Skip to content
Close
SEARCH
LANGUAGE – en
de
SIGN
REGISTER
en
de
SIGN
REGISTER
QUALIFIED TRUST SERVICES

Legally compliant digital signatures (eIDAS) to drive forward the digitalization of your business processes.

READ MORE
CORPORATE TRUST SERVICES

Cryptography-based trust services
to protect your digital identities,
data and business secrets.

READ MORE

Qualified electronic signature products based on eIDAS - legally binding and secure.

INDIVIDUAL
ENTERPRISE
OEM
PRODUCTS
BG_CRYPTAS_100_SQ

Easy-to-use, legally secure and flexible. Simple as that.

ONLINE SHOP
API GUIDE

Upgrade your application with electronic signatures by primesign.





SHOW ALL
DOCUMENT SIGNING API

Signing of PDF documents. primesign handles document processing and adds a visual signature stamp.

READ MORE
HASH SIGNING API

Signing of hash values. Your application handles document processing and provides the document viewer.

READ MORE
CASH BOX API

RKSV-compliant JWS- or raw signatures for cash box receipts.





DOCUMENTATION
Developer_SQ
primesign SUPPORT

Our offer regarding support & service.





OVERVIEW
CERTIFICATE REVOCATION

Suspicion of certificate misuse?





REVOKE
SERVICE STATUS

Up-to-date operational status of all primesign services.




SHOW STATUS
PREMIUM SUPPORT PORTAL

Visit our Support Portal for customers with Service Level Agreement (Premium SLA or Standard SLA).

PREMIUM SUPPORT
FAQ

Find your answers to frequently asked questions.





FAQ
BASIC SUPPORT

Support contact for general support requests.





BASIC SUPPORT
primesign TRUST CENTER

All documents for our qualified trust services, certificate revocation list, root-/CA- certificates, etc.

TRUST CENTER
RESOURCES

Fact sheets, product documentation and more.



RESOURCES
BG_ICON_ARROW_3
BG_ICON_ARROW_3

HASH SIGNING API (CSC)

Signing hash values using the CSC API.

GETTING STARTED GUIDE
primesign Hash Signing

HASH SIGNING

Provide primesign with the hash value of the data to be signed. The documents, document preparation and display of the signature remain with you. Seamless integration allows a customized incorporation into your application.

  
primesign Signature Means

SIGNATURE MEANS

Controlled via API, enabling users to sign with:

  • eID (German Identity Card, ID Austria) without prior user registration

  • primesign account: Login with e-mail address and password. Signature authorization via SMS

  
primesign CSC Compliant

CSC COMPLIANT

The Hash Signing API is compliant with the CSC specification version 1.0.4.0. User authentication takes place at the primesign IDENTITY PROVIDER using OAuth2.

CSC specification version 1.0.4.0 >
GETTING STARTED GUIDE >

  

HOW IT WORKS

Start the integration of primesign into your application today.

1
GETTING STARTED

Get an overview of our API and our solution.
DOWNLOAD GUIDE
2
INTEGRATE primesign

Development against primesign test system. Request access to the test system using the registration form.

 
REQUEST TEST ACCESS
3
GET READY TO GO LIVE!

After a successful acceptance test (see section 5.2 in the GUIDE), receive your access data for our production system.

  Acceptance test
  Signed Usage Agreement
  Access data

 
GO LIVE

SIGNING PROCESS

primesign Signing Process

FIRST IMPRESSIONS COUNT!

Our different signing options for seamless integration in your application.

  • SIGN WITH GERMAN IDENTITY CARD
  • SIGN WITH ID AUSTRIA
  • SIGN WITH PRIMESIGN ACCOUNT

SCREEN_primesign_D_PERSO_E

Users sign immediately with their existing German Identity Card.
No prior user registration with primesign required.

SCREEN_primesign_ID_AUSTRIA_E

Users sign instantly with their existing ID Austria without prior registration with primesign.

SCREEN_primesign_mobile_E

Users log in with e-mail and password and authorize the signature via SMS. Registration takes place online and immediately (24/7, registration code available in our store).

ANY QUESTIONS?

