Signify can handle up to Restricted and Sensitive Normal data.

Features

Signify currently offers the following features:

• End-to-end workflow to send out invitations and collect Sign with Singpass signatures

• Admin dashboard to track signatures

• Mobile support

• Multi-party collaborative signing on the same document

• Fixed signing locations

You can use Signify for any use cases that require Secure Electronic Signatures (SES).

Under the Electronics Transaction Act, the following are excluded:

1. The creation or execution of a will

2. The creation, performance or enforcement of an indenture, declaration of trust or power of attorney, with the exception of implied, constructive and resulting trusts and a lasting power of attorney defined under section 2(1) of the Mental Capacity Act 2008

3. Any contract for the sale or other disposition of immovable property, or any interest in such property

4. The conveyance of immovable property or the transfer of any interest in immovable property

Signify is a document hub that provides collaborative SES (secured electronic signing) capability in accordance with Electronic Transactions Act.

Released

1. FormSG collected data

2. uploaded CSV of data rows

Before that, the Singpass root signing certificates must be installed on your device. If you do not have the Singpass root signing certificates on your device, please follow the steps below.

1. There are 2 Singpass root signing certificates that you should download.

   1. In your folder that you have chosen, you should find the file SNRCA-G1.cer.

2. In your folder that you have chosen, you should find the files

   1. SNRCA-G1.cer.

   1. RCA-B1.crt

1. Click "Acrobat Reader" on the top left.

1. Navigate to "Preferences"

1. Under Categories, find and click "Signatures".

1. Click "more" under Identities and Trusted Certificates.

1. Click on "Trusted Certificates"

1. Click Import

1. Under contacts, click "Browse" and choose the certificates you have downloaded in earlier step.

1. Under certificates, click on Singapore National Root CA - G1 and then click Trust

1. Check "Use this certificate as a trusted root" with a tick and press OK

1. Click on Import

You should now be able to see Singapore National Root CA - G1 under your Trusted Certificates.

Repeat the same steps for the 2nd root certificate. At the end of the steps, you should be able to see Singapore National Root CA - B1 under your Trusted Certificates

1. Enable certification revocation checking This can be found under preferences > signatures > verification

All done!

Sign with Singpass signatures can be verified using the Adobe Acrobat Reader application. This should already be installed on your government devices. However, if you are verifying on a non-government device, please:

Verifying signatures

Please follow the steps below to verify a Sign with Singpass signature.

1. Open up signed document on Adobe Acrobat Reader

2. Check if green tick with "Signed and all signatures are valid"

1. Go to signature panel

In signature panel, each signature should show:

• Document has not been modified

• Signer's identity is valid

• The signature includes an embedded timestamp

• Signature is long term validation (LTV) enabled

Document owner should "click to view this version" to visually inspect that the contents of the document version is signed correctly.

1. Click on each signature and inspect certificate

Go into signature properties

Show signer's certificate

Certificate should include the following:

• Singapore National Root CA - G1

• Singapore NDI Intermediate CA 1 - G2

• Signer's full name (as per NRIC)

Click the full name and then "details"

Check under subject that signer's name and last 4 characters of NRIC is correct.

Are the signatures authentic?

How to verify signatures?

"Certificate validity is unknown"?

Can the signed document be edited?

After a document has been signed, if there are any edits made, there will be a warning that the signed document has been edited after it was signed, when you open the file in Adobe PDF reader.

You will also be able to see the exact copy of the document that was signed, before the changes were made.

Will the signature expire?

Signatures do not expire. Documents are signed by Signify using the PDF Advanced Electronic Signatures Long-Term Validation (PAdES-LTV) standard.

If a signer migrates, will the signature still be valid?

Yes. The document can be traced back to the signer.

What is the difference between Signify and FormSG + Singpass?

Signing in through Singpass on FormSG only provides Ordinary Electronic Signatures (OES) and not Secure Electronic Signatures (SES).

Difference between Secure Electronic Signatures and Ordinary Electronic Signatures?

Ordinary Electronic Signatures (OES) is a broad category that refers to electronic signatures that are not SES.

The key difference between a secure electronic signature and an ordinary electronic signature is that while both are accorded legal effect under the ETA, only secure electronic signatures are accorded the following presumptions:

• It is the signature of the person to whom it correlates;

• It is affixed by that person with the intention of signing or approving the electronic record; and

• It is authentic and has integrity.

