Embed 2.0 API

Last update: Oct 07, 2025.

data-slots=text

The Acrobat Sign Embed 2.0 frictionless model release exposes new APIs for streamlining account management as well as creating and validating new user tokens. Embed 2.0 provides the following benefits:

• Seamless onboarding of new customers via the API
• Partner ownership of all aspects of their end-customer relationship. End customers are not known to Adobe
• Access to the Adobe Admin Console, Global Admin Console, and Developer Console
• Support ticket access via the Admin Console
• The ability to add, remove, and fully manage end-users independently from Adobe
• Eliminates provisioning conflicts

Adobe provisions Embed 2.0 customers with access to both the Global and Admin Consoles so they can:

• Use the consoles for managing all licensed Adobe products.
• Create and assign roles for partner's users (e.g. developers; not customers).
• Set up Federated directory and define Identity Provider (IdP).
• Claim domains (e.g. 'oempartner.com') for use with all customers (e.g. bob.smith_joesbikeshop@oempartner.com)

data-slots=text

As described in the onboarding guide, creating a technical account involves these high level steps in the Developer Console:

1. Create a token for creating a new customer organization within Acrobat Sign.
2. Use your token for creating new users. Repeat as necessary.
3. Use the the technical account token in the Adobe Developer Portal, and generate a cURL to create an endpoint such as:

[https://ims-na1-stg1.adobelogin.com/ims/token/v2?grant_type=client_credentials&
client_id=xxxxxxxxxxxx&
client_secret=xxxxxxxxxx&scope=sign_webhook_retention,openid,widget_write,workflow_read,agreement_send,agreement_sign,AdobeID,agreement_write,widget_read,sign_webhook_read,sign_user_write,agreement_read,agreement_retention,sign_user_read,sign_library_read,user_management_sdk,agreement_vault,sign_user_login,sign_webhook_write,sign_library_retention,sign_library_write,workflow_write]
(https://ims-na1-stg1.adobelogin.com/ims/token/v2?grant_type=client_credentials&client_id=xxxxxxxxxx&client_secret=xxxxxxxxxx&scope=sign_webhook_retention,openid,widget_write,workflow_read,agreement_send,agreement_sign,AdobeID,agreement_write,widget_read,sign_webhook_read,sign_user_write,agreement_read,agreement_retention,sign_user_read,sign_library_read,user_management_sdk,agreement_vault,sign_user_login,sign_webhook_write,sign_library_retention,sign_library_write,workflow_write)

data-slots=text

Base Endpoint API

Get Base_uri

Acrobat Sign APIs come with location awareness, so it's important to use the correct geographic access point when calling resource-based APIs to ensure success. We highly recommend that clients store the base endpoint URL for each environment. This way, you can retrieve the appropriate geographic access points (https://api.na1.adobesign.com, https://api.eu1.adobesign.com for your resource-based API calls. Before making any API calls, make sure to include the valid access point returned as part of the base endpoint API in your request.

Base API Host

Overview

Response Object

BaseUri: Sample Response

{
    "apiAccessPoint": "https://api.na1.echosign.com/",
    "webAccessPoint": "https://secure.na1.echosign.com/"
}

BaseUri: Error Response

Error codes

Authentication: Token APIs

Call these APIs via the AdobeSignAuthService for user token generation and validation:

• POST Token: Exchange technical account token for a user token.
• POST Validate Token: Validate Sign Embed User Token.

Common auth token API attributes

Common header attributes

Create an Embed user token

Overview

Request

Request Parameters

Generating Subject Token

Subject identifies the principal for which the JWT token https://jwt.io/introduction belongs & access token is being minted by exchanging technical account token(actor token). Subject is scoped to be locally unique in context of authorization server identified by email. The jwt token belonging to this subject is termed subject_token which is an unsigned one and has "email" as claim.

Sample subject token (jwt)

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6InN1YmplY3RfZW1haWxAc2lnbmVtYmVkcGFydG5lci5jb20ifQ.IOqyTkveGBDhfmanxttJnrcO-X8iYK1yyu7mU5Eb3dY


Payload:

{

  "email": "subject_email@signembedpartner.com"
}

For quick testing, copy this sample value and paste in jwt.io, Navigate to right hand payload section & update "email". The jwt token at left side will be updated automatically. You can use this as subject token in token exchange api

How to generate programmatically?

You can use libraries https://jwt.io/libraries based on different languages to generate an unsigned subject token.

