Build the request yourself

Open format

Host a single HTTPS endpoint on your server. The signing app receives its URL as the request_url query parameter and calls it with GET, HEAD, and POST.

Endpoint contract

HEAD — probe the endpoint. Respond with Content-Type: application/pdf and header X-Sigilla-IoSigno-Type: request. We do not validate magic bytes or parse the PDF on HEAD.

GET — return the PDF bytes for the signer to review.

POST — receive the detached signature as a binary body. Respond with 303 on success with a Location header containing the URL the signer must be redirected to after the signature succeeds, or 400 with a plain-text error message shown verbatim to the signer. We may send an optional Accept-Language header to help you localize the message — do not assume it is always present.

Paste the endpoint URL in the create flow to generate your signing QR.

Security and responsibilities

When self-hosting, you are responsible for validating all incoming POST requests — data validation, signature validity, expiration checks, user certificate validation, and any business rules. The POST URL is reachable over HTTPS: anyone can call it with arbitrary data. Treat every request as untrusted.

That's the entire integration. The signing app accepts any endpoint you host yourself.