Login with Singpass in Signify provides proof of identity, since the login is verified against his Singpass account.

These presumptions are important in disputes over the validity of electronic signatures, as they will automatically apply for secure electronic signatures. The disputing party will then have to adduce evidence to the contrary if it is claiming that the electronic signature is not valid.

If I print the document out, does the document still hold legal effect?

A digital signature consists of a transformation of an electronic record using an asymmetric cryptosystem and a hash function such that a person having the initial untransformed electronic record and the signer’s public key can accurately determine whether the:

1. transformation was created using the private key that corresponds to the signer’s public key and

2. if the initial electronic record has been altered since the transformation was made.

The digital signature is not the picture that we see affixed on the document. The signature is the electronic record behind the image. Hence, a printed copy of the document is not valid as the digital signature cannot be authenticated.

This is true for all platforms and all digital signatures governed under the Electronic Transactions Act.

If I password protect the document, will it alter the electronic signature?

Yes, PDFs uploaded onto Signify cannot be password protected, as this will change the file and make the signature invalid.

What is Signify?

Signify is a Singapore government product to allow agencies to collect Sign with Singpass signatures on documents.

Who can use Signify?

The documents can be sent to anyone with a Singpass account for signing.

Is there any cost to using Signify?

No, there is no cost. Signify is free of charge.

Is there any onboarding required to use Signify? Do I need to be whitelisted?

What is the advantage of Sign with Singpass signatures?

As we are unable to provide legal advice, please consult your agency legal department for legal advice on Secure Electronic Signatures and the Electronic Transactions Act.

Can the signatory contact the document owner?

Yes. When the owner sends the link to them, there is an email address included in the email.

Can I use without Singpass app?

Currently no as it is required for Sign with Singpass to get secure electronic signatures.

Is Corppass signing supported?

Unfortunately no as there are no Corppass certificates available yet. The individual can still represent the organisation to sign. You could consider adding a line on the document itself which says Company Representative under the signature.

Where is the data hosted?

The data is hosted in Singapore.

API Documentation

This page is meant for developers, vendors, and IT administrators to understand how to generate the bearer token to access our API to create documents for signing.

Bearer Token & API Key Generation

Bearer authentication (also called token authentication) is an HTTP authentication scheme that involves security tokens called bearer tokens. Signify uses bearer authentication.

To generate the token, click on "API Integration" in the navigation bar. From there, click on Generate API key and copy the token. Use this key to start using Signify's API.

Authentication

Signify's API uses API Key for authentication. User can view and manage API Keys in Signify API Dashboard.

Production secret keys will have production_v1_version prefix.

Authentication to the API is performed via bearer auth.

Sample CURL request:

curl -X POST "https://app.signify.gov.sg/public/v1/documents" \
  -H 'Authorization: Bearer <API_KEY>' \
  -H 'Content-Type: multipart/form-data' \
  -F 'documentName=Testing API' \
  -F 'recipients=[{"email":"<EMAIL_1>","requiredSignatures":[{"page":1, "positionX":0.1, "positionY":0.2}, {"page":1, "positionX":0.2, "positionY":0.3}], "customMessage": "Please sign on Page 3."},{"email":"<EMAIL_2>","requiredSignatures":[{"page":1, "positionX":0.5, "positionY":0.5}]}]' \
  -F 'file=@"<FILE_PATH>"'

All API requests must be made over HTTPS. Calls made over plain HTTP will fail and requests without authentication will also fail.

Errors

Signify API uses conventional API Error to indicate the success or failure of an API request.

{
  "message": "Unauthorized"
}

Rate Limits

For all of Signify's APIs, Signify allows up to 100 requests per 10 seconds (subject to change).

Endpoints

Create Document

POST /v1/documents

Content type

The request must be of type multipart/form-data.

Signing modes

We support two modes of signing invitation: (1) signing by email and (2) signing by link.

• In signing by email, the API caller supplies the email addresses of the signatories, and an email invite is sent out by Signify to the signatories to sign the document.

• In signing by link, no email addresses are supplied by the API caller. Signing links are returned to the API caller, who can then redirect their users to the signing link.

The signing mode is specified in the documentMode property of the request body.

