Iframe token

The iframe token is a one-time credential that authorizes loading the Subnoto signing UI for a specific envelope and signer. It has the prefix sit. and expires after 1 hour.

Call the API from your backend (never from the browser, so you do not expose your API keys). The endpoint is team-authenticated.

Request: POST /public/authentication/create-iframe-token

Body:

  • workspaceUuid (string) - The workspace that owns the envelope
  • envelopeUuid (string) - The envelope the signer will open
  • signerEmail (string) - Email of the recipient; must match a recipient on the envelope

Response: { iframeToken: string }

Example with the TypeScript SDK:

const { data, error } = await client.POST("/public/authentication/create-iframe-token", {
    body: {
        workspaceUuid,
        envelopeUuid,
        // Placeholder address; must match a recipient on the envelope
        signerEmail: "signer@example.com"
    }
});
if (error || !data?.iframeToken) {
    // handle error
    return;
}
// Pass data.iframeToken to your frontend

Build the embed URL and pass it to your frontend. The path is /embeds/sign and the token goes in the hash:

  • {embedBaseUrl}/embeds/sign#t={iframeToken}

If you omit the t= prefix, the embed also accepts #${iframeToken}. The default embed base URL is https://app.subnoto.com unless you use a custom embed domain.

Your frontend then either renders an iframe with this URL or uses a framework component that accepts the token (and optional host).

Create the token only on the server. Do not send your API access key or secret to the client. The token is scoped to one envelope and one signer and expires after 1 hour. After the embed loads, it is exchanged for session context; treat it as single-use.
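
One way to build the embed URL on the server under the rules above, as an added example that is not Subnoto's own code. The helper names are hypothetical, and the URL-safe character check is an assumption about the token format.

```typescript
// Added example: hypothetical helpers, not part of the Subnoto SDK.
const DEFAULT_EMBED_BASE_URL = "https://app.subnoto.com"; // default stated above
const TOKEN_PREFIX = "sit.";                              // iframe token prefix
const TOKEN_TTL_MS = 60 * 60 * 1000;                      // tokens expire after 1 hour

// Build {embedBaseUrl}/embeds/sign#t={iframeToken}, refusing anything that is
// not an iframe token so an API key or secret is never shipped to the browser.
function buildSignEmbedUrl(
    iframeToken: string,
    embedBaseUrl: string = DEFAULT_EMBED_BASE_URL
): string {
    if (!iframeToken.startsWith(TOKEN_PREFIX) || iframeToken.length === TOKEN_PREFIX.length) {
        throw new Error("refusing to embed: value does not look like an iframe token");
    }
    // Assumption: tokens use URL-safe characters only; reject anything else
    // rather than let it alter the structure of the URL.
    if (!/^[A-Za-z0-9._~-]+$/.test(iframeToken)) {
        throw new Error("refusing to embed: unexpected characters in token");
    }
    const base = new URL(embedBaseUrl); // throws on a malformed base URL
    if (base.protocol !== "https:" || base.username || base.search || base.hash) {
        throw new Error("embed base URL must be a plain https:// URL");
    }
    const prefix = base.origin + base.pathname.replace(/\/+$/, "");
    // The token goes in the fragment, which browsers do not send in the HTTP request.
    return `${prefix}/embeds/sign#t=${iframeToken}`;
}

// True once a token issued at issuedAtMs is past its 1-hour lifetime.
function isTokenExpired(issuedAtMs: number, nowMs: number = Date.now()): boolean {
    return nowMs - issuedAtMs >= TOKEN_TTL_MS;
}

// Drop the fragment before logging so the token never lands in server logs.
function redactEmbedUrl(embedUrl: string): string {
    const url = new URL(embedUrl);
    url.hash = "";
    return url.href;
}
```

Record the issue time when you create the token and request a fresh one instead of reusing a URL once isTokenExpired returns true or the embed has already loaded.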