
Create an e-sign iframe builder session

POST /esign/documents/{envelope_id}/iframe-session/
Create a strong one-off iframe builder session for a draft e-sign document. The request body is empty. The response returns iframe_url, session_key, iframe_session_id, document_id, and expires_at; this iframe-session creation response does not expose the agency iframe allowlist, brand payload, allowed_origin, or redirect_url.
Before this endpoint can be used, RealAML must have iframe domains configured for the agency in Django admin under the agency branding settings (brand_iframe_allowed_urls). The session can only be created for a draft document and expires after 60 minutes.
Embed flow:
1. Create or fetch a draft document. For scratch drafts, call POST /documents/ with no template_id. For template drafts, call POST /documents/ with template_id and optional recipient role overrides.
2. Call this endpoint and place the returned iframe_url in an iframe in the partner application. Do not append session_key to the iframe URL.
3. When the iframe loads, it posts realaml.esign.ready to the parent window. The parent must verify the iframe origin and source, then send { type: "realaml.esign.session_key", session_key } to the iframe using postMessage with the exact RealAML app origin as targetOrigin.
4. The iframe exchanges the one-off session_key and the parent message origin for an iframe-scoped bearer token. RealAML validates that parent origin against the agency admin iframe domain allowlist.
5. The one-off key can be exchanged once. The resulting iframe token is scoped to this document, this agency, and the original user. It cannot be used for recipient mode and cannot access other documents.
6. Inside the iframe, the user can edit document metadata, apply a template to an empty draft, upload/remove files, manage recipients, place PDF fields, and send the document.
7. After a successful send, the iframe shows a document-sent message and posts realaml.esign.document_sent to the parent window. Event payload: document_id, status, sent_at, and iframe_session_id.
8. If the iframe session expires before completion, the iframe posts realaml.esign.session_expired to the parent window. Event payload can include document_id, iframe_session_id, expires_at, and message when known.
Use GET /documents/{envelope_id}/ or configured webhooks/callbacks for terminal completion state; the iframe send event only means sending was accepted and recipient notification processing started.
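The parent-window side of steps 2, 3, 7 and 8, as an added example that is not RealAML's own code. Assumptions: iframe events arrive as objects of the form { type, ...payload }, the RealAML app origin is pinned in partner configuration (PINNED_ORIGIN is a constructed placeholder), and createParentHandler is a hypothetical helper name.

```javascript
// Added example (not RealAML code). Assumed: event.data is { type, ...payload }.
const PINNED_ORIGIN = "https://app.realaml.example"; // constructed placeholder

// session: the 201 response body of the iframe-session endpoint.
// iframeWindow: iframe.contentWindow of the element whose src is session.iframe_url.
function createParentHandler({ session, iframeWindow, pinnedOrigin, onSent, onExpired }) {
  // Fail closed if iframe_url is not on the origin we pinned in configuration.
  if (new URL(session.iframe_url).origin !== pinnedOrigin) {
    throw new Error("iframe_url origin does not match the pinned RealAML origin");
  }
  let keySent = false; // the one-off key is handed over at most once

  return function handleMessage(event) {
    // Origin alone would accept any other window on that origin; source alone
    // would accept the frame after it navigated elsewhere. Require both.
    if (event.origin !== pinnedOrigin || event.source !== iframeWindow) return "ignored";
    const data = event.data;
    if (!data || typeof data !== "object") return "ignored";
    // Ignore events that name a different iframe session.
    if (data.iframe_session_id && data.iframe_session_id !== session.iframe_session_id) {
      return "ignored";
    }
    switch (data.type) {
      case "realaml.esign.ready":
        if (keySent) return "ignored";
        keySent = true;
        // Exact targetOrigin, never "*": the key must not reach another origin.
        iframeWindow.postMessage(
          { type: "realaml.esign.session_key", session_key: session.session_key },
          pinnedOrigin
        );
        return "key_sent";
      case "realaml.esign.document_sent":
        onSent(data); // sending accepted only; poll GET or use webhooks for completion
        return "sent";
      case "realaml.esign.session_expired":
        onExpired(data);
        return "expired";
      default:
        return "ignored";
    }
  };
}

// Browser wiring: window.addEventListener("message", createParentHandler({...}));
```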

Request

Authorization
API Key: add the parameter Authorization in the header.
Example:
Authorization: ********************
Path Params

Responses

201 (application/json): Iframe builder session created.
400 BadRequest
403 Forbidden
404 NotFound
500 UnknownError
Request Example
curl --location --request POST '<base-url>/esign/documents/<envelope_id>/iframe-session/' \
--header 'Authorization: <api-key>'
Response Example
201 - Example 1
{
    "iframe_session_id": "dcdee395-4335-45c8-ae30-12a2738d2982",
    "document_id": "b792e8ae-2cb4-4209-85b9-32be4c2fcdd6",
    "iframe_url": "http://example.com",
    "session_key": "string",
    "expires_at": "2019-08-24T14:15:22.123Z"
}