Signing methods
Our Sign API v2 supports two main forms of electronic signatures:
- Authentication-based signing (where the signature is backed by a verified authentication event) and
- PKI signing (where the signature is cryptographically generated natively by the electronic identity scheme).
Authentication-based signing
Authentication-based signing supports the use of any type of authentication method provided by Signicat, where the authentication result is used for signing. This ensures a unified output format in accordance with EU specifications, as well as a scalable, responsive signing interface supporting all modern device standards and window sizes.
Authentication-based signing enables you to sign one or more documents by first consenting to the contents of the document(s) and subsequently authenticating yourself using one of a number of eID providers.
As the product relies on authentication, the eID providers do not need to support signing themselves. Our Sign API v2 gathers proof of the signer's actions, i.e. viewing the document(s), consenting to the contents and the authentication itself. The series of proofs is combined with each of the original documents.
The result is a signed XML document (XAdES), which is digitally signed by Signicat. Each original document results in one XAdES document for each signer. The signed documents can also be merged into a final PAdES (PDF Advanced Electronic Signatures) document.
Supported authentication-based signing methods
PKI signing
Public Key Infrastructure (PKI) signing allows you to sign documents using the natively available signing capabilities of specific eID providers.
In a PKI signing flow, the signature is cryptographically bound to the document using private keys managed by the eID provider or stored securely on the user's device (such as a hardware security module or smartcard). This produces a highly secure, non-repudiable signature compliant with local regulatory standards. The resulting signature can then be verified directly against the provider's trust infrastructure or packaged into standard PAdES containers.