Electronic Signatures

Copy page

OTP Verification & Proof

Deep dive into the OTP validation flow, proof certificate format, and eIDAS compliance details.

OTP flow

Each signer goes through this sequence:

Code
 
1. Initiate  →  System sends OTP via SMS to signer's phone
2. Validate  →  Signer enters 6-digit OTP code
3. Sign      →  Signer draws their signature on the document
4. Complete  →  Signature embedded in PDF with certificate

OTP rules

Parameter	Value
OTP length	6 digits
Validity	5 minutes from sending
Max attempts	3 per OTP
Resend cooldown	60 seconds
Delivery	SMS to signer's registered mobile phone

Validate an OTP

The signer's application calls:

Code
 
curl -X POST https://api.faireplace.com/api/leases/{lease_id}/signature/validate-otp \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "signer_email": "[email protected]",
    "otp_code": "482916"
  }'

Code
 
{
  "status": "Validated",
  "signer": {
    "name": "Marie Martin",
    "type": "Locataire",
    "status": "Signing"
  },
  "expires_at": "2026-02-20T14:35:00Z"
}

Resend an OTP

If the OTP expires or the signer didn't receive it:

Code
 
curl -X POST https://api.faireplace.com/api/leases/{lease_id}/signature/resend-otp \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"signer_email": "[email protected]"}'

The previous OTP is invalidated when a new one is sent.

OTP error handling

Wrong OTP code

Code
 
{
  "error": {
    "code": 422,
    "type": "VALIDATION_ERROR",
    "message": "Invalid OTP code",
    "details": {
      "attempts_remaining": 2,
      "expires_at": "2026-02-20T14:35:00Z"
    }
  }
}

OTP expired

Code
 
{
  "error": {
    "code": 422,
    "type": "OTP_EXPIRED",
    "message": "OTP has expired. Request a new one.",
    "details": {
      "expired_at": "2026-02-20T14:35:00Z"
    }
  }
}

Max attempts exceeded

After 3 failed attempts, the signer's OTP is locked. A new OTP must be sent:

Code
 
{
  "error": {
    "code": 429,
    "type": "OTP_LOCKED",
    "message": "Maximum OTP attempts reached. Request a new OTP.",
    "details": {
      "locked_until": "2026-02-20T14:40:00Z"
    }
  }
}

Proof certificate

After all signers complete, FairePlace generates a proof certificate — a JSON document that provides a legally admissible record of the signing process.

Retrieve the proof

Code
 
curl https://api.faireplace.com/api/leases/{lease_id}/signature/proof \
  -H "Authorization: Bearer $TOKEN"

Proof format

Code
 
{
  "signature_id": "sig-78901234-abcd-ef12-3456-7890abcdef56",
  "version": "1.0",
  "document": {
    "name": "BAIL-2026-001.pdf",
    "hash_sha256": "a1b2c3d4e5f6789012345678abcdef0123456789abcdef0123456789abcdef01",
    "hash_algorithm": "SHA-256",
    "pages": 12,
    "size_bytes": 245760
  },
  "signers": [
    {
      "order": 1,
      "type": "Proprietaire",
      "name": "Jean Dupont",
      "email": "[email protected]",
      "phone_last4": "5678",
      "otp_sent_at": "2026-02-19T14:29:00Z",
      "otp_validated_at": "2026-02-19T14:29:50Z",
      "signed_at": "2026-02-19T14:30:00Z",
      "ip_address": "92.184.xxx.xxx",
      "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...",
      "geolocation": "Paris, France"
    },
    {
      "order": 2,
      "type": "Locataire",
      "name": "Marie Martin",
      "email": "[email protected]",
      "phone_last4": "5432",
      "otp_sent_at": "2026-02-19T16:44:00Z",
      "otp_validated_at": "2026-02-19T16:44:50Z",
      "signed_at": "2026-02-19T16:45:00Z",
      "ip_address": "86.247.xxx.xxx",
      "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0)...",
      "geolocation": "Lyon, France"
    }
  ],
  "certificate": {
    "authority": "Certinomis",
    "level": "Advanced Electronic Signature",
    "regulation": "eIDAS",
    "format": "PAdES-B",
    "timestamp_authority": "Certinomis TSA",
    "certificate_serial": "1234567890ABCDEF"
  },
  "integrity": {
    "signed_document_hash": "f0e1d2c3b4a5968778695a4b3c2d1e0f...",
    "proof_hash": "0f1e2d3c4b5a69788796a5b4c3d2e1f0...",
    "timestamp": "2026-02-19T16:45:01Z"
  },
  "completed_at": "2026-02-19T16:45:00Z"
}

Proof fields explained

Section	Purpose
document	SHA-256 hash of the original document — proves the signed document matches
signers	Audit trail for each signer: when OTP was sent, validated, and when they signed
certificate	Certificate authority details and eIDAS compliance level
integrity	Hash chain linking the document, signatures, and proof together

eIDAS compliance

FairePlace signatures meet the Advanced Electronic Signature (AdES) level under EU Regulation 910/2014 (eIDAS):

eIDAS Requirement	FairePlace Implementation
Uniquely linked to signer	OTP sent to signer's personal mobile phone
Identifies the signer	Identity verified via email + phone number
Under sole control of signer	OTP valid 5 minutes, 3 attempts max, single-use
Detects subsequent changes	PAdES-B with SHA-256 hash — any modification breaks the seal
Qualified certificate	Certinomis (ANSSI-qualified trust service provider)
Qualified timestamp	Certinomis TSA (RFC 3161 compliant)

Legal validity in France

Under French law (Article 1367 of the Civil Code), an electronic signature has the same legal force as a handwritten signature when it meets:

1. A reliable identification process
2. A link between the signature and the document

FairePlace's Advanced Electronic Signature satisfies both requirements through OTP verification and PAdES-B certificate embedding.

Troubleshooting

Signer didn't receive the SMS

1. Verify the phone number is in international format (e.g., +33612345678)
2. Check that the number is a mobile phone (landlines cannot receive SMS)
3. Wait 60 seconds and resend the OTP
4. If the issue persists, verify the signer's phone is not in "Do Not Disturb" mode

Signature expired

Signatures expire after 14 days by default. If expired:

1. Cancel the expired signature
2. Generate a new PDF (if lease data changed)
3. Initiate a new signature process

Proof not available

The proof certificate is only generated after all signers complete. Check GET /leases/{id}/signature/status to verify the overall status is Completed.

---

Related

• Electronic Signatures — Full signature workflow
• Lease Workflow — End-to-end tutorial
• Payments & Credits — Purchase signature credits