Skip to main content
POST
/
sign
curl --request POST \
  --url https://api.uip.digital/v1/sign \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "intent": "Sign Terms of Service",
  "signature_information": "I agree to the Terms of Service version 2.1 dated January 11, 2025"
}
'
{
  "session_id": "sess_abc123def456",
  "qr_code": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAA...",
  "expires_at": "2025-01-11T12:35:00Z"
}
Request a legally binding biometric signature from a user. Returns a QR code or deep link for the user to scan with their UIP app. Use this endpoint for quick signatures on lightweight agreements, terms of service, policies, and attestations.

Request

Headers

HeaderRequiredDescription
AuthorizationYesBearer token with your API key: Bearer YOUR_API_KEY
Content-TypeYesMust be application/json

Body Parameters

intent
string
required
Description of why you’re requesting a signature. This is shown to the user in the UIP app.Example: "Sign Terms of Service" or "Acknowledge Privacy Policy"
signature_information
string
required
The content or description of what the user is signing. This is the actual agreement text or reference.Example: "I agree to the Terms of Service version 2.1" or "I acknowledge receipt of the employee handbook"

Response

Success Response (200 OK)

session_id
string
required
Unique identifier for this signature session
expires_at
string
required
ISO 8601 timestamp when the session expires (5 minutes from creation)
qr_code
string
required
Base64-encoded PNG image of the QR code for users to scan

Example Request

{
  "intent": "Sign Terms of Service",
  "signature_information": "I agree to the Terms of Service version 2.1 dated January 11, 2025"
}

Example Response

{
  "session_id": "sess_1a2b3c4d5e6f",
  "expires_at": "2025-01-11T12:35:00Z",
  "qr_code": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAA..."
}

Webhook Callback

When the user completes the signature, UIP sends a POST request to your webhook URL with the result.
Important: Webhooks are only sent when the user completes the signature. If the user declines or the session expires without completion, no webhook is sent. Your application should handle timeouts on your end (sessions expire after 5 minutes).

Successful Signature

{
  "event": "sign",
  "data": {
    "uip_id": "user_abc123def456",
    "session_id": "sess_1a2b3c4d5e6f",
    "audit_id": "audit_9z8y7x6w5v4u"
  }
}
Response fields:
  • event - Always "sign" for successful signatures
  • data.uip_id - The user’s unique UIP identifier
  • data.session_id - The session ID from your original request
  • data.audit_id - Permanent audit trail reference ID (save this for compliance)
Save the audit_id: This is your permanent proof of signature. Store it in your database for compliance and verification purposes.

Implementation Flow

1

Request Signature

Call the Sign endpoint with your intent and signature information
2

Display QR Code

Show the returned QR code to the user, or provide the deep link if they’re on mobile
3

User Signs

User scans the QR code with the UIP app and signs with biometric verification
4

Receive Webhook

Your webhook receives the signature result with verified identity and audit trail
5

Complete Action

Use the verified signature to complete the user’s action and store the audit_id

Best Practices

Clear Intent

Always provide a clear, user-friendly intent message explaining what they’re signing

Specific Information

Include version numbers and dates in signature_information for legal clarity

Handle Expiration

Sessions expire after 5 minutes. Implement retry logic or allow users to generate a new code

Save Audit IDs

Always save the audit_id from webhook responses for permanent proof and compliance

Common Use Cases

Request users to sign your TOS with biometric verification
{
  "intent": "Sign Terms of Service",
  "signature_information": "I agree to the Terms of Service version 2.1 dated January 11, 2025"
}
Get user consent for privacy policies with cryptographic proof
{
  "intent": "Acknowledge Privacy Policy",
  "signature_information": "I acknowledge and agree to the Privacy Policy updated January 2025"
}
Require employees to acknowledge receipt and understanding
{
  "intent": "Acknowledge Employee Handbook",
  "signature_information": "I confirm receipt of the 2025 Employee Handbook and agree to comply with all policies"
}
Get attestations for codes of conduct or ethical guidelines
{
  "intent": "Sign Code of Conduct",
  "signature_information": "I agree to follow the Company Code of Conduct effective January 2025"
}

Errors

See the Error Handling Guide for comprehensive error handling strategies. Possible error codes for this endpoint:
  • auth/missing-api-key - No API key provided in Authorization header
  • auth/invalid-api-key - Invalid API key
  • auth/revoked-api-key - API key has been revoked
  • auth/business-archived - Business account has been archived
  • auth/verification-required - UIP account must be verified before using this endpoint
  • request/invalid-payload - Request payload is invalid or missing required fields
  • request/not-found - No such registered route in API service
  • request/webhook-missing - Webhook URL not configured in Business Dashboard
  • payment/insufficient-funds - Insufficient account balance to complete request
  • resource/not-found - Business or UIP not found
  • internal/server-error - Failed to create session record
  • data/corrupt - Corrupt key data detected

Authorizations

Authorization
string
header
required

Use your UIP API key as a bearer token

Body

application/json
intent
string
required

Description of why you're requesting a signature. Shown to the user in the UIP app.

signature_information
string
required

The content or description of what the user is signing. This is the actual agreement text or reference.

Response

200 - application/json

Signature request created

session_id
string

Unique identifier for this signature session

qr_code
string

Base64-encoded PNG image of the QR code for users to scan

expires_at
string<date-time>

ISO 8601 timestamp when the session expires (5 minutes from creation)