SDK

Low-Code

Workflow

DWS API

Sign a PDF via DWS API using JavaScript

In this section, you’ll sign using certificates managed by Nutrient DWS API.

Approval and certification signatures

PDF documents mainly support two types of digital signatures: approval signatures, and certification signatures. Approval signatures are used to indicate that a signer agrees with or acknowledges the contents of a document. A single document can contain multiple approval signatures. Meanwhile, certification signatures restrict the kind of changes that can be applied to a document once it’s signed. A PDF document only allows one certification signature. Nutrient provides support for approval signatures. For certification signatures, contact Support.

The remainder of this guide covers signing a PDF with an approval signature.

Signing documents via DWS API with the Web SDK

When using Nutrient Web SDK in standalone mode, you’re responsible for handling cryptographic operations manually. This can be a complex and error-prone process, especially when working with digital signatures. To streamline this, Nutrient provides a convenient alternative: leveraging the signing capabilities of our processing API service, Nutrient DWS API. By offloading the signing process to DWS API, you’ll simplify your integration without compromising security or control.

This approach is ideal if you want effortless integration of digital signatures into your app. Security and privacy of your documents is guaranteed, as the documents themselves remain secure and private in your client’s session; only the document hash and signature properties are transmitted to the backend. This ensures your sensitive content is never exposed during the signing process, keeping it safe and compliant with data privacy regulations.

Key benefits of signing via DWS API include:

  • Effortless integration — Subscribe to DWS API to leverage its digital signatures capabilities.

  • Trusted eSignatures — DWS API provides a legally binding certificate that allows for secure signatures that validate in Adobe and are enforceable under European Union (eIDAS), US, and Canadian law.

  • Delegated signing — Rather than managing cryptographic keys and processes in the client environment, you can delegate these operations to DWS API, allowing for a more streamlined and secure experience.

  • Document privacy — Your document remains on the client-side throughout the process. Only the document hash and necessary signature metadata are shared with the backend for signing, ensuring end-to-end document privacy.

How to sign a document using DWS API

If you’d like to use Nutrient DWS API to sign documents via the Web SDK, follow the steps outlined below.

1. Subscribe to DWS API

Create an account or sign in to your existing account on the DWS API website to obtain your API key.

2. Authorize clients with a backend signing service

Prepare an authorization token that will allow your client to interact with DWS API for signing operations.

For example, this request will create a token that allows the client to perform a digital signatures operation from origin example.com that expires in 1 hour (3,600 seconds):

curl -X POST https://api.nutrient.io/tokens \
  -H 'Authorization: Bearer pdf_live_<rest_of_your_api_key>' \
  -H "Content-Type: application/json" \
  -d '{
    "allowedOperations": [
      "digital_signatures_api"
    ],
    "allowedOrigins": [
      "example.com"
    ],
    "expirationTime": 3600
  }'

You can retrieve the accessToken from the response:

{
  "accessToken": "<created_access_token>",
  "id": "<access_token_id>"
}

3. Pass the access token to the signing method

Pass the access token to the signDocument method of Web SDK running in standalone mode:

instance.signDocument(
  {
    signingData: {
      signatureType: PSPDFKit.SignatureType.CAdES,
      padesLevel: PSPDFKit.PAdESLevel.b_lt
    }
  },
  {
    jwt: "<access token>"
  }
);

4. Signing process

Once the signing method is called, the Web SDK takes care of the entire signing process:

  1. The document is prepared for signing, based on the parameters provided in the signDocument method.

  2. A hash of the document and signature properties — such as signing type, timestamping, and Long-Term Validation (LTV) settings — is generated and sent to the backend service.

  3. The DWS API performs the signing using the document hash and signature properties. If specified in the parameters, it also handles timestamping and LTV operations.

  4. Finally, the signed signature parameters are returned to the Web SDK, which embeds them into the prepared document, finalizing the signing process.

This process keeps your documents secure, maintains full privacy, and eliminates the need for clients to manage private keys, reducing the risk of handling cryptographic material in the client environment.