SignatureAPI

Electronic signatures seem like a solved problem until you try to integrate one. DocuSign charges enterprise prices. HelloSign has API limitations. Most solutions assume you want their full UI flow, not raw signature data.

SignatureAPI started as an internal tool for high-volume document signing. We needed something that could handle thousands of envelopes per day without breaking the bank. When we couldn’t find it, we built it.

The Problem We Solved

The digital signature market has a gap. Enterprise tools charge $5-10 per envelope. That works for occasional contracts, but falls apart when you’re sending thousands of documents monthly. Real estate agencies, HR departments, legal firms - they all face this scaling problem.

We priced SignatureAPI at $0.10 per envelope. At volume, costs drop further. This opened the market to use cases that were previously too expensive.

Architecture Overview

SignatureAPI follows a microservices architecture with clear domain separation. The platform consists of five main components:

Core API - Orchestrates all operations, manages envelopes and recipients, handles authentication
Signing Ceremony - The user-facing signing experience with responsive UI components
Crypto Service - Isolated cryptographic operations with HSM integration
Rendering Service - PDF processing, field placement, and document generation
Integrations Layer - Connectors for Microsoft Power Automate, Zapier, and other platforms

This separation lets us scale services independently. The crypto service handles cryptographic operations, the rendering service processes PDFs, and the API orchestrates everything.

The Core API

The main API runs on NestJS with TypeORM connecting to PostgreSQL. The domain model is organized around envelopes, documents, recipients, and places.

When a client creates an envelope through the API, the system validates the request, persists the envelope data, and queues the documents for background processing. This queue-based architecture keeps API response times fast while heavy operations like document rendering and email delivery happen asynchronously.

Bull queues with Redis handle all async operations. Document processing, email sending, and webhook delivery all run through the queue system.

Cryptographic Signing

The crypto service is a dedicated C# application that handles digital signatures. It integrates with Hardware Security Modules (HSM) for enterprise customers who need signatures that meet legal requirements in various jurisdictions.

The signing flow receives a document hash and credentials, communicates with the HSM to perform the cryptographic operation, and returns the signature. This isolation is critical for security - cryptographic material never touches the main API. Private keys remain within the HSM boundary, and the crypto service only handles signing operations.

PDF Rendering

The rendering-service is another C# application deployed to AWS Lambda. It handles PDF rendering, placing signature fields, and generating the final signed document.

PDF rendering turned out to be harder than expected. Fonts were a particular pain. Documents with embedded fonts sometimes rendered incorrectly. We spent weeks building a robust rendering pipeline that handles edge cases.

The service uses a proprietary PDF library (Xfinium) for precise control over field placement and visual rendering.

The Signing Ceremony

When someone receives a document to sign, they interact with the ceremony application. It’s a Next.js app that renders the document, captures signatures, and submits the signed data back to the API.

Key features:

perfect-freehand for smooth signature drawing
html-to-image for capturing signature graphics
next-intl for internationalization (multiple languages)

The ceremony adapts to any device. Mobile screens require different UI patterns than desktop. We built a responsive experience that works on phones, tablets, and computers.

AWS Infrastructure

The platform runs on AWS with several integrated services:

S3 for document storage
KMS for encryption key management
SES for transactional emails
Lambda for serverless PDF processing
CloudFront for signed URL distribution

For enterprise customers, we support BYOS (Bring Your Own Storage). They connect their own S3 or R2 bucket, and documents never leave their infrastructure.

No-Code Integrations

A significant portion of adoption came from no-code tools. We built connectors for:

Microsoft Power Automate - The most popular integration. Users create workflows that send documents for signature when a SharePoint file appears, notify a Teams channel when signing completes, and store the final document in OneDrive.

Zapier - Similar automation capabilities connecting to thousands of other apps.

These integrations brought in dozens of new users weekly who don’t write code but need signature automation.

Webhooks and Events

The platform uses Svix for webhook delivery. Every significant event - envelope creation, recipient actions, document completion - triggers a webhook notification to subscribed endpoints.

Svix handles retries, delivery logging, and provides a webhook management UI for customers. This was much faster than building our own webhook infrastructure and gives customers visibility into delivery status and history.

Authentication and Multi-Tenancy

Clerk handles user authentication, SSO, and organization management. The @clerk/backend SDK validates tokens on every API request.

Each organization has:

Isolated data (envelopes, documents, recipients)
Separate API keys
Individual billing and quotas
Member role management

Compliance

Enterprise customers need compliance certifications. We achieved:

HIPAA compliance for healthcare use cases
SOC2 certification (in progress during observation period)

The webrisk module in the API checks URLs and attachments for malicious content. This is important for preventing phishing attempts through signature requests.

What I Learned

Building SignatureAPI taught me how different enterprise software is from consumer products. Compliance, security audits, and legal requirements drive architecture decisions as much as technical considerations.

The polyglot approach (TypeScript + C#) was worth the complexity. C# has better libraries for cryptography and PDF manipulation. TypeScript is better for API development and web frontends. Using each where it shines produces a better product.

The monorepo with independent services scales well. Teams can work on different parts without stepping on each other. Deployment is more complex, but the operational benefits outweigh the overhead.

Electronic Signature API — SignatureAPI

Integrate legally binding e-signatures into your apps and workflows with our award-winning, developer-friendly API and integrations — starting at just $0.25 per document.