Signing by Email

The mandatory fields in request body are:

1. documentName - the document name

2. recipients - an array of {email: string, totalSignatures: number, customMessage?: string}

3. file - the file binary

The optional fields in the request body are:

1. documentMode - For signing by email, you may specify this to be email. If not specified, this will default to email.

Sample CURL request:

curl -X POST "https://app.signify.gov.sg/public/v1/documents" \
  -H 'Authorization: Bearer <API_KEY>' \
  -H 'Content-Type: multipart/form-data' \
  -F 'documentName=Testing API' \
  -F 'recipients=[{"email":"<EMAIL_1>","totalSignatures":1, "customMessage": "Please sign on Page 3."},{"email":"<EMAIL_2>","totalSignatures":1}]' \
  -F 'file=@"<FILE_PATH>"'

Returns:

{
    "documentId": 20
}

Explanation of fields returned:

Signing by Link

The mandatory fields in request body are:

1. documentName - the document name

2. totalSignaturesByLink - a length 1 array of {totalSignatures: number}

3. file - the file binary

4. documentMode - this must be specified as link

Sample CURL request:

curl -X POST "https://app.signify.gov.sg/public/v1/documents" \
  -H 'Authorization: Bearer <API_KEY>' \
  -H 'Content-Type: multipart/form-data' \
  -F 'documentName="Document 1"' \
  -F 'totalSignaturesByLink="[{\"totalSignatures\":3}]"' \
  -F 'documentMode="link"' \
  -F 'file=@"<FILE_PATH>"'

Returns:

{
    "documentId": "3",
    "signingLinks": [
        {
            "signingLink": "https://app.signify.gov.sg/documents/sign/01hfk78xjafvn9n8xn084a9rsn",
            "totalSignatures": 3
        }
    ]
}

Explanation of fields returned:

Get Single Document

GET /v1/documents/:id

Sample CURL request:

curl -X GET "https://app.signify.gov.sg/public/v1/documents/6" \
  -H 'Authorization: Bearer <API_KEY>'

Returns:

For signing by email:

{
    "id": 6,
    "documentName": "Document 1",
    "documentUrl": "https://app.signify.gov.sg/api/v1/bucket/01hfkatk5tc2mgxq1wefhyn52d",
    "expiresAt": "2023-12-19T15:59:59.999Z",
    "createdAt": "2023-11-19T08:23:20.488Z",
    "status": "draft",
    "signingInvitations": [
        {
            "signatory": "email1@open.gov.sg",
            "totalSignatures": 3,
            "status": "draft",
            "completedSignatures": []
        },
        {
            "signatory": "email2@open.gov.sg",
            "totalSignatures": 1,
            "status": "signed",
            "completedSignatures": [
                {
                    "name": "MY NAME",
                    "timeStamp": "2023-11-19T08:31:36.000Z"
                }
            ]
        }
    ],
    "documentMode": "email"
}

For signing by link:

{
    "id": 313,
    "documentName": "Document 1",
    "documentUrl": "https://app.signify.gov.sg/api/v1/bucket/01hfna3nxdxf9nzvev5hw7aaf1",
    "expiresAt": "2023-12-20T15:59:59.999Z",
    "createdAt": "2023-11-20T02:49:17.105Z",
    "status": "signed",
    "signingInvitations": [
        {
            "signingLink": "https://app.signify.gov.sg/documents/sign/01hfna3p1f095s5aqph2dsjr07",
            "totalSignatures": 3,
            "status": "signed",
            "completedSignatures": [
                {
                    "name": "MY NAME",
                    "timeStamp": "2023-11-20T02:49:37.000Z"
                },
                {
                    "name": "MY NAME",
                    "timeStamp": "2023-11-20T02:50:00.000Z"
                },
                {
                    "name": "MY NAME",
                    "timeStamp": "2023-11-20T02:53:04.000Z"
                }
            ]
        }
    ],
    "documentMode": "link"
}

Explanation of fields returned:

Delete Document

DELETE /v1/documents/:id

Sample CURL request:

curl -X DELETE "https://app.signify.gov.sg/public/v1/documents/6" \
  -H 'Authorization: Bearer <API_KEY>'

Returns:

{
    "message": "Document deleted"
}

Is there a limit to how many individual signers you can have?

Each document can have up to 30 signatures on it.

