A reference guide for building AI agents: every method, how to authenticate, and the permissions each one needs.
The Dropbox Sign API is how an app or AI agent works with electronic signatures: sending a document for signature, checking who has signed, reminding or canceling, and downloading the completed file. Access is granted through an API key that acts as the whole account, or an OAuth token limited to the scopes a user approved, like request_signature, which sets what a call can read or write. A change to a signature request emits a callback event that Dropbox Sign delivers to a registered URL.
How an app or AI agent connects to Dropbox Sign determines what it can reach. There is a route for making calls and a route for receiving events, and each is governed by the API key or access token behind it and the permissions that token carries.
The REST API takes form-encoded or JSON request bodies, returns JSON, and pages through lists with page and page_size parameters, at https://api.hellosign.com/v3. A call authenticates with an API key sent through HTTP Basic auth as the username, or with an OAuth 2.0 access token sent as a Bearer token.
Dropbox Sign POSTs an event payload to a callback URL when something happens to a signature request or template. A callback can be set per API app or on the account, and the receiver verifies the event_hash field, an HMAC of the event time and type keyed by the API key, to confirm the request came from Dropbox Sign.
An API key authenticates as the account that owns it and can call every method that account is entitled to. It is sent through HTTP Basic auth as the username with an empty password. The key is found in the API app settings and grants full account access, so it belongs only in server-side code.
OAuth 2.0 lets an app act on another user's behalf without holding their key. A user is redirected to https://app.hellosign.com/oauth/authorize, approves the requested scopes, and the app exchanges the returned code at https://app.hellosign.com/oauth/token for an access token. The token is sent as a Bearer token, expires after about an hour, and is renewed with the refresh_token. Available scopes differ between the app-charged and user-charged billing models.
The Dropbox Sign API is split into areas an agent can act on, like signature requests, templates, embedded signing, unclaimed drafts, the account, and the team. Each area has its own methods, and a write in some areas sends legally binding documents to real people for signature.
Methods for sending, retrieving, listing, reminding, canceling, and downloading signature requests.
Methods for working with reusable templates and the embedded template editor.
Methods that return signing and editing URLs to embed in an app's own interface.
Methods for creating draft documents that another party claims and sends or signs.
Methods for reading and updating the Dropbox Sign account, and creating new ones.
Methods for reading and changing the team and its members.
Filter by method, access, or permission, or search any path. Select a row for version detail, rate limits, the related webhook event, and the source.
| Method | Endpoint | What it does | Access | Permission | Version | |
|---|---|---|---|---|---|---|
Signature RequestsMethods for sending, retrieving, listing, reminding, canceling, and downloading signature requests.12 | ||||||
| POST | /v3/signature_request/send | Create and send a new signature request with the submitted documents to one or more signers. | write | request_signature | Current | |
OAuth scope request_signature (app-charged) or signature_request_access (user-charged). Counts as a higher-tier (document-processing) request for rate limits. Acts onsignature_request Permission (capability) request_signatureVersionAvailable since the API’s base version Webhook event signature_request_sentRate limitHigher-tier: 25 requests per minute SourceOfficial documentation ↗ | ||||||
| POST | /v3/signature_request/send_with_template | Create and send a signature request based on one or more reusable templates. | write | request_signature | Current | |
Needs request_signature plus access to the template. Counts as a higher-tier request. Acts onsignature_request Permission (capability) request_signatureVersionAvailable since the API’s base version Webhook event signature_request_sentRate limitHigher-tier: 25 requests per minute SourceOfficial documentation ↗ | ||||||
| GET | /v3/signature_request/{signature_request_id} | Retrieve a signature request by its ID, including its status and signer details. | read | request_signature | Current | |
Read-only. The same scope that sends a request also reads its status. Acts onsignature_request Permission (capability) request_signatureVersionAvailable since the API’s base version Webhook eventNone Rate limitStandard: 100 requests per minute SourceOfficial documentation ↗ | ||||||
| GET | /v3/signature_request/list | List the signature requests the account or app can access, with optional search query. | read | request_signature | Current | |
Read-only. Paginated with page and page_size query parameters. Acts onsignature_request Permission (capability) request_signatureVersionAvailable since the API’s base version Webhook eventNone Rate limitStandard: 100 requests per minute SourceOfficial documentation ↗ | ||||||
| POST | /v3/signature_request/remind/{signature_request_id} | Send an email reminder to a signer who has not yet signed the request. | write | request_signature | Current | |
