NemLog-In Signing Service

Test mode enabled: You can upload and sign a PDF directly to verify the NemLog-In integration.

Signing Flow

Get correlation ID — GET /sign?action=getcid to verify the service is running.
Initiate signing — GET /sign?action=sign with the PDF URI, forward URL, and hash. The service fetches the PDF and presents the NemLog-In signing iframe.
Signing completes — NemLog-In posts the result to POST /signing-result (handled internally).
Redirect back — The user is redirected via GET /sign?action=result (or action=cancel) to the original forward URL with the signed filename.
Download signed PDF — GET /sign?action=download to retrieve the signed document.

GET /sign?action=getcid

Health check. Returns a unique correlation ID to confirm the service is running.

curl https://sign.example.com/sign?action=getcid

{"cid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"}

GET /sign?action=sign

Initiate document signing. Fetches the PDF, generates a signing payload, and renders the NemLog-In signing iframe.

Name	Type	Description
`uri`	string	Base64-encoded URL of the PDF to sign.
`forward_url`	string	Base64-encoded URL to redirect to after signing.
`hash`	string	SHA-1 HMAC: `sha1(salt + forward_url)` for request validation.

curl "https://sign.example.com/sign?action=sign&uri=BASE64_PDF_URL&forward_url=BASE64_CALLBACK&hash=SHA1_HASH"

HTML page with the NemLog-In signing iframe (not a JSON response).

GET /sign?action=result

Called after signing completes. Redirects (302) to the forward URL stored in the session, appending the filename and action.

Name	Type	Description
`file`	string	Signed document filename (32-char hex + `.pdf`).

HTTP/1.1 302 Found
Location: https://forms.example.com/callback?file=abc123...def.pdf&action=result

action=cancel works identically but appends &action=cancel to the redirect URL.

GET /sign?action=download

Download the signed PDF. By default the file is deleted from the server after download.

Name	Type	Description
`file`	string	Signed document filename (must match `^[a-z0-9]{32}\.pdf$`).
`leave`	string	`0` = delete after download (default), `1` = keep file on server.

curl -O "https://sign.example.com/sign?action=download&file=abc123...def.pdf&leave=0"

Binary PDF stream with Content-Type: application/pdf.

POST /signing-result

Internal callback from the NemLog-In signing iframe. Not called directly by API consumers.

Name	Type	Description
`type`	string	`signedDocument`, `errorResponse`, or `cancelSign`.
`result`	string	Signed document content or error details from NemLog-In.
`name`	string	Document filename.
`format`	string	Signature format (e.g. `PAdES`).
`correlationId`	string	Correlation ID for tracing.

All errors are returned as JSON with HTTP 200:

{
  "error": true,
  "message": "Description of what went wrong",
  "code": 0
}

Hash validation — Every sign request requires a SHA-1 hash computed as sha1(salt + forward_url). The salt is configured server-side.
Domain whitelisting — Both PDF source URLs and forward URLs are validated against an allowlist of domains.
Filename validation — Download filenames must match ^[a-z0-9]{32}\.pdf$.
Session-based state — Forward URLs are stored in the HTTP session, not in client-visible cookies or parameters.