Get started with electronic signing
- Kristoffer Kristoffer (Unlicensed)
Introduction
This page is intended to be a quick-start guide for developers who seek to implement a solution for electronic signing. The page will outline a quick-start guide for using our APIs in this context.
We emphasize that even though this guide contains most of the information needed to set up electronic signing with BankID, you'll need a commercial agreement with one of our partners in order to go live. We encourage to do this as early as possible. For more information on this, check out our getting started guide.
A general note on electronic signing from BankID
Our electronic signing products are, in some sense, an extension of the authentication product.
- For PAdES and SEID-SDO, the merchant must request an Access token with client credential grant to create and upload the sign order before the user interacts with BankID. After the user has signed, the result is then downloaded from our resource servers.
- For simple-text signing, the implementation is very similar to that of authentication, with some extra query parameters in the authorize request
Moreover, the implementation guides for PAdES and SEID-SDO are very similar, with the exception of the signdocpades and signdoc APIs, respectively. Note that the products are different. For more on this, check out the Compare e-sign products.
Expiration times
Sign order expiration time
The sign order will expire in 90 seconds after it is created if user signing is not initiated (i.e. request to authorization endpoint).
The timeout for the sign order when user is signing is determined by the timeoutSeconds (default 1800 seconds) specified when the order was uploaded.
After the user has signed the order, the sign order will be valid for another 90 seconds before it expires.
API quick-start guide
Using our APIs for PAdES signing
| Step | What you do | Endpoint | Method | Considerations | Remarks |
|---|---|---|---|---|---|
| 1 | Get the key properties of the OIDC provider | openid-configuration | GET | ||
| 2 | Request an Access token | token | POST | Grant type client_credentials. Must include the signdoc/read_write scope. | The access token is retreived with client credentials grant, i.e. without the involvement of the end user |
| 3 | Create and upload sign order to the SignDoc resource server | signdocpades | POST | Include Access token (2) as Bearer token | You'll receive a reference sign_id |
| 4 | Initiate the signing transaction by redirecting the user to the authorization endpoint | authorize | GET | Include the In the callback, make sure to check for error and matching states | Traditional authorization code flow starts. End user performs the signing process with netcentric BankID. Results are stored in the resource server. |
| 5 | Exchange authorization code for tokens | Token | POST | Check matching nonce | |
| 6 | Fetch our public keys and use these to validate token signatures | jwk | GET | ||
| (opt) | Check the status of sign order | signdocpades | GET | Include Access token (2) as Bearer token. Include sign_id as query parameter. | For more details, see Check Status for sign order in signdocpades |
| 7 | Download sign order results and delete sign order | signdocpades | DELETE | Include Access token (2) as Bearer token. Include sign_id as query parameter. | For more details, see
in signdocpades |
Using our APIs for SEID-SDO signing
| Step | What you do | Endpoint | Method | Considerations | Remarks |
|---|---|---|---|---|---|
| 1 | Get the key properties of the OIDC provider | Openid-configuration | GET | ||
| 2 | Request an Access token | Token | POST | Grant type client_credentials. Must include the signdoc/read_write scope. | The access token is retrieved with client credentials grant, i.e. without the involvement of the end user |
| 3 | Create and upload sign order to the SignDoc resource server | signdoc | POST | Include Access token (2) as Bearer token | You'll receive a reference sign_id |
| 4 | Initiate the signing transaction by redirecting the user to the authorization endpoint | Authorize | GET | Include the In the callback, make sure to check for error and matching states | Traditional authorization code flow starts. End user performs the signing process with netcentric BankID. Results are stored in the resource server. |
| 5 | Exchange authorization code for tokens | Token | POST | Check matching nonce | The Access token is to be used to check status (7) and download the result (step 8) from resource server |
| 6 | Fetch our public keys and use these to validate token signatures | Jwk | GET | ||
| (opt) | Check the status of sign order | signdoc | GET | Include Access token (2) as Bearer token. Include sign_id as query parameter. | For more details, see Check Status for sign order in signdoc |
| 7 | Download sign order results and delete sign order | signdoc | DELETE | Include Access token (2) as Bearer token. Include sign_id as query parameter. | For more details, see
in signdoc |
Using our APIs for Simple-text signing
Simple-text signing allows the end user to sign a predefined text. The result contains the basic signatures of the merchant and end user, as well as the hash over the received text.
| Step | What you do | Endpoint | Method | Considerations | Remarks |
|---|---|---|---|---|---|
| 1 | Get the key properties of the OIDC provider | Openid-configuration | GET | ||
| 2 | Build the authorization URL, and redirect the user to the authorization endpoint | Authorize | GET | Include sign scope and In the callback, make sure to check for error and matching states |
This is where the end user interacts with BankID. |
| 3 | Exchange authorization code for tokens | Token | POST | Check matching nonce | The result is contained in the sign_result claim in the ID token (see example below table). Also:
|
| 4 | Fetch our public keys and use these to validate token signatures | Jwk | GET | Example "sign_result" : { |