A reminder cannot be sent within one hour of the last reminder to the same signer. Acts onsignature_request Permission (capability) request_signatureVersionAvailable since the API’s base version Webhook event signature_request_remindRate limitStandard: 100 requests per minute SourceOfficial documentation ↗ | ||||||
| POST | /v3/signature_request/cancel/{signature_request_id} | Cancel an incomplete signature request so it can no longer be signed. | write | request_signature | Current | |
Only works while the request is still incomplete; signers can no longer act on it. Acts onsignature_request Permission (capability) request_signatureVersionAvailable since the API’s base version Webhook event signature_request_canceledRate limitStandard: 100 requests per minute SourceOfficial documentation ↗ | ||||||
| POST | /v3/signature_request/update/{signature_request_id} | Update the email address or name of a signer on an existing, in-progress signature request. | write | request_signature | Current | |
Changes who a pending request is routed to before they sign. Acts onsignature_request Permission (capability) request_signatureVersionAvailable since the API’s base version Webhook eventNone Rate limitStandard: 100 requests per minute SourceOfficial documentation ↗ | ||||||
| POST | /v3/signature_request/release_hold/{signature_request_id} | Release a signature request that is on hold so it can proceed. | write | request_signature | Current | |
Used when a request was created on hold and is now cleared to send. Acts onsignature_request Permission (capability) request_signatureVersionAvailable since the API’s base version Webhook eventNone Rate limitStandard: 100 requests per minute SourceOfficial documentation ↗ | ||||||
| GET | /v3/signature_request/files/{signature_request_id} | Download the original or signed documents of a signature request as a PDF or ZIP. | read | request_signature | Current | |
Read-only. Wait for signature_request_all_signed before downloading completed files. Acts onsignature_request Permission (capability) request_signatureVersionAvailable since the API’s base version Webhook eventNone Rate limitHigher-tier: 25 requests per minute SourceOfficial documentation ↗ | ||||||
| POST | /v3/signature_request/create_embedded | Create a signature request to be signed inside an app through an embedded sign URL. | write | request_signature | Current | |
Pairs with the embedded sign URL method. Counts as a higher-tier request. Acts onsignature_request Permission (capability) request_signatureVersionAvailable since the API’s base version Webhook event signature_request_sentRate limitHigher-tier: 25 requests per minute SourceOfficial documentation ↗ | ||||||
| POST | /v3/signature_request/create_embedded_with_template | Create an embedded signature request from one or more templates, signed inside an app. | write | request_signature | Current | |
Needs request_signature plus access to the template. Counts as a higher-tier request. Acts onsignature_request Permission (capability) request_signatureVersionAvailable since the API’s base version Webhook event signature_request_sentRate limitHigher-tier: 25 requests per minute SourceOfficial documentation ↗ | ||||||
| POST | /v3/signature_request/bulk_send_with_template | Send the same template to many signers at once in a single bulk operation. | write | request_signature | Current | |
Sends a legally binding document to a list of recipients in one call. Counts as a higher-tier request. Acts onbulk_send_job Permission (capability) request_signatureVersionAvailable since the API’s base version Webhook eventNone Rate limitHigher-tier: 25 requests per minute SourceOfficial documentation ↗ | ||||||
TemplatesMethods for working with reusable templates and the embedded template editor.5 | ||||||
| GET | /v3/template/{template_id} | Retrieve a template by its ID, including its fields, roles, and documents. | read | request_signature | Current | |
Read-only. Under the user-charged model this needs template_access. Acts ontemplate Permission (capability) request_signatureVersionAvailable since the API’s base version Webhook eventNone Rate limitStandard: 100 requests per minute SourceOfficial documentation ↗ | ||||||
| GET | /v3/template/list | List the templates the account can access. | read | request_signature | Current | |
Read-only. Under the user-charged model this needs template_access. Paginated. Acts ontemplate Permission (capability) request_signatureVersionAvailable since the API’s base version Webhook eventNone Rate limitStandard: 100 requests per minute SourceOfficial documentation ↗ | ||||||
| POST | /v3/template/create_embedded_draft | Create a draft template that can be edited inside an app through an embedded editor URL. | write | request_signature | Current | |
Under the user-charged model this needs template_access. Counts as a higher-tier request. Acts ontemplate Permission (capability) request_signatureVersionAvailable since the API’s base version Webhook event template_createdRate limitHigher-tier: 25 requests per minute SourceOfficial documentation ↗ | ||||||
| POST | /v3/template/delete/{template_id} | Delete a template the account owns. | write | request_signature | Current | |
Irreversible. Under the user-charged model this needs template_access. Acts ontemplate Permission (capability) request_signatureVersionAvailable since the API’s base version Webhook eventNone Rate limitStandard: 100 requests per minute SourceOfficial documentation ↗ | ||||||