Sample Request parameters

client_id:<IMS_client_id>
client_secret:<client_secret>
grant_type:urn:ietf:params:oauth:grant-type:token-exchange
subject_token:<example-jwt-token>
subject_token_type:jwt
actor_token_type:access_token
actor_token:<technical_account_token>
scope:sign_webhook_retention,widget_write,workflow_read,agreement_send,agreement_sign,agreement_write,widget_read,sign_webhook_read,sign_user_write,agreement_read,agreement_retention,sign_user_read,sign_library_read,agreement_vault,sign_user_login,sign_webhook_write,sign_library_retention,sign_library_write,workflow_write

Response

Response Parameters

Sample Response

{
    "access_token": <user_access_token>,
    "token_type": "access_token",
    "expires_in": 300,
    "scope": "sign_webhook_retention,openid,widget_write,workflow_read,agreement_send,agreement_sign,AdobeID,agreement_write,widget_read,sign_webhook_read,sign_user_write,agreement_read,agreement_retention,sign_user_read,sign_library_read,agreement_vault,sign_user_login,sign_webhook_write,sign_library_retention,sign_library_write,workflow_write"
}

Errors

Error codes for create an embed user token

Validate Embed User token

Overview

Request

Request Parameters

Sample request

client_id:<IMS_client_id>
token:<user_access_token>
type:access_token

Response

Response Parameters

Sample Response

{
    "valid": true,
    "expires_at": 1673987741
}

Errors

Error codes for validate account

Common attributes

Account & User APIs: Common headers for Partner APIs

Common headers for Auth token APIs

Register APIs

Register APIs allow you to register your partner application with Acrobat Sign as part of the on-boarding process. Call this API directly with your technical account token for each technical account. You must also do this in the sandbox environment as well.

You can call the following API to register your partner application by directly using Technical account token:

• Post Partners - Register the partner with Acrobat Sign

Create partner

Overview

Request

Register Partner request parameters

Register partner sample request

{
"name":"Partner Name",
"domains": [
  "partnerdomain.com",
  "partnerdomain.us"
 ]
}

Response

Register partner response parameters

Register partner sample response

{
"id" :"1234",
"name":"Partner Name",
"orgGuid": "PartnerOrgGuid",
"imsClientId": "CliendIdOfTechnicalAccToken",
"technicalAccountId": "41AC2000634002540A49403A@techacct.adobe.com",
"status": "INACTIVE",
"updatedBy": "41AC2000634002540A49403A@techacct.adobe.com",
"created": "date",
"modified": "date",
"domains": [
  "partnerdomain.com",
  "partnerdomain.in"
]
}

Errors

Error codes for register partner response

Account APIs

Call these APIs directly using a technical account token to create or update an account.

• POST Account - To create a new account.
• PUT Account - To update a new account.
• GET Account - To fetch an account info.
• GET All Accounts - To fetch all accounts in a channel.

Common account API header attributes

Common header attributes

Create Account

Overview

This API is idempotent. <br/> Repeating a create request with the same account name in the partner's channel returns 201 Created and the existing accountId. <br/> A 409 ACCOUNT_ALREADY_EXISTS error is returned when the name conflicts with an account in a different partner's channel.

Request

Account create-update request parameters

Consumable

Sample Account Provisioning Request

{
    "name": "SignEmbedTestAccount",
    "company": "Sign Embed Test Account",
    "countryCode": "US",
    "consumables":[
        {
            "type": "SEATS",
            "attributes": {
                "cap": 1
            }
        },
        {
            "type": "PHONE_AUTH",
            "attributes": {
                "cap": 1
            }
        },
        {
            "type": "KBA",
            "attributes": {
                "cap": 1
            }
        }
    ]
}

Account creation response object

Sample account creation response

{
  "accountId" : "2aabnucbm3xsdfweldvwporqvjqzxdkjorbikaifuiwufwihs*"
}

Errors

Error codes for AccountCreateErrorResponse

Update Account

Overview

Request

Account update request parameters

Sample Account Update Request

{
  "id":"accountid",
  "name": "SignEmbedTestAccountUpdated",
  "company": "Sign Embed Test Account Updated",
  "consumables":[
    {
      "type": "SEATS",
      "attributes": {
        "cap": 10
      }
    },
    {
      "type": "PHONE_AUTH",
      "attributes": {
        "cap": 10
      }
    },
    {
      "type": "KBA",
      "attributes": {
        "cap": 10
      }
    }
  ]
}

