---
title: "Integrate digital signatures"
canonical_url: "https://www.nutrient.io/guides/document-engine/signatures/integrations/globalsign/"
md_url: "https://www.nutrient.io/guides/document-engine/signatures/integrations/globalsign.md"
last_updated: "2026-05-14T16:53:43.816Z"
description: "Learn how to integrate GlobalSign’s Digital Signing Service (DSS) with Nutrient Document Engine for trusted digital signatures."
---

This guide explains how to integrate Nutrient Document Engine with [GlobalSign’s Digital Signing Service (DSS)](https://www.globalsign.com/en/digital-signing-service) for digital signatures.

**Simplify eSignatures**

Unless you need a qualified electronic signature, Nutrient offers a powerful signing API.

[Read more](https://www.nutrient.io/api/signing-api/)

**View example**

Prefer to jump straight into code? View the example repo on GitHub.

[Read more](https://github.com/PSPDFKit/pspdfkit-web-signing-service-example)

GlobalSign DSS is a cloud-based solution that enables organizations to deploy trusted digital signatures, without the need for hardware security modules (HSMs) or USB tokens. As a Qualified Trust Service Provider (QTSP), GlobalSign is part of the [Adobe Approved Trust List (AATL)](https://helpx.adobe.com/acrobat/kb/approved-trust-list1.html) and provides PKI-based digital signatures that meet eIDAS regulations in Europe, along with various US regulations.

## Prerequisites

Before starting the integration, you’ll need:

1. A Nutrient Document Engine license with digital signature support.

2. GlobalSign DSS credentials:
   - API key
   - API secret
   - TLS certificate chain (in PEM format)
   - TLS certificate private key (in PEM format)

> [Contact Sales](https://www.nutrient.io/contact-sales/) to obtain GlobalSign DSS credentials. We’ll help streamline the process of getting your organization vetted by GlobalSign, which is required for obtaining a digital signing certificate.

## Architecture overview

Follow our [sign a PDF document](https://www.nutrient.io/guides/document-engine/signatures/signature-lifecycle/sign-a-pdf-document.md) guide for the basic setup. Then make the adjustments in the following sections to use GlobalSign DSS as your signing provider.

## Implementation

Set up your GlobalSign DSS credentials in your signing service:

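```bash
# GlobalSign DSS credentials.
# Quote every value: an unquoted <...> is parsed by the shell as a redirection,
# and the PEM certificate chain and private key span multiple lines.
export GLOBALSIGN_API_KEY='<your-api-key>'
export GLOBALSIGN_API_SECRET='<your-api-secret>'
export GLOBALSIGN_TLS_CERT='<your-tls-certificate-chain>'
export GLOBALSIGN_TLS_KEY='<your-tls-certificate-private-key>'
```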
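
A preflight check for the credentials step above, as an added example that is not Nutrient's or GlobalSign's code: it confirms the four variables are set, that the PEM values sit in the right variables, and, when `openssl` is installed, that the certificate and private key belong together. The function names and the choice of checks are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not Nutrient or GlobalSign code. It reads the four variables
# exported above; which checks to run is this example's own assumption.

problems=0
report() { echo "globalsign preflight: $1" >&2; problems=$((problems + 1)); }

# Flag a variable that is empty or still holds a <placeholder> from the guide.
check_set() { # $1 = variable name, $2 = its value (never printed)
  case "$2" in
    '')      report "$1 is not set" ;;
    '<'*'>') report "$1 still holds a placeholder" ;;
  esac
}

# True when the first certificate in $1 and the private key in $2 share a
# public key. Assumes the leaf comes first and the key is unencrypted.
cert_matches_key() {
  cert_pub=$(printf '%s\n' "$1" | openssl x509 -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(printf '%s\n' "$2" | openssl pkey -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns the number of problems (0 = ready); one stderr line per problem.
check_globalsign_env() {
  problems=0
  check_set GLOBALSIGN_API_KEY    "${GLOBALSIGN_API_KEY:-}"
  check_set GLOBALSIGN_API_SECRET "${GLOBALSIGN_API_SECRET:-}"
  check_set GLOBALSIGN_TLS_CERT   "${GLOBALSIGN_TLS_CERT:-}"
  check_set GLOBALSIGN_TLS_KEY    "${GLOBALSIGN_TLS_KEY:-}"
  [ "$problems" -eq 0 ] || return "$problems"

  case "$GLOBALSIGN_TLS_CERT" in
    *'PRIVATE KEY-----'*) report "GLOBALSIGN_TLS_CERT contains a private key" ;;
    *'-----BEGIN CERTIFICATE-----'*) ;;
    *) report "GLOBALSIGN_TLS_CERT has no PEM certificate" ;;
  esac
  case "$GLOBALSIGN_TLS_KEY" in
    *'PRIVATE KEY-----'*) ;;
    *) report "GLOBALSIGN_TLS_KEY has no PEM private key" ;;
  esac
  [ "$problems" -eq 0 ] || return "$problems"

  if command -v openssl >/dev/null 2>&1; then
    cert_matches_key "$GLOBALSIGN_TLS_CERT" "$GLOBALSIGN_TLS_KEY" ||
      report "TLS certificate and private key do not match"
  fi
  return "$problems"
}
```

Call `check_globalsign_env || exit 1` in the signing service's start-up script so that a missing or mismatched credential stops the service before the first signing request.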

### Sign documents

To sign a document with GlobalSign DSS, use the following request format:

```bash
# signingToken is itself a JSON document, passed as an escaped string.
# signatureType "cades" and cadesLevel "b-lt" are both required with GlobalSign DSS.
curl -X 'POST' 'http://localhost:5000/api/documents/my-document-id/sign' \
  -H 'Accept: application/json' \
  -H 'Authorization: Token token="secret"' \
  -H 'Content-Type: application/json' \
  -d '{
    "signatureType": "cades",
    "signatureContainer": "raw",
    "cadesLevel": "b-lt",
    "signingToken": "{\"signMethod\": \"globalsign\"}",
    "signatureMetadata": {
      "signerName": "John Doe",
      "signatureReason": "Approval",
      "signatureLocation": "Vienna"
    }
  }'
```

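> For security purposes, GlobalSign DSS certificates expire after 10 minutes. To ensure your signed documents remain valid indefinitely, you must use both `signatureType: "cades"` and `cadesLevel: "b-lt"` in your signing requests. The B-LT level embeds the validation data needed to verify the signature after the signing certificate has expired.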

## Security considerations

1. **Credential security**
   - Store GlobalSign credentials securely.
   - Never expose credentials in client-side code.
   - Use environment variables or a secure key management service.

2. **Network security**
   - Use HTTPS for all communications.
   - Restrict access to your signing service.
   - Configure appropriate firewalls and network policies.
---

## Related pages

- [Integrate digital signatures](/guides/document-engine/signatures/integrations/overview.md)
- [Path to the CloudHSM PKCS#11 library.](/guides/document-engine/signatures/integrations/aws-hsm.md)

