Embedding e-signatures into your product is not hard -- until you need to make it reliable. The tricky parts are almost always the same: event consistency, replay safety, document integrity, and what you store for audits.
The integration architecture (high level)
Most successful integrations follow a simple pattern:
- Your app creates a signature request (document + signers + fields).
- The signer completes signing in a hosted or embedded experience.
- The platform emits events (webhooks) as status changes.
- Your app updates internal state and stores the final signed record + evidence.
The key architectural decision is whether to use hosted signing (redirect the user to the e-signature platform's page) or embedded signing (render the signing experience inside your app). Hosted signing is simpler to implement, easier to maintain, and automatically stays current with UI updates. Embedded signing gives you more control over the user experience but requires more integration work.
When to choose hosted vs. embedded
| Factor | Hosted | Embedded |
|---|---|---|
| Implementation time | Hours | Days to weeks |
| UX control | Limited | Full |
| Maintenance burden | Low | Medium to high |
| Mobile experience | Platform handles | You handle |
| Best for | Internal tools, MVPs | Customer-facing products |
Design for idempotency (or you will double-process everything)
Webhooks can be delivered more than once. Networks fail. Retries happen. Your server might crash after processing a webhook but before returning a 200. The platform retries, and your handler runs again. If your handler sends an email on completion, you have just sent two emails. If it triggers a payment, you have charged twice.
Practical rules
- Use an event ID for deduplication. Store processed event IDs in your database. Before processing, check if you have already handled that event ID. If yes, return 200 and skip. A simple
processed_eventstable with a unique constraint on the event ID works well. - Update state using monotonic transitions. Define a strict order: CREATED, SENT, VIEWED, SIGNED, COMPLETED. Only allow forward transitions. If a webhook says VIEWED but your record is already COMPLETED, ignore it -- the state can only advance.
- Make side effects idempotent. If signing completion triggers an email, a Slack notification, or a payment, guard each side effect independently. Use a status flag per action:
email_sent,payment_triggered. Check flags before executing. - Return 200 before processing. Acknowledge the webhook immediately, then process asynchronously via a job queue. This prevents timeouts from causing retries and decouples webhook delivery from your business logic execution time.
- Make your PDF download job retryable. The signed PDF download can fail due to network issues or temporary unavailability. Store the download URL, implement retry with backoff, and verify the downloaded file hash matches the expected value.
Webhook security: validate authenticity
Treat webhook endpoints like public APIs -- because they are. Anyone who discovers your endpoint URL can POST fake events to it. Without verification, an attacker could trick your system into marking documents as signed, triggering payments, or leaking data.
HMAC signature verification
Most e-signature platforms include an HMAC signature header with each webhook delivery. Your server should compute the expected signature using the shared secret and the raw request body, then compare it in constant time. Reject any request where the signature does not match. Never parse the JSON payload before verifying the signature -- use the raw bytes for HMAC computation.
Timestamp validation
Even with valid signatures, an attacker could capture a legitimate webhook and replay it later. Include a timestamp check: reject any webhook where the timestamp header is more than 5 minutes old. This window is long enough to handle normal network delays but short enough to block most replay attacks.
Security checklist for webhook endpoints
- Verify HMAC signature on every request (constant-time comparison)
- Reject timestamps older than 5 minutes
- Use HTTPS-only endpoints (reject plain HTTP)
- Restrict source IPs where the platform publishes them
- Log correlation IDs from the platform for incident response
- Store minimal PII -- collect only what your audit trail requires
- Rotate shared secrets periodically and support dual-secret validation during rotation
Error handling patterns
Not all errors are created equal. Your integration should categorise failures and respond differently to each type:
Transient errors
Network timeouts, 502/503 responses, rate limits. Retry with exponential backoff (1s, 2s, 4s, 8s). Cap at 5 retries. Alert if retries exhausted.
Client errors
400/422 responses from invalid payloads, missing fields, bad file formats. Do not retry -- fix the request. Log the full request and response for debugging.
State conflicts
409 responses when a document is already voided or a signer already completed. Refresh the document status from the API before deciding what to do next.
Rate limiting and throughput
If your application creates signature requests in bulk -- onboarding batches, renewal campaigns, compliance re-signing -- you need to respect rate limits. Most platforms enforce per-minute or per-hour caps. Exceeding them results in 429 responses and temporary blocks.
Best practices: use a job queue (Redis-backed, SQS, or BullMQ) to throttle outbound API calls. Set your worker concurrency to stay within 80% of the documented rate limit. Implement client-side retry with backoff for 429 responses. For high-volume scenarios (1,000+ documents per day), request a higher rate limit from your provider or use batch endpoints.
UX: reduce signer friction (without reducing evidence)
The best embedded signature experience is the one a signer does not think about. Every extra click, every confusing label, every unnecessary page reload increases abandonment. Here are the proven friction-reduction patterns:
- Auto-navigate to the next required field. After a signer completes one field, scroll or jump to the next. Do not make them hunt through a multi-page document.
- Make the CTA explicit. Use "Sign and finish" or "Apply signature", not generic "Submit". The signer should know exactly what clicking the button does.
- Use sequential signing for counterparty deals. Send to Party A first, then Party B. This avoids confusion about who signs where and eliminates "I thought you signed already" emails.
- Design mobile-first. Over 40% of signers complete on mobile devices. Test your embedded experience on small screens. Pinch-to-zoom on a PDF is not an acceptable UX.
- Show a progress indicator. For multi-page or multi-field documents, show "Field 3 of 7" or a progress bar. Signers abandon less when they know how much is left.
- Minimise authentication friction. If your signer is already logged into your app, do not force them to re-authenticate. Pass identity context through your integration so the platform trusts the session.
What to store for audits and support tickets
If you only store completed = true, you will regret it the first time a signer disputes a signature, a regulator asks for evidence, or a support ticket requires you to reconstruct what happened. Store enough to answer: who signed, when, from where, on what device, and what exactly they signed.
Audit-ready storage pack
- Final signed PDF -- sealed/tamper-evident with embedded digital certificate
- Audit trail / certificate of completion -- timestamped log of every event (sent, viewed, signed)
- Signer identity references -- email, IP address, authentication method used
- Document version hash -- SHA-256 of the document at time of signing to prove it was not altered
- Webhook payloads -- raw JSON from the platform, stored immutably for dispute resolution
- Consent records -- evidence that the signer agreed to use electronic signatures (required in some jurisdictions)
Testing your integration
Before going live, test these scenarios. Each one represents a real-world failure mode that will eventually occur in production:
| Scenario | What to test | Expected outcome |
|---|---|---|
| Duplicate webhook | Send the same event ID twice | Second is ignored, no side effects |
| Out-of-order events | Send COMPLETED before VIEWED | State advances correctly |
| Invalid HMAC | Send webhook with bad signature | Rejected with 401 |
| Expired timestamp | Send webhook with old timestamp | Rejected with 403 |
| PDF download failure | Simulate 503 on PDF fetch | Retry succeeds, document stored |
| Signer declines | Signer refuses to sign | Status set to declined, notifications sent |
How eSignHub fits
eSignHub is built around the principles in this guide: predictable state transitions, tamper-evident audit trails, and secure document storage. Whether you need simple signature capture or complex multi-party workflows, the platform provides hosted signing flows, encrypted deal rooms, and comprehensive audit trails out of the box.
Start with the hosted signing flow to validate your workflow, then leverage deal rooms and the Founder Ops Suite to streamline your document pipeline.
Building a document workflow?
Start with eSignHub's hosted signing flow, encrypted deal rooms, and Founder Ops Suite to streamline your document operations.
Sign Up Now