Signify can handle up to Restricted and Sensitive Normal data.

Released

Features

Signify currently offers the following features:

• Secure electronic signatures (read difference between OES and SES)

• End-to-end workflow to send out invitations and collect Sign with Singpass signatures

• Admin dashboard to track signatures

• Mobile support

• Multi-party collaborative signing on the same document

• Document filling/CSV upload ()

• Fixed signing locations

You can use Signify for any use cases that require Secure Electronic Signatures (SES).

Under the Electronics Transaction Act, the following are excluded:

1. The creation or execution of a will

2. The creation, performance or enforcement of an indenture, declaration of trust or power of attorney, with the exception of implied, constructive and resulting trusts and a lasting power of attorney defined under section 2(1) of the Mental Capacity Act 2008

3. Any contract for the sale or other disposition of immovable property, or any interest in such property

(source: )

Signify is a document hub that provides collaborative SES (secured electronic signing) capability in accordance with Electronic Transactions Act.

Signify is powered by Sign by Singpass where signing certificates are issued by the National Certification Authority. Signatures made using the Sign with Singpass will be regarded as secure electronic signatures under Singapore's Electronic Transactions Act. More details on Sign with Singpass are available on the Singpass website.

All government agencies, as well as public healthcare institutions in Singapore, can use Signify. It is currently used by over 100 government agencies and public healthcare institutions. You can log in with your agency email address at .

Signers can only access the signable document from a Singapore IP address.

Sign with Singpass signatures can be verified using the Adobe Acrobat Reader application. This should already be installed on your government devices. However, if you are verifying on a non-government device, please:

• download Adobe Acrobat Reader here

• load Singpass root signing certificates

Verifying signatures

Please follow the steps below to verify a Sign with Singpass signature.

1. Open up signed document on Adobe Acrobat Reader

2. Check if green tick with "Signed and all signatures are valid"

1. Go to signature panel

In signature panel, each signature should show:

• Document has not been modified

• Signer's identity is valid

• The signature includes an embedded timestamp

• Signature is long term validation (LTV) enabled

Document owner should "click to view this version" to visually inspect that the contents of the document version is signed correctly.

1. Click on each signature and inspect certificate

Go into signature properties

Show signer's certificate

Certificate should include the following:

• Singapore National Root CA - G1

• Singapore NDI Intermediate CA 1 - G2

• Signer's full name (as per NRIC)

Click the full name and then "details"

Check under subject that signer's name and last 4 characters of NRIC is correct.

When signee receives the email to sign via email, which email do they see?

The email address mentioned will be the email address that generated the API key.

Can Signify provide progress of the workflow?

You may use the "Get Single Document" API which will include expiry dates, document status, signees signing statuses.

Signature is invalid: there are errors in the formatting or information contained in this signature

It is likely the intranet has a firewall which does "Content disarm and reconstruction (CDR)". When the file goes through the firewall, the firewall processes and rewrites the content in what it considers to be a "safer format". However, that unfortunately modifies the Singpass signature and renders it invalid. You may need to ask your IT department to help with this, and either disable the CDR functionality for such pdf files, or else update their CDR code so that it does not modify Singpass signatures in PDF files.

How to get the X & Y coordinates through Signify's APIs?

You can create the document using our UI and inspect the network call.

Will the signer receive a copy of the document?

Yes, the document will be available for download 30 days before it is removed.

What data can be seen in the document?

In the signature, your full name will be recorded. In the embedded signing certificate, the last four characters of NRIC will also be embedded in the document.

Can someone sign on a person's behalf?

Yes, if the signer is legally authorised to sign on behalf of another person. The signer would use his own Singpass account to sign, similar to what he would do for wet ink signature.

Can I sign on Signify without Singpass?

No. Singpass is required. This is because the Electronic Transactions Act recognises signatures made using certificates issued by Accredited Certificate Authorities (CA) as . Sign with Singpass uses signing certificates issued by an accredited CA, Assurity.

How long will documents be available for download for signee?

If the document is not deleted by the admin through the platform or APIs, they will be available for 30 days after all signatories have signed the document.

Can more than 1 person sign at the same time?

While the invitation to sign can be sent to more than 1 person, only one person can sign at a given time. There will be an error message that pops up to try again later if a signing session is ongoing.

Is bulk signing possible?

This is not supported at the Sign with Singpass protocol does not allow signing on multiple documents or place multiple signatures at a time yet. If this is made possible in future, we will also consider!

If you experience issues uploading PDF

If you experience errors uploading the PDF, the PDF might have been generated using an older version of PDF that cannot be signed.

