Document Trust Manager API

DigiCert® Document Trust Manager API lets you automate identity validation, credential issuance, and document signing workflows for digital signature solutions.

What you can do

Manage signing credentials: Create and manage signing credentials for users who need to sign documents digitally.
Validate identities: Initiate and manage identity validation workflows required before issuing signing credentials.
Integrate with signing applications: Use Cloud Signature Consortium (CSC) APIs for seamless integration with signature applications.
Create compliant signatures: Generate Advanced Electronic Signatures (AES) that meet eIDAS and other regulatory requirements.
Monitor operations: Query audit logs to track credentials, validations, and signing activities.

Tip

See Get started for complete details on making your first API call to DigiCert® ONE APIs.

Authentication

Table 1. Primary authentication methods

Method	Best for	How it works
API key (default)	CI/CD pipelines, backend services	Add the service user API token in the `x-api-key` request header.
Mutual TLS (mTLS)	High-assurance, network-restricted, or key-rotation-averse environments	Present a client TLS certificate and call the `clientauth.` hostname.

Base URL and endpoints

DigiCert® provides both production and demo environments across four geographic regions. Each API call starts with a region-specific hostname (base URL), followed by a predictable versioned path.

Environment	Purpose
Demo	Safe testing, proof-of-concepts
Production	Live operations

Table 3. Document Trust Manager API URL pattern breakdown

Segment	Description	Document Trust Manager examples
`{hostname}`	DigiCert® ONE hostname	`one.digicert.com` `demo.one.digicert.com` `one.digicert.co.jp`
`{product}`	DigiCert® ONE product-specific path segment	`/documentmanager` (Document Trust Manager)
`api/v{n}`	API version	`/api/v1` `/api/v2` `/csc/v0` or `/csc/v1` (CSC APIs)
`{resource}`	Specific endpoint path	`/credential` `/validation` `/credentials/list` `/signatures/signHash`

Validation and credential workflow

Document Trust Manager follows a structured workflow for issuing signing credentials that ensures proper identity validation.

Table 4. Validation and credential workflow steps

Step	Description
Approve validation	Once validation requirements are met (email confirmed, identity verified), approve the validation using the `/api/v1/validation/{validationId}/approve` endpoint. This allows credential issuance to proceed.
Create credential	After validation approval, create a signing credential for the user with the `/api/v2/credential` endpoint. The credential represents the user's signing certificate and associated private key.
Use credential for signing	Users can now use their credentials to sign documents through CSC API operations like `/csc/v1/signatures/signHash`.

This workflow ensures that only validated identities receive signing credentials.

Cloud Signature Consortium (CSC) APIs

Document Trust Manager implements CSC API specifications (v0.1.7.9 and v1.0.4.0) for standardized remote signing. CSC APIs enable signing applications to:

List available credentials for a user.
Authorize credential access with OTP or other authentication factors.
Sign document hashes remotely.
Timestamp signatures for non-repudiation.

Note

CSC operations require OAuth 2.0 or Digest authentication. Use the /csc/v1/info endpoint to retrieve service information, including supported authentication methods and endpoints for your region.

Roles and permissions

Assigned roles determine a user’s permissions. Roles are manager-specific and provide a granular permission structure.

Use the /account/api/v1/role endpoint to see available roles for Document Trust Manager:

curl -X GET https://demo.one.digicert.com/account/api/v1/role?application_code=document_signing_manager \
  -H "x-api-key: USER_API_TOKEN" \
  -H "Content-Type: application/json" | jq '.'

Important considerations

Authentication type is based on authorization method. Any CSC operation (/csc/v{n}) requires OAuth 2.0 or Digest authentication. Standard API key authentication will not work for credential authorization or signing operations.
Credential states control access. Credentials can be ACTIVE, PENDING_ISSUANCE, DEACTIVATED, REVOKED, or SUSPENDED. Only ACTIVE credentials can be used for signing.
Advanced and qualified signatures for compliance. Use the /api/v1/hashes and /api/v1/signatures endpoints to enhance signatures to meet eIDAS and other regulatory requirements for Advanced Electronic Signatures (AES).

Common operations

Table 5. Common Document Trust Manager API operations

Method	Endpoint	Description
POST	`/documentmanager/api/v2/credential`	Create a signing credential for a validated user
GET	`/documentmanager/api/v1/credentials/list`	List credentials for the authenticated user
POST	`/documentmanager/csc/v1/info`	Get CSC service information; returns supported operations and authentication methods
POST	`/documentmanager/csc/v1/oauth2/token`	Obtain OAuth 2.0 access token for CSC operations
POST	`/documentmanager/csc/v1/credentials/authorize`	Authorize credential access; requires OTP verification
POST	`/documentmanager/csc/v1/signatures/signHash`	Sign a document hash using authorized credential
POST	`/documentmanager/api/v1/hashes`	Enhance document hashes to AES-compliant format
GET	`/documentmanager/api/v1/audit-log`	View audit logs; track credential operations and signing activities

In this section: