Signer Authentication Disclaimer

To ensure that integrations adhere to eSignature best practices, we strongly recommend that integrations follow the guidance below on signer authentication. Ultimately, however, you are solely responsible for making sure that your signer/end user authentication process is sufficient and complies with any and all applicable laws and regulations. Please see our Terms of Service (and the associated Service Specific Terms here) for more information.

Review our signer authentication recommendations before adding Embedded Workflows into your website:

• Applications that have user profiles:
  • If your platform has a user profile, your users should be authenticated on your website before they may create templates, sign documents, or request signatures.
  • We also suggest that your users have previously confirmed ownership of the email address used to identify them to Dropbox Sign. In practice, verifying email ownership means that when a user signs up for an account on your website, they should receive an email containing a unique link back to your site. When followed, your application can record the action, thus verifying the user's ownership of the email address. It is also important to recheck a user’s email if it’s allowed to be changed.
• Applications that do not have user profiles:
  • If your application does not have a user profile concept, typically unique links are sent to the signer’s email address directly. The email usually includes a URL with a token that’s tied to the signer and signature request. When the signer clicks the link in the email, your app records the action, thus verifying the signer’s identity.
• In-Person signing:
  • In-Person signing is a way of verifying your signer’s identity and allowing them to sign in person. We recommend creating a documented process such as uploading a picture of a driver's license or documenting a driver license number along with the signed document.