Send us your questions by e-mail to developer@prime-sign.com.

FAQs & BEST PRACTISES

Can I sign several documents in one step?

Yes, our interface offers the option of signing several hash values in one step, i.e. with one signature authorization.

You can obtain the maximum possible number of hash values by calling the credentials/info method.
Can primesign take care of the document preparation for me?

Yes. With the DOCUMENT SIGNING API, primesign takes care of the correct creation of the PDF signature, the visual preparation of the signature (stamp) and the addition of all required LTV information. Additionally, primesign can also add a qualified timestamp on request.

More information under DOCUMENT SIGNING API.
What is important when integrating primesign?
  • Ensure that the service name and the primesign logo are displayed without distortion/pixelation etc.
  • Dynamically retrieve information such as logo, name, oauth2 URL, methods, from the /info endpoint.
  • Ensure that a cancel ("Cancel" button in the primesign user interface) is handled correctly .
  • Do not integrate primesign in an iFrame .
  • Revoke the access token (from the service authorization) after signing using the API method /oauth2/revoke.
  • primesign recommends compliance with OAuth2 best practices, e.g. the use of PKCE.
  • Get an overview of the acceptance criteria for our acceptance test. These can be found in section 5.2 of the Getting Started Guide.
What is important when encoding the hash value to be signed?

Make sure to encode the hash value correctly before passing it to the API methods oauth2/authorize and /signatures/signHash.

In accordance with the CSC specification, the hash value must be Base64 URL encoded when submitted to the oauth2/authorize endpoint.

For the API method /signatures/signHash, however, the hash value must be Base64-encoded.
Which signature algorithm does primesign support?

primesign only creates ECC keys for the signature keys.

You can obtain the supported signature algorithm via the /credentials/info interface and receive the algorithm in the response under key/algo. Make sure to always use one of the supported signature algorithms for the signAlgo parameter in the API method /signatures/signHash.
Can a transaction identifier be passed tp primesign, which is included in the billing and the primesign logs (for support requests)?

primesign recommends the transfer of a transaction parameter defined by you (hereinafter referred to as clientTransactionId).

The clientTransactionId should be included in both /oauth2/authorize requests. The clientTransactionId simplifies the tracking of a signature transaction in the log file, for example for support requests, and is included in the transaction report in the invoice. The clientTransactionId is transmitted in JSON format in the clientData parameter, see Getting Started Guide.
Which characters are allowed in the clientTransactionId?

The following characters are permitted: a-z A-Z 0-9 _ @ : + . -

Maximum length of the clientTransactionId: 200 characters

If an invalid clientTransactionId is transmitted, it is ignored and not used. No error is returned as this is an optional parameter.
What is the URL for the test and production system?

The base URLs for primesign are:

Test system: https://qs.primesign-test.com
Production system: https://qs.prime-sign.com
Which redirect URIs are allowed?

The following restrictions apply to redirect URIs:

  • primesign supports simple wildcards, e.g. "https://example.com/*"
  • Regular expressions are supported but not recommended.
  • It is possible to specify redirect URIs with different domains.

Further requirements can be found in the Getting Started Guide.
What type of OAuth2 client do I need? Public or Confidential?

By default, primesign creates a confidential client for your application.

  • Confidential clients are applications that can authenticate themselves securely to the primesign IDENTITY PROVIDER.
  • Confidential clients receive a clientId and a client secret that they can store securely. This requires a backend application.

primesign also creates public clients for applications without the option of securely storing the client secret.

  • primesign creates public clients exclusively for client-side applications such as mobile app, web apps or native desktop applications without a backend server.
  • Public clients receive a clientId but no client secret.
  • Public clients must use the OAuth2 Authorization Code Flow. The use of PKCE is mandatory.
  • Applications should use the system browser for OAuth authorization.

 
How do I get a primesign account for the test system? Contact developer@prime-sign.com to obtain a limited number of registration codes for the issue of test accounts.
How to register a primesign account for the test system?

For testing signature creation with persistent primesign signing certificates, test accounts are necessary for the integrator. Each test account requires a registration code (VOUCHER CODE). A limited number of registration codes are provided by primesign for free. Inform developer@prime-sign.com how many test accounts are required.

