Dropbox Sign API
Dropbox Sign (formerly HelloSign) REST API for sending documents for electronic signature, managing templates, embedding signing flows in applications, and tracking signature status — part of the Dropbox product family with enterprise-grade eSignature features.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
HTTPS enforced. API keys provide full account access — no per-key scope restriction. OAuth2 offers limited scopes for more secure user-context integrations. Webhook HMAC-SHA256 signature verification available and should be used. SOC2 Type II certified. ESIGN and eIDAS compliance for legal validity. Recommend API key rotation and dedicated service accounts for agent use.
⚡ Reliability
Best When
An agent needs a developer-friendly eSignature API with clean documentation, embedded signing options, and straightforward template management at moderate volume.
Avoid When
You need enterprise-grade compliance features, high-volume operations, or are already using DocuSign which offers broader enterprise integrations.
Use Cases
- • Sending contracts and agreements for signature from agent-driven sales or HR workflows
- • Embedding a signing experience directly in web applications via embedded signing API
- • Creating reusable templates for NDAs, offer letters, and subscription agreements
- • Tracking signature request status and completion via webhooks or polling
- • Bulk sending signature requests to multiple signers with template field population
Not For
- • Very high signature volumes requiring enterprise concurrency (DocuSign handles this better)
- • Advanced identity verification requirements (biometric, in-person notarization)
- • Teams needing deeply integrated Salesforce or SAP workflow automation out of the box
- • Simple internal document approvals not requiring legal eSignature validity
Interface
Authentication
API key authentication for server-to-server agent use (HTTP Basic auth with API key as username, empty password). OAuth2 for user-context integrations. API keys are account-scoped with full access. Test mode uses a separate API key — always verify which mode is active. OAuth scopes available for limited access (basic_account_info, request_signature, etc.).
Pricing
Developer test mode is fully functional and free for building/testing. Production API requires a paid plan after the free tier. Priced per user/seat rather than per transaction. Good value for moderate-volume eSignature workflows.
Agent Metadata
Known Gotchas
- ⚠ Test mode and production use different API keys — confirm active mode via the account API before sending real requests
- ⚠ Signature requests in 'out_for_signature' status cannot be modified — agents must cancel and resend if document changes are needed
- ⚠ Webhook callbacks include an event_hash for verification — agents must validate HMAC-SHA256 signature using API key to prevent spoofed events
- ⚠ Template field population uses field_name keys defined at template creation time — mismatched names silently leave fields blank
- ⚠ Embedded signing requires a separate /embedded endpoint to get a time-limited sign_url — the URL expires in 30 minutes
- ⚠ PDF processing is asynchronous — a 200 response on send does not mean the document is ready; use the signature_request_sent callback
- ⚠ Rate limits are not documented and the rebrand from HelloSign to Dropbox Sign left some legacy documentation gaps
Alternatives
Full Evaluation Report
Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for Dropbox Sign API.
Scores are editorial opinions as of 2026-03-06.