Advanced Electronic Signature (AES)
Start here
This guide presents a technical overview of our Advanced Electronic Signature solution, available for integration through Workflow Studio.
To enable Advanced Electronic Signature on your account, you will need to contact your Customer Success Manager or Account Executive. Alternatively, contact Entrust's Customer Support.
Introduction
Advanced Electronic Signature (AES) is a secure method of digital signing that ensures the integrity, authenticity and legal admissibility of electronic documents.
AES helps organisations meet numerous regulatory requirements while providing a secure and user-friendly signing experience. The combination of document verification, biometric checks, and sealed evidence files ensures a high level of trust and integrity in the signing process when compared to standard electronic signatures.
The solution is compliant with a variety of worldwide digital signature standards, including the EU's eIDAS regulation, Switzerland's ZertES and the UK's post-Brexit eIDAS regulation. These regulatory frameworks define AES based on criteria such as being uniquely linked to the signer, capable of identifying the signer and created using signature creation data under the signer's sole control.
To learn more about our AES solution, see our eIDAS AES for Customer Onboarding page.
Please note: This product guide on AES is provided for general informational purposes and does not constitute legal advice. The content herein is not a substitute for professional legal counsel. It is intended to provide a high-level overview of how the product functions from a technical and operational perspective. Customers are encouraged to consult their own legal advisors to ensure that any use of electronic signing products complies with applicable laws and meets their specific requirements.
Advanced Electronic Signature request and verification tasks
For lower assurance or low-risk documents where advanced identity verification (document + biometric) is not required, you can instead use a Simple Electronic Signature (SES) workflow. SES offers a lighter-weight signing experience and can be combined with less rigorous identity verification steps (for example, only a live selfie capture). See the Verify E-Signature (SES) task section of the Studio product guide for more details.
To combine AES with document and biometric identity verification, two dedicated AES tasks should be added to a Studio workflow in the Workflow Builder - a Request e-signature (SES/AES) task and a Verify e-signature (AES) task.
When building an AES workflow in Studio, a document to be signed by an applicant during the verification flow must be supplied as custom input data when creating a workflow run. The signing document can be provided in two ways:
- By passing a publicly accessible URL that links to the PDF document to be signed.
- By uploading a private signing document via the API and passing its
id.
To satisfy compliance regulations, it is essential that the identity of the signer be verified, meaning the workflow must also contain a Document Report and a Facial Similarity Report.
The Request e-signature (SES/AES) task controls user interaction where the applicant reviews and digitally signs the document. Once a document is signed, the signatory details, the workflow run id and the document id are added to the transaction to serve as signature evidence.
The Verify e-signature (AES) task confirms the integrity and successful completion of an AES transaction. As task inputs, it takes the transaction ID of the Request e-signature (SES/AES) task and data from the Document report and the biometric report tasks. The report task creates a sealed tamper-proof transaction receipt, that refers to the hash of the signed file, the signature placed, the signatory details, the document ID, the workflow run ID and applicant ID, and timestamps of all interactions of the signer with the file. The verification task securely stores the signed documents to ensure their integrity and confidentiality, enabling controlled access for file download and retrieval.
An example of a combination document and biometric verification with AES workflow
Supplying documents to e-signature workflows
You can supply signing documents to AES workflows either by hosting the PDF externally (URL input) or by privately uploading the document to Entrust via the Signing Documents API and referencing its id.
Option 1: External document URL
Provide a stable, publicly accessible HTTPS URL pointing to the PDF to be signed. Configure a custom workflow input (for example signing_document_url) in the Dashboard, then configure the Request e-signature (SES/AES) task to read this input. Include the signing_document_url in the custom_data object when creating the workflow run.
Option 2: Uploaded signing document (recommended for confidentiality)
Use this option when the document should not be exposed via a public URL due to confidential information stored on the document, or if multiple documents should be signed during the workflow.
Steps:
- Create the applicant who will sign the document.
- Upload the PDF using the Upload signing document endpoint.
- Capture the returned signing document
id. - Configure a custom workflow input named
signing_document_idsin the Dashboard. - Ensure the Request e-signature (SES/AES) task is configured to read from the
signing_document_idscustom input. - When creating the workflow run, include the uploaded document id:
1"custom_data": {2 "signing_document_ids": [ { "id": "<SIGNING_DOCUMENT_ID>" } ]3}
Multiple signing documents can be provided by adding more objects to the array. The Request e-signature (SES/AES) task will present each document for review and signature in sequence.
Interpreting verification results
The Verify e-signature task can return a result of clear or consider:
| Verification result | Logic |
|---|---|
| clear | The signing transaction was successfully completed. All required signing document(s) were reviewed and signed by the applicant and a sealed signature evidence receipt was generated. |
| consider | The signing transaction was not completed. For example, the applicant rejected or declined to sign, or the transaction expired. |
The clear and consider results are interpreted the same way for both Simple Electronic Signature (SES) and Advanced Electronic Signature (AES) workflows. The distinction between SES and AES lies in the level of identity verification assurance.
Retrieving the signed documents and media
Once the workflow has completed, the signed document, a signature transaction receipt and an evidence file containing additional information gathered during the workflow run can be retrieved using our API.
To obtain the relevant document IDs from the AES verification task, you'll first need to retrieve a list of all completed workflow tasks using the List Tasks endpoint. Subsequently, make a Retrieve Task call to the API using the task ID of the AES verification task, with the document IDs being returned in the output attribute of the response.
For each of the documents you wish to retrieve, make a Retrieve Advanced Electronic Signature Document call to the API using the relevant document IDs. The API returns the binary data representing the signed PDF document.
