POST /v1/certify
Apply a PKCS#7 detached digital signature to a PDF. This cryptographically proves the document has not been tampered with since certification and identifies the certifier.
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
pdf | string | Yes | Base64-encoded PDF bytes |
certificatePem | string | Yes* | X.509 certificate in PEM format |
privateKeyPem | string | Yes* | RSA private key in PEM format (PKCS#8) |
certificateId | string | No | ID of a saved certificate (hosted API only). Use instead of inline PEM. |
reason | string | No | Certification reason (e.g., “Approved”, “Reviewed”) |
location | string | No | Certification location (e.g., “San Francisco, CA”) |
contact | string | No | Certifier contact information |
visible | boolean | No | Show a visible signature annotation on the page (default: false) |
x | number | No | X coordinate in points from the left edge (for visible signatures) |
y | number | No | Y coordinate in points from the bottom edge (for visible signatures) |
width | number | No | Width of the visible signature in points (default: 200) |
height | number | No | Height of the visible signature in points (default: 50) |
certificatePem + privateKeyPem or certificateId is required.
Using Inline Certificates
Pass the certificate and private key directly in the request body:Using Saved Certificates
On the hosted API, you can save certificates in Credentials and reference them by ID. This avoids sending private keys in every request.Saved certificates are not available on self-hosted instances. Pass
certificatePem and privateKeyPem directly.Response
200 OK with Content-Type: application/pdf — the certified PDF.
Related
- Digital Certification — certifying at render time, visible signatures, known limitations
- Credentials & Certificates — managing saved certificates