Send documents for signing, verify authenticity, and archive to AdaptVault — all with a simple REST API.
Get your API key

All API requests require a Bearer token in the Authorization header. Create an API key from your dashboard settings.

```
curl -H "Authorization: Bearer adoc_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
  https://doc.adaptensor.com/api/v1/documents
```
Key format: adoc_live_ + 32 random hex characters
Scoped permissions: Each key is limited to specific scopes (e.g., documents:read, documents:send). A request fails with 403 if the key lacks the required scope.
Storage: Keys are SHA-256 hashed. The plaintext is shown once at creation — store it securely.
API requests are rate-limited per key using a sliding window.
Every response includes rate limit headers:
```
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 87
X-RateLimit-Reset: 1741564800
```
Register webhooks from the webhooks settings page for dashboard-managed endpoints, or programmatically subscribe via POST /api/v1/hooks for Zapier-style integrations.
| Event | Description |
|---|---|
| document.sent | Document sent to signers |
| document.signed | A signer completed their signature |
| document.completed | All signers have signed |
| document.declined | A signer declined |
| document.voided | Document voided by sender |
| document.expired | Document expired before signing |
| party.completed | A signing party (multi-signer group) completed |
| packet.sent | Multi-document packet sent |
| packet.completed | All packet documents signed |
| packet.declined | A packet signer declined |
| bulk_send.completed | Bulk-send batch finished |

Payloads are signed with HMAC-SHA256. The header value is prefixed with sha256=. Webhooks created via POST /api/v1/hooks also include an X-AdaptDoc-Timestamp header and sign `${timestamp}.${body}` to prevent replay attacks; dashboard-managed webhooks sign the body alone. Detect the scheme by the presence of the timestamp header:
```javascript
const crypto = require("crypto");

// WEBHOOK_SECRET is the signing secret for this webhook, loaded from your own configuration.
const headerSig = request.headers["x-adaptdoc-signature"]; // "sha256=<hex>"
const timestamp = request.headers["x-adaptdoc-timestamp"]; // ISO string, may be undefined
const rawBody = request.rawBody; // request body as a string

// Subscription webhooks include the timestamp in the signed payload to make
// replay attacks visible. Dashboard webhooks sign the body alone.
const signedPayload = timestamp ? `${timestamp}.${rawBody}` : rawBody;
const expected = Buffer.from("sha256=" + crypto
  .createHmac("sha256", WEBHOOK_SECRET)
  .update(signedPayload)
  .digest("hex"));
// A missing signature header becomes an empty buffer and fails the length check.
const received = Buffer.from(headerSig || "");

// Timing-safe compare prevents timing side-channel attacks. timingSafeEqual
// throws on unequal lengths, so compare byte lengths first.
const valid = received.length === expected.length &&
  crypto.timingSafeEqual(received, expected);
if (!valid) {
  throw new Error("Invalid webhook signature");
}
```

When the ADAPTVAULT_ECOSYSTEM_KEY is configured, every signed document and its signing certificate are automatically pushed to AdaptVault for permanent archival. This happens in the background after signing completes — no additional API calls are needed.
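The webhook signature scheme described above only stops replays if the receiver also rejects old timestamps once the HMAC has verified. The following is an added example, not AdaptDoc's own code, that wraps both checks in one function and runs it against constructed deliveries. The 5-minute tolerance, the function names, and the sample secret, body and timestamp are assumptions made for the example.

```javascript
const crypto = require("crypto");

// Assumption: the 5-minute tolerance is this example's choice, not an AdaptDoc value.
const DEFAULT_TOLERANCE_MS = 5 * 60 * 1000;

function hmacHeader(secret, payload) {
  return "sha256=" + crypto.createHmac("sha256", secret).update(payload).digest("hex");
}

// Returns { ok, reason }. `headers` uses lower-case names, as Node's HTTP server provides.
function verifyWebhook({ headers, rawBody, secret, now = Date.now(), toleranceMs = DEFAULT_TOLERANCE_MS }) {
  const headerSig = headers["x-adaptdoc-signature"];
  const timestamp = headers["x-adaptdoc-timestamp"];
  if (typeof headerSig !== "string") return { ok: false, reason: "missing signature" };

  const expected = Buffer.from(hmacHeader(secret, timestamp ? `${timestamp}.${rawBody}` : rawBody));
  const received = Buffer.from(headerSig);
  // timingSafeEqual throws on unequal lengths, so compare byte lengths first.
  if (received.length !== expected.length || !crypto.timingSafeEqual(received, expected)) {
    return { ok: false, reason: "bad signature" };
  }
  // Check freshness only after the MAC verifies, so the timestamp itself is authenticated.
  if (timestamp) {
    const sentAt = Date.parse(timestamp);
    if (Number.isNaN(sentAt) || Math.abs(now - sentAt) > toleranceMs) {
      return { ok: false, reason: "stale timestamp" };
    }
  }
  return { ok: true, reason: "ok" };
}

// Constructed sample delivery (secret, body and time are made up for this example).
const SAMPLE_SECRET = "example-webhook-secret";
const SAMPLE_BODY = JSON.stringify({ event: "document.signed", id: "doc_example" });
const SAMPLE_TS = "2025-03-10T00:00:00.000Z";
const SAMPLE_NOW = Date.parse(SAMPLE_TS) + 30 * 1000;

function sampleDelivery(withTimestamp) {
  const payload = withTimestamp ? `${SAMPLE_TS}.${SAMPLE_BODY}` : SAMPLE_BODY;
  const headers = { "x-adaptdoc-signature": hmacHeader(SAMPLE_SECRET, payload) };
  if (withTimestamp) headers["x-adaptdoc-timestamp"] = SAMPLE_TS;
  return { headers, rawBody: SAMPLE_BODY, secret: SAMPLE_SECRET };
}
```

Dashboard-managed deliveries carry no timestamp, so this function cannot bound their age; deduplicating on an identifier in the payload is the usual complement there.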
All errors follow a consistent envelope format:
```json
{
  "error": "Document not found",
  "status": 404
}
```

| Code | Meaning |
|---|---|
| 400 | Bad request — missing or invalid parameters |
| 401 | Unauthorized — invalid, revoked, or expired API key |
| 403 | Forbidden — key lacks the required scope |
| 404 | Not found — document or resource doesn't exist |
| 429 | Rate limited — too many requests, check X-RateLimit-Reset |
| 500 | Server error — contact support if persistent |
AdaptDoc API v1 — Part of the Adaptensor ecosystem
Questions? support@doc.adaptensor.com