval and certification signatures

PDF documents mainly support two types of digital signatures: approval signatures, and certification signatures. Approval signatures are used to indicate that a signer agrees with or acknowledges the contents of a document. A single document can contain multiple approval signatures. Meanwhile, certification signatures restrict the kind of changes that can be applied to a document once it’s signed. A PDF document only allows one certification signature. Nutrient provides support for approval signatures. For certification signatures, contact Support.

The remainder of this guide will cover signing a PDF with an approval signature.

Prerequisites

To work with digital signatures in Document Engine, configure Document Engine with the external signing service that handles the actual cryptography. To learn about digital signatures architecture in Document Engine, refer to the documentation.

Signing documents managed by Document Engine

If you’re using Web SDK to sign documents managed by Document Engine, perform signing using the signDocument method:

instance.signDocument(
  {
    signingData: {
      signatureType: PSPDFKit.SignatureType.CAdES,
      padesLevel: PSPDFKit.PAdESLevel.b_lt
    }
  },
  {
    signingToken: "<optional signing token passed to signing service>"
  }
);

The remainder of this guide will cover signing documents opened in Web SDK in standalone mode via the digital signatures API provided by Document Engine.

Signing client-side documents via Document Engine

When using Nutrient Web SDK in standalone mode, you’re responsible for handling cryptographic operations manually. This can be a complex and error-prone process, especially when working with digital signatures. To streamline this, Nutrient provides a convenient alternative: leveraging the signing capabilities of our document management backend, Document Engine. By offloading the signing process to Document Engine, you’ll simplify your integration without compromising security or control.

This approach is ideal if you’re already using Document Engine for document management or document processing, as you can reuse your existing infrastructure to handle digital signatures. Security and privacy of your documents is guaranteed, as the document itself remains secure and private in your client’s session; only the document hash and signature properties are transmitted to the Document Engine. This ensures your sensitive content is never exposed during the signing process, keeping it safe and compliant with data privacy regulations.

Key benefits of signing via Document Engine include:

  • Leverage existing infrastructure — If Document Engine is part of your existing backend architecture, you can seamlessly integrate its signing functionality into your Web SDK deployments.

  • Delegated signing — Rather than managing cryptographic keys and processes in the client environment, you can delegate these operations to the backend, allowing for a more streamlined and secure experience.

  • Document privacy — Your document remains on the client side throughout the process. Only the document hash and necessary signature metadata are shared with the backend for signing, ensuring end-to-end document privacy.

How to sign a document using Document Engine API

If you’d like to use Document Engine to sign documents via the Web SDK, follow the steps outlined below.

1. Authorize clients with a backend signing service

To enable signing operations via Document Engine, authenticate your client requests using a JSON Web Token (JWT). This JWT should include the necessary claims, as outlined in our JWT authorization reference.

For example, a JWT with the following claims enables the use of Document Engine’s digital signatures API from the origin example.com:

{
  "allowed_operations": ["digital_signatures_api"],
  "allowed_origins": ["example.com"],
  ...rest_of_jwt_claims
}

2. Pass the JWT to the signing method

To perform the signing via Document Engine, pass the JWT from the previous step to the signDocument method of Web SDK running in standalone mode. You’ll also need to pass in the URL of your Document Engine instance (serverUrl), and you can optionally pass in the signingToken that will be passed to your Document Engine’s signing service:

instance.signDocument({
  signingData: {
    signatureType: PSPDFKit.SignatureType.CAdES,
    padesLevel: PSPDFKit.PAdESLevel.b_lt
  }
},
{
  jwt: "<access token>",
  serverUrl: "<url of document engine instance>"
  signingToken: "<optional signing token passed to signing service>"
})

4. Signing process

Once the signing method is called, the Web SDK takes care of the entire signing process:

  1. The document is prepared for signing, based on the parameters provided in the signDocument method.

  2. A hash of the document and signature properties — such as signing type, timestamping, and Long-Term Validation (LTV) settings — is generated and sent to the backend service.

  3. Document Engine performs the signing using the document hash and signature properties. If specified in the parameters, it also handles timestamping and LTV operations.

  4. Finally, the signed signature parameters are returned to the Web SDK, which embeds them into the prepared document, finalizing the signing process.

This process keeps your documents secure, maintains full privacy, and eliminates the need for clients to manage private keys, reducing the risk of handling cryptographic material in the client environment.