Document Trust API
3 minute read
DigiCert® Document Trust Manager API lets you automate identity validation, credential issuance, and document signing workflows for digital signature solutions.
What you can do
- Manage signing credentials: Create and manage signing credentials for users who need to sign documents digitally.
- Validate identities: Initiate and manage identity validation workflows required before issuing signing credentials.
- Integrate with signing applications: Use Cloud Signature Consortium (CSC) APIs for seamless integration with signature applications.
- Create compliant signatures: Generate Advanced Electronic Signatures (AES) that meet eIDAS and other regulatory requirements.
- Monitor operations: Query audit logs to track credentials, validations, and signing activities.
Tip
See Get started for complete details on making your first API call to DigiCert® ONE APIs.Authentication
| Method | Best for | How it works |
|---|---|---|
| API key (default) | CI/CD pipelines, backend services | Add the service user API token in the x-api-key request header. |
| Mutual TLS (mTLS) | High-assurance, network-restricted, or key-rotation-averse environments | Present a client TLS certificate and call the clientauth. hostname. |
Base URL and endpoints
DigiCert® provides both production and demo environments across four geographic regions. Each API call starts with a region-specific hostname (base URL), followed by a predictable versioned path.
| Environment | Purpose |
|---|---|
| Demo | Safe testing, proof-of-concepts |
| Production | Live operations |
| Segment | Description | examples |
|---|---|---|
{hostname} | DigiCert® ONE hostname | one.digicert.comdemo.one.digicert.comone.digicert.co.jp |
{product} | DigiCert® ONE product-specific path segment | /documentmanager (Document Trust Manager) |
api/v{n} | API version | /api/v1/api/v2/csc/v0 or /csc/v1 (CSC APIs) |
{resource} | Specific endpoint path | /credential/validation/credentials/list/signatures/signHash |
Validation and credential workflow
Document Trust Manager follows a structured workflow for issuing signing credentials that ensures proper identity validation.
| Step | Description |
|---|---|
| Approve validation | Once validation requirements are met (email confirmed, identity verified), approve the validation using the /api/v1/validation/{validationId}/approve endpoint. This allows credential issuance to proceed. |
| Create credential | After validation approval, create a signing credential for the user with the /api/v2/credential endpoint. The credential represents the user’s signing certificate and associated private key. |
| Use credential for signing | Users can now use their credentials to sign documents through CSC API operations like /csc/v1/signatures/signHash. |
This workflow ensures that only validated identities receive signing credentials.
Cloud Signature Consortium (CSC) APIs
Document Trust Manager implements CSC API specifications (v0.1.7.9 and v1.0.4.0) for standardized remote signing. CSC APIs enable signing applications to:
- List available credentials for a user.
- Authorize credential access with OTP or other authentication factors.
- Sign document hashes remotely.
- Timestamp signatures for non-repudiation.
Note
CSC operations require OAuth 2.0 or Digest authentication. Use the/csc/v1/info endpoint to retrieve service information, including supported authentication methods and endpoints for your region.Roles and permissions
Assigned roles determine a user’s permissions. Roles are manager-specific and provide a granular permission structure.
Use the /account/api/v1/role endpoint to see available roles for Document Trust Manager:
curl -X GET https://demo.one.digicert.com/account/api/v1/role?application_code=document_signing_manager \
-H "x-api-key: USER_API_TOKEN" \
-H "Content-Type: application/json" | jq '.'
Important considerations
- Authentication type is based on authorization method. Any CSC operation (
/csc/v{n}) requires OAuth 2.0 or Digest authentication. Standard API key authentication will not work for credential authorization or signing operations. - Credential states control access. Credentials can be ACTIVE, PENDING_ISSUANCE, DEACTIVATED, REVOKED, or SUSPENDED. Only ACTIVE credentials can be used for signing.
- Advanced and qualified signatures for compliance. Use the
/api/v1/hashesand/api/v1/signaturesendpoints to enhance signatures to meet eIDAS and other regulatory requirements for Advanced Electronic Signatures (AES).
Common operations
| Method | Endpoint | Description |
|---|---|---|
| POST | /documentmanager/api/v2/credential | Create a signing credential for a validated user |
| GET | /documentmanager/api/v1/credentials/list | List credentials for the authenticated user |
| POST | /documentmanager/csc/v1/info | Get CSC service information; returns supported operations and authentication methods |
| POST | /documentmanager/csc/v1/oauth2/token | Obtain OAuth 2.0 access token for CSC operations |
| POST | /documentmanager/csc/v1/credentials/authorize | Authorize credential access; requires OTP verification |
| POST | /documentmanager/csc/v1/signatures/signHash | Sign a document hash using authorized credential |
| POST | /documentmanager/api/v1/hashes | Enhance document hashes to AES-compliant format |
| GET | /documentmanager/api/v1/audit-log | View audit logs; track credential operations and signing activities |
API reference
OpenAPI reference documentation for Document Trust
Was this page helpful?
Provide feedback