| POST | /v3/template/add_user/{template_id} | Give another account or team member access to a template. | write | request_signature | Current | |
Widens who can send from the template. Under the user-charged model this needs template_access. Acts ontemplate Permission (capability) request_signatureVersionAvailable since the API’s base version Webhook eventNone Rate limitStandard: 100 requests per minute SourceOfficial documentation ↗ | ||||||
Embedded signingMethods that return signing and editing URLs to embed in an app's own interface.2 | ||||||
| GET | /v3/embedded/sign_url/{signature_id} | Retrieve an embedded object containing a signing URL that can be opened in an iFrame. | read | request_signature | Current | |
The signature_id comes from a signer on an embedded signature request. The URL expires. Acts onembedded Permission (capability) request_signatureVersionAvailable since the API’s base version Webhook eventNone Rate limitStandard: 100 requests per minute SourceOfficial documentation ↗ | ||||||
| POST | /v3/embedded/edit_url/{template_id} | Retrieve an embedded object containing a template editing URL that can be opened in an iFrame. | write | request_signature | Current | |
Opens a template for editing inside an app. Under the user-charged model this needs template_access. Acts onembedded Permission (capability) request_signatureVersionAvailable since the API’s base version Webhook eventNone Rate limitStandard: 100 requests per minute SourceOfficial documentation ↗ | ||||||
Unclaimed draftsMethods for creating draft documents that another party claims and sends or signs.2 | ||||||
| POST | /v3/unclaimed_draft/create | Create an unclaimed draft, a document another party claims and sends for signature. | write | request_signature | Current | |
Returns a claim URL. Counts as a higher-tier request. Acts onunclaimed_draft Permission (capability) request_signatureVersionAvailable since the API’s base version Webhook eventNone Rate limitHigher-tier: 25 requests per minute SourceOfficial documentation ↗ | ||||||
| POST | /v3/unclaimed_draft/create_embedded | Create an unclaimed draft to be edited and sent from inside an app through an embedded URL. | write | request_signature | Current | |
Pairs with the embedded edit URL. Counts as a higher-tier request. Acts onunclaimed_draft Permission (capability) request_signatureVersionAvailable since the API’s base version Webhook eventNone Rate limitHigher-tier: 25 requests per minute SourceOfficial documentation ↗ | ||||||
AccountMethods for reading and updating the Dropbox Sign account, and creating new ones.3 | ||||||
| GET | /v3/account | Retrieve the account associated with the authenticated key or token. | read | basic_account_info | Current | |
OAuth scope basic_account_info (app-charged) or account_access (user-charged). Returns email and name. Acts onaccount Permission (capability) basic_account_infoVersionAvailable since the API’s base version Webhook eventNone Rate limitStandard: 100 requests per minute SourceOfficial documentation ↗ | ||||||
| PUT | /v3/account | Update the authenticated account, such as its callback URL. | write | basic_account_info | Current | |
Under the user-charged model this needs account_access. Sets the account-level callback URL. Acts onaccount Permission (capability) basic_account_infoVersionAvailable since the API’s base version Webhook event account_callback_testRate limitStandard: 100 requests per minute SourceOfficial documentation ↗ | ||||||
| POST | /v3/account/create | Create a new Dropbox Sign account on behalf of a user. | write | — | Current | |
Authenticated with the app's own API key, not an OAuth scope; used to onboard new users. Acts onaccount Permission (capability)None required VersionAvailable since the API’s base version Webhook event account_confirmedRate limitStandard: 100 requests per minute SourceOfficial documentation ↗ | ||||||
TeamMethods for reading and changing the team and its members.3 | ||||||
| GET | /v3/team | Retrieve the team associated with the authenticated account, including its members. | read | team_access | Current | |
OAuth scope team_access is available only under the user-charged billing model. Acts onteam Permission (capability) team_accessVersionAvailable since the API’s base version Webhook eventNone Rate limitStandard: 100 requests per minute SourceOfficial documentation ↗ | ||||||
| PUT | /v3/team/add_member | Add or invite a member to the team by email address or account ID. | write | team_access | Current | |
Changes team membership. team_access is available only under the user-charged model. Acts onteam Permission (capability) team_accessVersionAvailable since the API’s base version Webhook eventNone Rate limitStandard: 100 requests per minute SourceOfficial documentation ↗ | ||||||
| POST | /v3/team/remove_member | Remove a member from the team. | write | team_access | Current | |
Removes a member's access to the team. team_access is user-charged only. Acts onteam Permission (capability) team_accessVersionAvailable since the API’s base version Webhook eventNone Rate limitStandard: 100 requests per minute SourceOfficial documentation ↗ | ||||||
Dropbox Sign can notify an app when something happens to a signature request, like a signer viewing it, signing it, or every signer completing it. It POSTs an event payload to a callback URL registered on the app or the account, so an integration learns about activity without polling.
