This chapter explains how to configure the REST connection in the SIGNATUS settings, under the section “Download using REST channel”.
2.1 Login with basic authentication and cookies
Login and Authentication
Login is required to enable cookie-based authentication.
- With login URL configured:
  - The login operation is the first step in communication with the server.
  - The request includes the username and password in the Basic Authentication header.
  - The server responds with a cookie.
  - This cookie is then sent in the header of all subsequent requests.
- (Android version only) Without login URL configured:
  - If only the list URL is configured, Basic Authentication is used instead.
  - In this case, the username and password are sent in the Basic Authentication HTTP header with each request.
  - The credentials are used directly for business-related operations (e.g., list of documents, document download, document upload).
| URL | Configured in “REST login URL” setting. Example: https://<host name>/<context>/api/login |
| Method | GET |
| Headers | Basic Authentication header carrying the username and password (values configured in the settings or entered by the user when prompted) |
| Response | HTTP 200 OK: Server responds with an authentication cookie, which should be used in all subsequent requests to the server. HTTP 403 Forbidden: Invalid credentials. |
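A server-side sketch of the login contract in the table above, added here as an example and not taken from SIGNATUS or any server it ships with. The cookie name `SESSION`, the in-memory `USERS` and `SESSIONS` stores and the cookie attributes are assumptions.

```python
import base64, hmac, secrets
from http.cookies import SimpleCookie

# Constructed test account; a real server would verify against a password hash store.
USERS = {"tablet01": "correct horse battery staple"}
SESSIONS = {}  # session id -> username (hypothetical in-memory store)

def parse_basic(header):
    """Return (username, password) from an Authorization header, or None."""
    scheme, _, blob = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def login(headers):
    """Handle the login GET: return (status, response_headers)."""
    creds = parse_basic(headers.get("Authorization"))
    expected = USERS.get(creds[0]) if creds else None
    # compare_digest keeps the comparison time independent of where the strings differ
    if expected is None or not hmac.compare_digest(creds[1].encode(), expected.encode()):
        return 403, {}
    sid = secrets.token_urlsafe(32)  # unguessable session identifier
    SESSIONS[sid] = creds[0]
    cookie = SimpleCookie()
    cookie["SESSION"] = sid
    cookie["SESSION"]["secure"] = True    # only ever sent over HTTPS
    cookie["SESSION"]["httponly"] = True  # not readable from page scripts
    cookie["SESSION"]["path"] = "/"
    return 200, {"Set-Cookie": cookie["SESSION"].OutputString()}

def authenticated_user(headers):
    """Resolve the cookie sent on later requests to a username, or None."""
    morsel = SimpleCookie(headers.get("Cookie", "")).get("SESSION")
    return SESSIONS.get(morsel.value) if morsel else None
```

Because the Basic Authentication header is only base64-encoded, both the login URL and every later URL that carries the cookie need to be HTTPS.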
2.2 Login with OpenID Connect (Android version only)
If the channel settings specify a non-empty Token URL, the system uses the OpenID Connect Authorization Code Flow. (See the OpenID Connect specification for details.)
User Authentication
- The login URL (the “authorization endpoint” in OpenID Connect terminology) is opened in a web browser.
- The user authenticates using any method supported by the authorization server.
Authorization Code Retrieval
- After successful authentication, the authorization server redirects the browser to the specified redirect_uri.
- This redirect includes an authorization code as a URL parameter.
Access Token Request
- SIGNATUS exchanges the authorization code for an access token.
- This is done via an HTTP POST request to the configured Token URL.
- The server responds with an access token (and optionally a refresh token).
Access Token Usage
- The access token is included in the Authorization header of all subsequent API requests.
Token Renewal
- If the token response contains a refresh token, it is used to obtain a new access token.
- The refresh occurs automatically when the access token is close to expiring or has already expired.
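The five steps above as client-side logic, added here as an example and not SIGNATUS code. The parameter names are the standard OAuth 2.0 / OpenID Connect ones; the `state` check, the `Bearer` scheme, the 60-second refresh margin and all function names are assumptions.

```python
import hmac, secrets, time
from urllib.parse import parse_qs, urlencode, urlsplit

def authorization_url(login_url, client_id, redirect_uri):
    """URL to open in the browser, plus the state value to remember."""
    state = secrets.token_urlsafe(16)  # ties the later redirect to this attempt
    query = urlencode({"response_type": "code", "scope": "openid", "state": state,
                       "client_id": client_id, "redirect_uri": redirect_uri})
    return f"{login_url}?{query}", state

def code_from_redirect(redirect, expected_state):
    """Pull the authorization code out of the redirect, checking state first."""
    params = parse_qs(urlsplit(redirect).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: redirect does not belong to this login")
    if "code" not in params:
        raise ValueError("no authorization code: " + params.get("error", ["unknown"])[0])
    return params["code"][0]

def token_request(code, client_id, redirect_uri):
    """Form-encoded body of the POST that exchanges the code at the Token URL."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "client_id": client_id, "redirect_uri": redirect_uri})

def refresh_request(refresh_token, client_id):
    """Form-encoded body of the POST that renews the access token."""
    return urlencode({"grant_type": "refresh_token", "client_id": client_id,
                      "refresh_token": refresh_token})

class Tokens:
    """Token response plus the expiry bookkeeping needed for renewal."""
    def __init__(self, response, now=None):
        now = time.time() if now is None else now
        self.access_token = response["access_token"]
        self.refresh_token = response.get("refresh_token")  # optional in the response
        self.expires_at = now + response.get("expires_in", 0)

    def needs_refresh(self, now=None, skew=60):
        """True when a refresh token exists and expiry is past or within skew seconds."""
        now = time.time() if now is None else now
        return self.refresh_token is not None and now >= self.expires_at - skew

    def authorization_header(self):
        return {"Authorization": "Bearer " + self.access_token}
```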
2.3 List of documents
List is used to browse the download channel. It returns either:
- a list of documents available for download, or
- a list of folders that contain documents.
| URL | Configured in “REST list URL” setting (for the root folder) or returned in the “url” property (for a subfolder). Example: https://<host name>/<context>/rest/list/flat |
| Method | GET |
| Response | HTTP 200 OK: JSON array of objects, each object represents one document or folder. HTTP 403 Forbidden: Invalid credentials. |
The List request returns a JSON array from the server.
Based on the objects in this array, the SIGNATUS application generates a list of documents.
Each object in the JSON response includes the following properties:
| filename | name of the item to be displayed to the user |
| id | unique identification of the document (used to send acknowledgments) |
| url | link to download (for document) or to list the contents (for subfolder) |
| other | any other custom properties that will form the document metadata and will be sent back to the server when the document is uploaded after signing |
Example response showing a list of documents:
```json
[
  {
    "filename": "contract.pdf",
    "id": "123456789abcde",
    "url": "https://...?id=123456789abcde",
    "customerNamename": "custom metadata",
    "contractNumbernumber": "123456",
    "state": "tosign"
  },
  {
    "filename": "test.pdf",
    ...
  }
]
```
Example response showing a list of folders:
```json
[
  {
    "filename": "customer1_case1",
    "id": "2468abcd",
    "url": "https://...?id=2468abcd",
    "type": "F",
    "customerNamename": "customer1",
    "caseNumbernumber": "case1",
    "signedCount": 1,
    "totalCount": 2
  },
  {
    "filename": "customer1_case2",
    ...
  }
]
```
2.4 Download document
Download is triggered when the user selects a document from the list.
The SIGNATUS application then retrieves the PDF file using the URL provided in the JSON response of the List request.
| URL | Value of the “url” property from the list of documents. Example: /rest/document/<document id> |
| Method | GET |
| Response | HTTP 200 OK: Binary stream with the content of the respective document. HTTP 403 Forbidden: Unauthorized access. |
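Both the subfolder listing and the download follow a “url” value taken from a server response, and the client attaches its cookie, password or token to that request. The following added example (not SIGNATUS code) parses a List response and accepts only links that stay on the HTTPS origin of the configured list URL; host names and sample data are constructed, and treating `"type": "F"` as the folder marker is an assumption drawn from the folder example above.

```python
import json
from urllib.parse import urljoin, urlsplit

RESERVED = {"filename", "id", "url", "type"}  # everything else is document metadata
LIST_URL = "https://dms.example/ctx/rest/list/flat"  # constructed "REST list URL"
SAMPLE = json.dumps([  # constructed response mixing valid and off-origin entries
    {"filename": "contract.pdf", "id": "123456789abcde",
     "url": "/ctx/rest/document/123456789abcde", "state": "tosign"},
    {"filename": "customer1_case1", "id": "2468abcd", "type": "F",
     "url": "https://dms.example/ctx/rest/list/flat?id=2468abcd", "signedCount": 1},
    {"filename": "offsite.pdf", "id": "x1", "url": "https://files.other.example/x1"},
    {"filename": "plain.pdf", "id": "x2", "url": "http://dms.example/ctx/rest/document/x2"},
])

def same_origin_target(list_url, link):
    """Resolve link against list_url; None unless it stays on the same HTTPS origin."""
    try:
        target = urljoin(list_url, link)  # accepts absolute and relative links
        a, b = urlsplit(list_url), urlsplit(target)
        same = (b.scheme, b.hostname, b.port or 443) == ("https", a.hostname, a.port or 443)
    except ValueError:  # malformed host or port
        return None
    return target if same else None

def parse_list(body, list_url):
    """Split a List response into (documents, folders, rejected)."""
    items = json.loads(body)
    if not isinstance(items, list):
        raise ValueError("List response must be a JSON array")
    documents, folders, rejected = [], [], []
    for item in items:
        required = ("filename", "id", "url")
        if not isinstance(item, dict) or not all(isinstance(item.get(k), str) for k in required):
            rejected.append((None, "missing filename, id or url"))
            continue
        target = same_origin_target(list_url, item["url"])
        if target is None:
            # never send the cookie, password or token to another host or over HTTP
            rejected.append((item["id"], "url leaves the configured origin"))
            continue
        entry = {"filename": item["filename"], "id": item["id"], "url": target,
                 "metadata": {k: v for k, v in item.items() if k not in RESERVED}}
        (folders if item.get("type") == "F" else documents).append(entry)
    return documents, folders, rejected
```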
2.5 State acknowledgment
Acknowledge is used to notify the server about important events related to a document.
For example, after a document has been successfully downloaded to a device, the application sends an acknowledge message to the server.
This allows the server to update the document’s state (e.g., mark it as “in progress”) and prevent it from being offered for download to other users.
| URL | Configured in “REST ACK URL” setting. Example: /rest/state |
| Method | POST |
| Request body | Parameters encoded using the “multipart/form-data” encoding |
| Response | HTTP 200 OK: State change successfully processed on the server. HTTP 403 Forbidden: Unauthorized access. |
The request body parameters:
| id | identification of the document |
| state | “download” = the document has been downloaded; “open” = the document has been opened on the tablet; “cancel” = signing of the document has been cancelled |
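A server-side sketch of the acknowledge endpoint, added here as an example and not part of SIGNATUS. It decodes the multipart/form-data body, accepts only the three documented states, and checks the client-supplied id against what the caller may see before locking the document. The `holders` store, the 400 status for malformed requests and releasing the lock on “cancel” are assumptions.

```python
from email.parser import BytesParser
from email.policy import HTTP

STATES = {"download", "open", "cancel"}
CT = "multipart/form-data; boundary=XBOUNDARY"  # constructed request header
holders = {}  # document id -> user currently working on it (hypothetical store)

def sample_body(doc_id, state):
    """Constructed multipart body carrying the two documented parameters."""
    part = '--XBOUNDARY\r\nContent-Disposition: form-data; name="{}"\r\n\r\n{}\r\n'
    return (part.format("id", doc_id) + part.format("state", state)
            + "--XBOUNDARY--\r\n").encode()

def parse_form(content_type, body):
    """Decode a multipart/form-data body into {field name: text value}."""
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    msg = BytesParser(policy=HTTP).parsebytes(raw)
    if msg.get_content_type() != "multipart/form-data" or not msg.is_multipart():
        raise ValueError("expected multipart/form-data")
    return {part.get_param("name", header="content-disposition"): part.get_content().strip()
            for part in msg.iter_parts()}

def acknowledge(user, visible_ids, content_type, body):
    """Apply one acknowledgment; returns the HTTP status to send."""
    try:
        form = parse_form(content_type, body)
    except (ValueError, LookupError):
        return 400
    doc_id, state = form.get("id"), form.get("state")
    if state not in STATES or not doc_id:
        return 400  # assumption: the page lists only 200 and 403
    # the id comes from the client, so check it against what this user may see
    if doc_id not in visible_ids or holders.get(doc_id, user) != user:
        return 403
    if state == "cancel":
        holders.pop(doc_id, None)  # assumption: cancelling releases the document
    else:
        holders[doc_id] = user     # "download"/"open": keep it away from other users
    return 200

def offered_to(user, all_ids):
    """Documents the List endpoint should still offer to this user."""
    return [d for d in all_ids if holders.get(d, user) == user]
```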