To register a test account, visit the primesign OnBoarding Service (https://onboarding.primesign-test.com). Fill in the registration data and make sure to use a valid e-mail address and mobile phone number. For identification you can either use your eID (e.g. ID Austria/Handy-Signatur) or
use the test system of our video identification partner. When video identification is used, skip the actual video call by entering the magic TAN “123456”. After successful identification, we issue test certificates from our test hierarchy (no qualified certificates!). Only ECC keys are issued.

On request, primesign also issues accountIds for primesign ENTERPRISE ACCOUNTs within the test environment (no costs apply in the test environment).
Can a signature be executed in the course of an automatic integration test?

For signature creation with a primesign account, a password and SMS-TAN is required. However, within the test environment primesign can mark specific  accounts to work with our magic TAN123456“.

This is especially useful during development, when multiple developers share one test account and for integration tests, to allow for periodic automated testing. Contact developer@prime-sign.com to configure one of your existing test accounts to work with magic-TAN.

These test accounts with magic TAN are only available in the primesign test environment.

primesign forbids load tests with services provided by primesign (includes both test and production environment). Exceptions only with prior approval from primesign.
How to control which signature means are displayed to the user in the primesign UI?

primesign offers the option of using the parameter amr_hint to control which signature means are available in the primesign login dialog.

This parameter is transferred in the first oauth/authorize request in JSON format in the clientData parameter. Example: /oauth2/authorize?scope=service&clientData=%7B "amr_hint"%3A "eid"%7D...

The amr_hint "eid" only shows the login via eID and hides the option to log in with e-mail and password.

The amr_hint "pwd" only shows the login with e-mail and password and hides the option to sign with an existing eID.
What does "Sign with eID" mean?

Users use their existing eID (e.g. German Identity Card, ID Austria) to sign without prior registration at primesign. The signature only needs to be authorized by entering the eID access data.

Users sign with qualified certificates issued immediately and „on-the-fly“ based on current data from a valid eID. The issued certificate can only be used once for this signature.
How can I activate "Sign with eID"?

In order to use "Sign with eID", an account_token containing an accountId registered with primesign must be transmitted to primesign. This accountId is used for billing and must be issued once.

Please contact developer@prime-sign.com for the issue of an accountId.
What is important when passing the account_token?

The account_token is a JSON Web Token (JWT) that contains the accountId.

For using account_token consider:

  • An account_token must be passed in the service authorization call, when calling oauth2/authorize for the first time. The transfer of an account_token in the credential authorization is optional.
  • The account_token is a JWT consisting of header, payload and signature. The accountId is added as "sub" attribute in the JWT. See section 8.3.1 of the CSC API specification for the format of the account_token.
  • The JWT payload also includes the issuing time of the JWT. account_token are valid for 2 minutes (2 minutes from the issuing time given in "iat").
  • The JWT signature required to generate the account_token SHALL be calculated with the HMAC function, using the SHA256 hash of the client secret.
  • Public clients (e.g. desktop apps) do not have client secrets. Therefore, public clients must send unsigned account_tokens. primesign accepts unsigned account_tokens only from public clients. Confidential clients have to send signed account_tokens.
How can I sign with eIDs in the test system?

Official test identities can be used to use ID-Austria.

To use the German Identity Card in the test system, the following requirements must be met:

  • Download AusweisApp
  • Card reader or smartphone (with NFC) to read the ID card
  • The internal card simulator can be used instead of a physical German Identity Card

To activate the internal card simulator:

  1. Download AusweisApp
  2. Activate developer options: In the menu select "Help" and "Version information". Click ten times on the version information. A new "Developer options" tab will then appear in the Settings area.
  3. Activate the internal card simulator: Switch to settings in the meu and activate "Internal card simulator" in the developer options
I receive an error message during the signature with eID.

In our support area you get answers to frequently asked questions when using an eID.

primesign SERVICE STATUS

Guaranteed availability of 99.8%.
Register to receive automatic notifications about maintenance windows and updates.
VIEW STATUS

APPLICATIONS

Users can already sign with primesign here.