| Event | What it signals | Triggered by |
|---|---|---|
signature_request_sent | A signature request was sent successfully and its documents have finished processing. | /v3/signature_request/send/v3/signature_request/send_with_template/v3/signature_request/create_embedded/v3/signature_request/create_embedded_with_template |
signature_request_viewed | A signer opened and viewed the signature request. | In-app only |
signature_request_signed | A single signer completed all required fields. With several signers this fires once per signer. | In-app only |
signature_request_all_signed | Every signer completed all required fields. The completed document is now ready. | In-app only |
signature_request_downloadable | An updated, final version of the signed PDF is available for download. | In-app only |
signature_request_declined | A signer declined to sign the request. | In-app only |
signature_request_remind | A reminder to complete the request was sent to the signers. | /v3/signature_request/remind/{signature_request_id} |
signature_request_canceled | The signature request was canceled and can no longer be signed. | /v3/signature_request/cancel/{signature_request_id} |
signature_request_email_bounce | An email to one of the signers bounced and could not be delivered. | In-app only |
template_created | A template was created, for example after an embedded template draft was finished. | /v3/template/create_embedded_draft |
account_confirmed | A Dropbox Sign account created through the app was confirmed by its owner. | /v3/account/create |
callback_test | A test event Dropbox Sign sends to confirm a newly set callback URL is reachable. | /v3/account |
Dropbox Sign limits how fast an app can call, by a per-minute request rate that is lower for document-heavy methods and lower still in test mode.
Dropbox Sign meters requests by a per-minute rate at the account level, and every GET, POST, PUT, or DELETE counts as one request. Standard methods allow 100 requests per minute, while higher-tier methods that process documents, like sending a signature request, creating an embedded request, downloading files, or creating an unclaimed draft, allow 25 per minute. Test mode is capped at 10 per minute. Going over returns HTTP 429 with a message naming the limit that was hit. Higher limits can be arranged with Dropbox Sign on a case-by-case basis.
A list endpoint is page-based. The page parameter selects the page and page_size sets how many results it returns, and the response includes a list_info object with the current page, page_size, num_pages, and num_results so a caller knows how many pages remain.
A signature request can include multiple documents up to the account's file-size and page limits, and bulk send distributes one template to many signers in a single job. Files can be supplied as uploads, by remote URL, or by data URI.
The status codes an agent should handle, and what to do about each.
| Status | Code | Meaning | What to do |
|---|---|---|---|
| 400 | bad_request | The request was malformed or missing a required parameter. | Read the error name and message in the response, fix the parameters, and resend. |
| 401 | unauthorized | No valid API key or access token was provided. | Send a valid API key as the HTTP Basic username, or a valid Bearer access token, and rotate it if it leaked. |
| 403 | forbidden | The key or token is valid but lacks permission for this request, for example a missing OAuth scope or a plan that does not include the feature. | Grant the needed scope, or use a key on an account whose plan includes the feature. |
| 404 | not_found | The requested object does not exist, or is not visible to this account. | Verify the ID and confirm the account has access to the object. |
| 409 | conflict | The request conflicts with the object's current state, for example reminding a signer twice within an hour. | Check the object's state and retry once the conflicting condition has cleared. |
| 429 | exceeded_rate | Too many requests were sent in the time window. The body notes the per-hour or per-minute limit that was hit. | Back off and retry with exponential backoff, and smooth the request rate. |
| 500 | internal_error | An error occurred on the Dropbox Sign side. It is rare. | Retry with backoff, and contact Dropbox Sign support if it persists. |
Dropbox Sign serves one stable major version of its API and ships dated, backward-compatible changes through its changelog rather than minting a new version string for each one.
Dropbox Sign serves one stable major version, v3, in the request path. Rather than minting a new version string for each change, it ships backward-compatible additions and fixes that surface in dated SDK releases, so an integration on v3 keeps working as the API evolves.
A backward-compatible SDK release tracking the latest v3 additions.
Adds support for 2025 API additions, including the ability to edit a signature request after it has been sent.
Brings fax send and receive into the same SDKs used for eSignature.
A backward-compatible SDK release against the v3 API.
The API is on its third major version and changes are tracked by date in the changelog.
Dropbox Sign API changelog ↗Bollard AI sits between a team's AI agents and Dropbox Sign. Grant each agent exactly the access it needs, read or write, action by action, and every call is checked and logged.