To fix this, you will need to regenerate the PDF file. One way to do so is to open the PDF file in Chrome, click on Print, and then Save as PDF. This will fix any issues.

Example: Open and Print a PDF using Edge/Chrome

Step 1: Open the file in Chrome and click on Print

This only applies to documents signed on 11 and 12 June 2025

The timestamp certificate proves that your document was signed at the stated time. In order to verify that the timestamp certificate in your downloaded document is valid, you might need to load in the timestamp root certificate.

To load it in, please follow the steps below:

1. Download the GlobalSign root certificate from here.

   1. If you're unable to access that link, please visit GlobalSign's CA repository and download the R6 GlobalSign Root Certificate.

2. In your folder that you have chosen, you should find the file root-r6.crt

3. Open Adobe PDF reader. If you do not have this, you may download and install .

4. Click "Acrobat Reader" on the top left.

5. Navigate to "Preferences"
6. Under Categories, find and click "Signatures".

7. Click "more" under Identities and Trusted Certificates.

8. Click on "Trusted Certificates"

9. Click Import

10. Under contacts, click "Browse" and choose the certificate you have downloaded in the earlier step.
11. Under certificates, click on GlobalSign and then click Trust
12. Check "Use this certificate as a trusted root" with a tick and press OK

1. Click on Import
2. You should now be able to see that the signature includes an embedded timestamp

All done!

Is there a limit to how many individual signers you can have?

Each document can have up to 30 signatures on it.

There is no limit on how many documents you can send out for signing. However, 1 signature using Signify can apply to the entire document. Hence it may be worthwhile changing processes (such as having 1 signature on each page).

What is Signify?

Signify is a Singapore government product to allow agencies to collect Sign with Singpass signatures on documents.

Who can use Signify?

In order to verify if a Sign with Singpass signature is valid, see here.

Before that, the Singpass root signing certificates must be installed on your device. If you do not have the Singpass root signing certificates on your device, please follow the steps below.

1. There are 2 Singpass root signing certificates that you should download.

   1. Go to IMDA's and download Root CA: Singapore National Root CA - G1 Certificate.

      In your folder that you have chosen, you should find the file SNRCA-G1.cer.

   2. Download the GovTech Root CA - B1 Certificate

1. Open Adobe PDF reader. If you do not have this, you may download and install .

1. Click "Acrobat Reader" on the top left.

1. Navigate to "Preferences"

1. Under Categories, find and click "Signatures".

1. Click "more" under Identities and Trusted Certificates.

1. Click on "Trusted Certificates"

1. Click Import

1. Under contacts, click "Browse" and choose the certificates you have downloaded in earlier step.

1. Under certificates, click on Singapore National Root CA - G1 and then click Trust

1. Check "Use this certificate as a trusted root" with a tick and press OK

1. Click on Import

You should now be able to see Singapore National Root CA - G1 under your Trusted Certificates.

Repeat the same steps for the 2nd root certificate. At the end of the steps, you should be able to see Singapore National Root CA - B1 under your Trusted Certificates

1. Enable certification revocation checking This can be found under preferences > signatures > verification

All done!

With docCentral, admins can create custom Signify documents through 2 ways:

1. FormSG collected data

2. uploaded CSV of data rows

Are the signatures authentic?

Yes. The signature is signed using Sign with Singpass. The signing certificates are issued by Assurity, an Accredited Certificate Authority under the Electronic Transactions Act (2010), and signatures made using Sign with Singpass are recognised as Secure Electronic Signatures.

How to verify signatures?

You can refer to on verifying signatures. Please ensure that the agency you are sending to does not modify the file in transit (content disarm and reconstruction).

"Certificate validity is unknown"?

If you see "Certificate validity is unknown", this is because you do not have the Singpass root signing certificate on your device. Please refer to this to install the Singpass root signing certificate.

Can the signed document be edited?

After a document has been signed, if there are any edits made, there will be a warning that the signed document has been edited after it was signed, when you open the file in Adobe PDF reader.

You will also be able to see the exact copy of the document that was signed, before the changes were made.

Will the signature expire?

Signatures do not expire. Documents are signed by Signify using the PDF Advanced Electronic Signatures Long-Term Validation (PAdES-LTV) standard.

If a signer migrates, will the signature still be valid?

Yes. The document can be traced back to the signer.

What is the difference between Signify and FormSG + Singpass?

Signing in through Singpass on FormSG only provides Ordinary Electronic Signatures (OES) and not Secure Electronic Signatures (SES).

Difference between Secure Electronic Signatures and Ordinary Electronic Signatures?

Ordinary Electronic Signatures (OES) is a broad category that refers to electronic signatures that are not SES.

