Document Trust Manager API
DigiCert® Document Trust Manager API lets you automate identity validation, credential issuance, and document signing workflows for digital signature solutions.
What you can do
Manage signing credentials: Create and manage signing credentials for users who need to sign documents digitally.
Validate identities: Initiate and manage identity validation workflows required before issuing signing credentials.
Integrate with signing applications: Use Cloud Signature Consortium (CSC) APIs for seamless integration with signature applications.
Create compliant signatures: Generate Advanced Electronic Signatures (AES) that meet eIDAS and other regulatory requirements.
Monitor operations: Query audit logs to track credential operations, validations, and signing activities.
Tip
See Get started for complete details on making your first API call to DigiCert® ONE APIs.
Authentication
Base URL and endpoints
DigiCert® provides both production and demo environments across four geographic regions. Each API call starts with a region-specific hostname (base URL), followed by a predictable versioned path.
| Segment | Description | Document Trust Manager examples |
|---|---|---|
| | DigiCert® ONE hostname | |
| | DigiCert® ONE product-specific path segment | |
| | API version | |
| | Specific endpoint path | |
Validation and credential workflow
Document Trust Manager follows a structured workflow for issuing signing credentials that ensures proper identity validation.
| Step | Description |
|---|---|
| Create validation | Before a user can receive signing credentials, their identity must be validated. Use the /api/v1/validation endpoint to initiate a validation request. This typically involves email verification and identity proofing steps. |
| Approve validation | Once validation requirements are met (email confirmed, identity verified), approve the validation using the /api/v1/validation/{validationId}/approve endpoint. This allows credential issuance to proceed. |
| Create credential | After validation approval, create a signing credential for the user with the /api/v1/credential or /api/v2/credential endpoint. The credential represents the user's signing certificate and associated private key. |
| Use credential for signing | Users can now use their credentials to sign documents through CSC API operations like /csc/v1/signatures/signHash. |
This workflow ensures that only validated identities receive signing credentials.
Cloud Signature Consortium (CSC) APIs
Document Trust Manager implements CSC API specifications (v0.1.7.9 and v1.0.4.0) for standardized remote signing. CSC APIs enable signing applications to:
List available credentials for a user.
Authorize credential access with OTP or other authentication factors.
Sign document hashes remotely.
Timestamp signatures for non-repudiation.
Note
CSC operations require OAuth 2.0 or Digest authentication. Use the /csc/v1/info endpoint to retrieve service information, including supported authentication methods and endpoints for your region.
Roles and permissions
Assigned roles determine a user’s permissions. Roles are manager-specific and provide a granular permission structure.
Use the /account/api/v1/role endpoint to see available roles for Document Trust Manager:
curl -X GET "https://demo.one.digicert.com/account/api/v1/role?application_code=document_signing_manager" \
  -H "x-api-key: USER_API_TOKEN" \
  -H "Content-Type: application/json" | jq '.'
Important considerations
Validations must be approved before credential issuance. Always complete the validation workflow before attempting to create credentials. Attempting to create a credential without approved validation will fail.
CSC operations require specific authentication. OAuth 2.0 or Digest authentication is mandatory for CSC API endpoints. Standard API key authentication will not work for credential authorization or signing operations.
Credential states control access. Credentials can be ACTIVE, PENDING_ISSUANCE, DEACTIVATED, REVOKED, or SUSPENDED. Only ACTIVE credentials can be used for signing.
OTP verification for signing. Most signing operations require OTP (One-Time Password) verification. Use the /credentials/sendOTP endpoint to send OTP to users before authorizing credential access.
Advanced Electronic Signatures for compliance. Use the /api/v1/hashes and /api/v1/signatures endpoints to enhance signatures to meet eIDAS and other regulatory requirements for Advanced Electronic Signatures (AES).
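A pre-flight check that encodes the ordering rules from the workflow and the considerations above, as an added example (not DigiCert code). SignerState, plan_signing and the auth labels are hypothetical names; the function only plans calls and sends no requests, and the authorize step appears as a label because its path is not shown on this page.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Credential states named on the page; only ACTIVE may be used for signing.
STATES = {"ACTIVE", "PENDING_ISSUANCE", "DEACTIVATED", "REVOKED", "SUSPENDED"}
CSC_AUTH = {"oauth2", "digest"}  # this example's labels, not API values


@dataclass
class SignerState:  # hypothetical local record, not an API response shape
    validation_id: Optional[str] = None
    validation_approved: bool = False
    credential_state: Optional[str] = None  # None: no credential created yet
    otp_sent: bool = False


def plan_signing(s: SignerState, auth: str) -> Tuple[List[str], Optional[str]]:
    """Return (calls still needed, in order; reason the plan is blocked or None)."""
    if s.credential_state is not None and s.credential_state not in STATES:
        raise ValueError(f"unknown credential state: {s.credential_state!r}")
    steps: List[str] = []
    if s.credential_state is None:
        # Credential creation fails unless an approved validation exists.
        if s.validation_id is None:
            steps.append("/api/v1/validation")
        if not (s.validation_approved and s.validation_id is not None):
            vid = s.validation_id or "{validationId}"
            steps.append(f"/api/v1/validation/{vid}/approve")
        steps.append("/api/v1/credential")  # plan assumes it then becomes ACTIVE
    elif s.credential_state != "ACTIVE":
        return steps, f"credential is {s.credential_state}; only ACTIVE can sign"
    if auth not in CSC_AUTH:
        # An API key covers the steps above but not authorization or signing.
        return steps, "CSC calls need OAuth 2.0 or Digest authentication"
    if not s.otp_sent:
        steps.append("/credentials/sendOTP")
    steps.append("authorize credential access")  # endpoint path not on the page
    steps.append("/csc/v1/signatures/signHash")
    return steps, None
```
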
Common operations
| Method | Endpoint | Description |
|---|---|---|
| POST | | Create a validation request; initiates identity proofing workflow |
| GET | | List all validations; use query parameters to filter by status |
| PUT | | Approve a validation; enables credential issuance |
| POST | | Create a signing credential for a validated user |
| GET | | List credentials for the authenticated user |
| POST | | Get CSC service information; returns supported operations and authentication methods |
| POST | | Obtain OAuth 2.0 access token for CSC operations |
| POST | | Authorize credential access; requires OTP verification |
| POST | | Sign a document hash using authorized credential |
| POST | | Enhance document hashes to AES-compliant format |
| GET | | View audit logs; track credential operations and signing activities |