There is no limit on how many documents you can send out for signing. However, 1 signature using Signify can apply to the entire document. Hence it may be worthwhile changing processes (such as having 1 signature on each page).

Can we have repeated email addresses?

There cannot be duplicated email addresses.

Can my signatory sign on Signify if they do not have a Singpass account?

If a signature is made without a valid certificate under the ETA (e.g. if the signatory simply used an e-pen to sign digitally), this does not have the effect of a Secure Electronic Signature.

Can we stop the signing process once there are enough signers?

Currently, Signify's workflow is meant for every signer you sent out to sign. As a workaround, once you have enough signatures, you may download the in-progress document and then delete it on the dashboard so no one else can sign.

Will we be able to save the document?

Can the admin be one of the signees

Yes.

Can the document be in other formats other than PDF?

No it must be in PDF, hence you need to convert it to PDF.

Can we have both email and link modes in one workflow?

This is currently not possible.

Is a timestamp included?

Yes the timestamp is included as part of the signature.

What information do we get from signees?

The full name, last 4 characters of NRIC and timestamp of signature.

Can the signature box be resized?

Currently no as the Sign with Singpass signature follows a standard specification.

Can you support other types of signatures (e.g. deed stamp?)

It is currently not possible.

Can I password protect documents?

It is not possible as this modifies the document and its validity.

Is it possible for my document recipient to sign multiple pages at once?

This is not possible as Singpass only allows signing one at a time. As a Sign with Singpass signature is applied to the entire document, do consider making changes to your document to require less signatures. You may also clearly explain to the signer (verbally and/or within document) that by providing the signature, they are acknowledging that they have read and agreed to all the contents of the document.

The signer has sent me a document directly! Is this valid?

Completed signatures will be sent by Signify from donotreply@mail.postman.gov.sg instead.

In this case, our suggestion is to have clearer instructions to the signer via your personalised messages or uploaded document that you will only accept Singpass signatures.

The main difference compared to API version 1 is that users can now create documents with fixed signature locations in POST v2/documents.

API Documentation

This page is meant for developers, vendors, and IT administrators to understand how to generate the bearer token to access our API to create documents for signing.

Bearer Token & API Key Generation

Bearer authentication (also called token authentication) is an HTTP authentication scheme that involves security tokens called bearer tokens. Signify uses bearer authentication.

To generate the token, click on "API Integration" in the navigation bar. From there, click on Generate API key and copy the token. Use this key to start using Signify's API.

Authentication

Signify's API uses API Key for authentication. User can view and manage API Keys in Signify API Dashboard.

Production secret keys will have production_v1_version prefix.

Authentication to the API is performed via bearer auth.

Sample CURL request:

curl -X POST "https://app.signify.gov.sg/public/v1/documents" \
  -H 'Authorization: Bearer <API_KEY>' \
  -H 'Content-Type: multipart/form-data' \
  -F 'documentName=Testing API' \
  -F 'recipients=[{"email":"<EMAIL_1>","requiredSignatures":[{"page":1, "positionX":0.1, "positionY":0.2}, {"page":1, "positionX":0.2, "positionY":0.3}], "customMessage": "Please sign on Page 3."},{"email":"<EMAIL_2>","requiredSignatures":[{"page":1, "positionX":0.5, "positionY":0.5}]}]' \
  -F 'file=@"<FILE_PATH>"'

All API requests must be made over HTTPS. Calls made over plain HTTP will fail and requests without authentication will also fail.

Errors

Signify API uses conventional API Error to indicate the success or failure of an API request.

{
  "message": "Unauthorized"
}

Rate Limits

For all of Signify's APIs, Signify allows up to 100 requests per 10 seconds (subject to change).

Endpoints

Create Document

POST /v2/documents

Content type

The request must be of type multipart/form-data.

Signing modes

We support two modes of signing invitation: (1) signing by email and (2) signing by link.

• In signing by email, the API caller supplies the email addresses of the signatories, and an email invite is sent out by Signify to the signatories to sign the document.

• In signing by link, no email addresses are supplied by the API caller. Signing links are returned to the API caller, who can then redirect their users to the signing link.

The signing mode is specified in the documentMode property of the request body.

Both signing modes require the API caller to specify the location of the signature placeholders.