The key difference between a secure electronic signature and an ordinary electronic signature is that while both are accorded legal effect under the ETA, only secure electronic signatures are accorded the following presumptions:

• It is the signature of the person to whom it correlates;

• It is affixed by that person with the intention of signing or approving the electronic record; and

• It is authentic and has integrity.

Login with Singpass in Signify provides proof of identity, since the login is verified against his Singpass account.

These presumptions are important in disputes over the validity of electronic signatures, as they will automatically apply for secure electronic signatures. The disputing party will then have to adduce evidence to the contrary if it is claiming that the electronic signature is not valid.

If I print the document out, does the document still hold legal effect?

A digital signature consists of a transformation of an electronic record using an asymmetric cryptosystem and a hash function such that a person having the initial untransformed electronic record and the signer’s public key can accurately determine whether the:

1. transformation was created using the private key that corresponds to the signer’s public key and

2. if the initial electronic record has been altered since the transformation was made.

The digital signature is not the picture that we see affixed on the document. The signature is the electronic record behind the image. Hence, a printed copy of the document is not valid as the digital signature cannot be authenticated.

This is true for all platforms and all digital signatures governed under the Electronic Transactions Act.

If I password protect the document, will it alter the electronic signature?

Yes, PDFs uploaded onto Signify cannot be password protected, as this will change the file and make the signature invalid.

The main difference compared to API version 1 is that users can now create documents with fixed signature locations in POST v2/documents.

API Documentation

This page is meant for developers, vendors, and IT administrators to understand how to generate the bearer token to access our API to create documents for signing.

Bearer Token & API Key Generation

Bearer authentication (also called token authentication) is an HTTP authentication scheme that involves security tokens called bearer tokens. Signify uses bearer authentication.

To generate the token, click on "API Integration" in the navigation bar. From there, click on Generate API key and copy the token. Use this key to start using Signify's API.

Authentication

Signify's API uses API Key for authentication. User can view and manage API Keys in Signify API Dashboard.

Production secret keys will have production_v1_version prefix.

Authentication to the API is performed via bearer auth.

Sample CURL request:

All API requests must be made over HTTPS. Calls made over plain HTTP will fail and requests without authentication will also fail.

Errors

Signify API uses conventional API Error to indicate the success or failure of an API request.

Rate Limits

For all of Signify's APIs, Signify allows up to 100 requests per 10 seconds (subject to change).

Endpoints

Create Document

POST /v2/documents

Content type

The request must be of type multipart/form-data.

Signing modes

We support two modes of signing invitation: (1) signing by email and (2) signing by link.

• In signing by email, the API caller supplies the email addresses of the signatories, and an email invite is sent out by Signify to the signatories to sign the document.

• In signing by link, no email addresses are supplied by the API caller. Signing links are returned to the API caller, who can then redirect their users to the signing link.

The signing mode is specified in the documentMode property of the request body.

Both signing modes require the API caller to specify the location of the signature placeholders.

Signing by Email

The mandatory fields in request body are:

1. documentName - the document name

2. recipients - an array of {email: string, requiredSignatures: requiredSignature[], customMessage?: string}

3. file - the file binary

The optional fields in the request body are:

1. documentMode - For signing by email, you may specify this to be email. If not specified, this will default to email.

2. redirectUrl - Signify will redirect to this redirectUrl upon completion of signing (by each email receipient). Only URLs with a https protocol, and a .gov.sg domain will be accepted.

How to obtain positionX and positionY:

One way to obtain positionX and positionY is to

1. Create a document via Signify web

2. Inspect the network call to , extract positionX and positionY from the payload

3. Use these values in your API call

Sample CURL request:

Returns:

Explanation of fields returned:

Signing by Link

The mandatory fields in request body are:

1. documentName - the document name

2. totalSignaturesByLink - a length 1 array of {requiredSignatures: requiredSignature[]}

3. file - the file binary

The optional fields in the request body are:

1. redirectUrl - Signify will redirect to this redirectUrl upon completion of signing. Only URLs with a https protocol, and a .gov.sg domain will be accepted.

How to obtain positionX and positionY:

One way to obtain positionX and positionY is to

1. Create a document via Signify web

2. Inspect the network call to , extract positionX and positionY from the payload

3. Use these values in your API call

Sample CURL request:

Returns:

Explanation of fields returned:

Get Documents

GET /v2/documents

Sample CURL request:

Returns:

Explanation of fields returned:

Get Single Document

GET /v2/documents/:id

Sample CURL request:

Returns:

For signing by email:

For signing by link:

Explanation of fields returned:

Delete Document

DELETE /v2/documents/:id

Sample CURL request:

Returns: