Quickstart

Fire your first signing request in five minutes.

1. Create an API key

In the admin dashboard, create a named key for your source application. The key is shown once — copy it to a secure secret store immediately. Keys are SHA-256-hashed at rest and are revocable and rotatable at any time.

2. Post a signing request

Terminal window
curl -X POST https://your-nosign-host/v1/signing-requests \
  -H "Authorization: Bearer sk_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "document": "<base64 pdf>",
    "callback_url": "https://your-app.com/webhooks/nosign",
    "signers": [{ "name": "Ada Lovelace", "email": "ada@example.com",
      "fields": [{ "page": 1, "x": 72, "y": 640, "w": 180, "h": 48, "type": "signature", "required": true }] }]
  }'

Each field carries a typesignature, initials, date, checkbox, or text. NoSign validates field coordinates and types at ingestion. Out-of-bounds or missing required fields return 422 immediately — the request never enters the workflow.

Want to check a payload without creating anything? Fire the same request at the developer sandbox (/sandbox/v1/...) — a validate-only dry run with no DB writes, no jobs, and no email.

3. Deliver the signing_url

NoSign returns a signing_url for the first signer. Your platform delivers it (email, SMS, in-app link). For multiple signers, NoSign emails the next one automatically after each preceding signer completes.

4. Receive the webhook

After the last signer, NoSign delivers the sealed PDF (base64) plus the ordered audit bundle to your callback_url, HMAC-SHA256 signed. Verify the signature, store the payload durably, then return 2xx.

5. Delete the request

Once your backend has confirmed receipt, send a DELETE to trigger full hard deletion. A daily retention scheduler is the safety net, but explicit deletion is the expected path.

Examples are illustrative; verify field names against your NoSign instance’s API.

← Introduction The flow