Signing by Email

The mandatory fields in request body are:

1. documentName - the document name

2. recipients - an array of {email: string, requiredSignatures: requiredSignature[], customMessage?: string}

3. file - the file binary

The optional fields in the request body are:

1. documentMode - For signing by email, you may specify this to be email. If not specified, this will default to email.

2. redirectUrl - Signify will redirect to this redirectUrl upon completion of signing (by each email receipient). Only URLs with a https protocol, and a .gov.sg domain will be accepted.

How to obtain positionX and positionY:

One way to obtain positionX and positionY is to

3. Use these values in your API call

Sample CURL request:

curl -X POST "https://app.signify.gov.sg/public/v2/documents" \
  -H 'Authorization: Bearer <API_KEY>' \
  -H 'Content-Type: multipart/form-data' \
  -F 'documentName=Testing API' \
  -F 'recipients=[{"email":"<EMAIL_1>","requiredSignatures":[{"page":1, "positionX":0.1, "positionY":0.2}, {"page":1, "positionX":0.2, "positionY":0.3}], "customMessage": "Please sign on Page 3."},{"email":"<EMAIL_2>","requiredSignatures":[{"page":1, "positionX":0.5, "positionY":0.5}]}]' \
  -F 'file=@"<FILE_PATH>"'

Returns:

{
    "documentId": 20
}

Explanation of fields returned:

Signing by Link

The mandatory fields in request body are:

1. documentName - the document name

2. totalSignaturesByLink - a length 1 array of {requiredSignatures: requiredSignature[]}

3. file - the file binary

4. documentMode - this must be specified as link

The optional fields in the request body are:

1. redirectUrl - Signify will redirect to this redirectUrl upon completion of signing. Only URLs with a https protocol, and a .gov.sg domain will be accepted.

How to obtain positionX and positionY:

One way to obtain positionX and positionY is to

3. Use these values in your API call

Sample CURL request:

curl -X POST "https://app.signify.gov.sg/public/v2/documents" \
  -H 'Authorization: Bearer <API_KEY>' \
  -H 'Content-Type: multipart/form-data' \
  -F 'documentName="Document 1"' \
  -F 'totalSignaturesByLink="[{"requiredSignatures": [{"page": 1, "positionX": 0, "positionY": 0}, {"page": 2, "positionX": 0.2, "positionY": 0.3}]} \
  -F 'documentMode="link"' \
  -F 'file=@"<FILE_PATH>"'

Returns:

{
    "documentId": "3",
    "signingLinks": [
        {
            "signingLink": "https://app.signify.gov.sg/documents/sign/01hfk78xjafvn9n8xn084a9rsn",
            "totalSignatures": 2
        }
    ]
}

Explanation of fields returned:

Get Documents

GET /v2/documents

Sample CURL request:

curl -X GET "https://app.signify.gov.sg/public/v2/documents" \
  -H 'Authorization: Bearer <API_KEY>'

Returns:

[
    {
        "id": 3,
        "documentName": "Document 1",
        "expiresAt": "2023-12-19T15:59:59.999Z",
        "createdAt": "2023-11-19T07:21:14.065Z",
        "status": "draft",
        "documentMode": "link"
    },
    {
        "id": 4,
        "documentName": "Document 2",
        "expiresAt": "2023-12-19T15:59:59.999Z",
        "createdAt": "2023-11-19T07:22:21.272Z",
        "status": "draft",
        "documentMode": "email"
    },
    {
        "id": 5,
        "documentName": "Document 3",
        "expiresAt": "2023-12-19T15:59:59.999Z",
        "createdAt": "2023-11-19T08:23:07.277Z",
        "status": "draft",
        "documentMode": "email"
    }
]

Explanation of fields returned:

Get Single Document

GET /v2/documents/:id

Sample CURL request:

curl -X GET "https://app.signify.gov.sg/public/v2/documents/6" \
  -H 'Authorization: Bearer <API_KEY>'

Returns:

For signing by email:

{
    "id": 6,
    "documentName": "Document 1",
    "documentUrl": "https://app.signify.gov.sg/api/v1/bucket/01hfkatk5tc2mgxq1wefhyn52d",
    "expiresAt": "2023-12-19T15:59:59.999Z",
    "createdAt": "2023-11-19T08:23:20.488Z",
    "status": "draft",
    "signingInvitations": [
        {
            "signatory": "email1@open.gov.sg",
            "totalSignatures": 3,
            "status": "draft",
            "completedSignatures": []
        },
        {
            "signatory": "email2@open.gov.sg",
            "totalSignatures": 1,
            "status": "signed",
            "completedSignatures": [
                {
                    "name": "MY NAME",
                    "timeStamp": "2023-11-19T08:31:36.000Z"
                }
            ]
        }
    ],
    "documentMode": "email"
}

For signing by link:

{
    "id": 313,
    "documentName": "Document 1",
    "documentUrl": "https://app.signify.gov.sg/api/v1/bucket/01hfna3nxdxf9nzvev5hw7aaf1",
    "expiresAt": "2023-12-20T15:59:59.999Z",
    "createdAt": "2023-11-20T02:49:17.105Z",
    "status": "signed",
    "signingInvitations": [
        {
            "signingLink": "https://app.signify.gov.sg/documents/sign/01hfna3p1f095s5aqph2dsjr07",
            "totalSignatures": 3,
            "status": "signed",
            "completedSignatures": [
                {
                    "name": "MY NAME",
                    "timeStamp": "2023-11-20T02:49:37.000Z"
                },
                {
                    "name": "MY NAME",
                    "timeStamp": "2023-11-20T02:50:00.000Z"
                },
                {
                    "name": "MY NAME",
                    "timeStamp": "2023-11-20T02:53:04.000Z"
                }
            ]
        }
    ],
    "documentMode": "link"
}

Explanation of fields returned:

Delete Document

DELETE /v2/documents/:id

Sample CURL request:

curl -X DELETE "https://app.signify.gov.sg/public/v2/documents/6" \
  -H 'Authorization: Bearer <API_KEY>'

Returns:

{
    "message": "Document deleted"
}

Will the signer receive a copy of the document?

Yes, the document will be available for download 30 days before it is removed.

What data can be seen in the document?

In the signature, your full name will be recorded. In the embedded signing certificate, the last four characters of NRIC will also be embedded in the document.

Can someone sign on a person's behalf?

Yes, if the signer is legally authorised to sign on behalf of another person. The signer would use his own Singpass account to sign, similar to what he would do for wet ink signature.

Can I sign on Signify without Singpass?

How long will documents be available for download for signee?

If the document is not deleted by the admin through the platform or APIs, they will be available for 30 days after all signatories have signed the document.

Can more than 1 person sign at the same time?

While the invitation to sign can be sent to more than 1 person, only one person can sign at a given time. There will be an error message that pops up to try again later if a signing session is ongoing.

Is bulk signing possible?

This is not supported at the Sign with Singpass protocol does not allow signing on multiple documents or place multiple signatures at a time yet. If this is made possible in future, we will also consider!

When signee receives the email to sign via email, which email do they see?

The email address mentioned will be the email address that generated the API key.

Can Signify provide progress of the workflow?

You may use the "Get Single Document" API which will include expiry dates, document status, signees signing statuses.

Signature is invalid: there are errors in the formatting or information contained in this signature

It is likely the intranet has a firewall which does "Content disarm and reconstruction (CDR)". When the file goes through the firewall, the firewall processes and rewrites the content in what it considers to be a "safer format". However, that unfortunately modifies the Singpass signature and renders it invalid. You may need to ask your IT department to help with this, and either disable the CDR functionality for such pdf files, or else update their CDR code so that it does not modify Singpass signatures in PDF files.

How to get the X & Y coordinates through Signify's APIs?

You can create the document using our UI and inspect the network call.

If you experience issues uploading PDF

If you experience errors uploading the PDF, the PDF might have been generated using an older version of PDF that cannot be signed.

To fix this, you will need to regenerate the PDF file. One way to do so is to open the PDF file in Chrome, click on Print, and then Save as PDF. This will fix any issues.

Example: Open and Print a PDF using Edge/Chrome

Step 1: Open the file in Chrome and click on Print

Alternatively, you can also re-save the original .doc file using a newer version of Microsoft Word.

Why are my signatures rotated?

A possible reason is that the document was actually scanned / created in landscape first, and then rotated 90 degrees in Adobe Acrobat. There is a limitation currently in the Signify application that cannot handle this setup. To fix this, please re-scan the document in portrait A4.