Errors

Error codes for AccountUpdateErrorResponse

Get Account

Overview

Response

Response Object GetAccountResponse

Sample account creation GetAccountResponse

{
  "id":"accountId"
  "name": "SignEmbedTestAccountUpdated",
  "company": "Sign Embed Test Account Updated",
  "consumables":[
    {
      "type": "SEATS",
      "attributes": {
        "cap": 10
      }
    },
    {
      "type": "PHONE_AUTH",
      "attributes": {
        "cap": 10
      }
    },
    {
      "type": "KBA",
      "attributes": {
        "cap": 10
      }
    }
  ],
  "created": "2023-01-17T12:27:08Z"
}

Errors

Error codes for AccountGetErrorResponse

Get All Accounts

Overview

Query Params

Response

Response Object GetAccountResponse

Account

Sample GetAccountsResponse

{
  "accountList": [
    {
      "accountId": "secureAccountId1234",
      "name": "Joes Bike Shop",
      "created": "2023-01-17T12:27:08Z"
    },
    {
      "accountId": "secureAccountId2345",
      "name": "Acme Corp",
      "created": "2023-01-17T12:27:08Z"
    }
  ]
}

Errors

Error Response for Get Accounts

User APIs

Call these APIs directly using a technical account token to create or update an account and users.

• POST User - To add a user to an account.
• PUT User - To update a user.
• GET User - To fetch user info.

data-slots=text

Common user API header attributes

Common user header attributes are identical to the Account APIs.

POST user

Overview

This API is idempotent.<br/> Repeating a create request with the same email in the same account returns 201 Created and the existing userId. <br/>A 409 USER_ALREADY_EXISTS error is returned when the email conflicts with a user in a different account.

Request

Create-update user request parameters

Sample user creation request body

{
  "firstName": "John",
  "lastName": "Doe",
  "email": "johndoe_joesbikeshop@partnerdomain.com",
  "emailAlias":"johndoe@joesbikeshop.com",
  "accountId": "CBJCHBCAABAAyQTAasUNZ-lxF0gKyvZUaB6rQ3UfrKr1",
  "status": "ACTIVE",
  "initials": "JD",
  "phone": "12345678111",
  "title": "SDE",
  "company": "Joes Bike Shop",
  "roles": [
    "ACCOUNT_ADMIN",
    "PRIVACY_ADMIN"
  ]
}

Response

Create User Response

Error

Error codes for UserCreateErrorResponse

PUT User

Overview

Request

Sample update user request body

{
  "id":"userId",
  "firstName": "John",
  "lastName": "Doe",
  "email": "johndoe_joesbikeshop@partnerdomain.com",
  "emailAlias":"johndoe@joesbikeshop.com",
  "accountId": "CBJCHBCAABAAyQTAasUNZ-lxF0gKyvZUaB6rQ3UfrKr1",
  "status": "ACTIVE",
  "initials": "JD",
  "phone": "12345678111",
  "title": "SDE",
  "company": "Joes Bike Shop",
  "roles": [
    "ACCOUNT_ADMIN",
    "PRIVACY_ADMIN"
  ]
}

Errors

Error codes for UserUpdateErrorResponse

GET User

Overview

Response

Get user response attributes

Sample get user response

{
  "id": "userId",
  "email": "johndoe_joesbikeshop@partnerdomain.com",
  "emailAlias": "johndoe@joesbikeshop.com",
  "firstName": "John",
  "lastName": "Doe",
  "accountId": "CBJCHBCAABAAuchiIJRXpJ-IyaFxK6QvRPrLEahWSuRW",
  "status": "ACTIVE",
  "initials": "JD",
  "company": "Joes Bike Shop",
  "roles": [
    "ACCOUNT_ADMIN",
    "PRIVACY_ADMIN"
  ],
  "created": "2023-01-17T12:27:08Z"
}

Errors

Error codes for UserGetErrorResponse

Consumable APIs

Adobe Acrobat Sign supports a variety of authentication methods to ensure the security and integrity of electronic signatures. These methods range from simple, single-factor authentication to more complex, multi-factor authentication options - ensuring that organizations can manage and budget their use according to their security needs and compliance requirements, while also providing flexibility to choose the appropriate level of authentication for different types of transactions.

• Phone Authentication: A six-digit code is sent to the recipient's phone via SMS or voice call, which must be entered to view the agreement. For details, check Phone authentication.

• Knowledge-Based Authentication (KBA): This high-level authentication method is used mainly in financial institutions. It involves answering personal questions derived from public databases and is only available for recipients in the US. For details, check Knowledge-based authentication.

• Government ID Authentication: This method requires the recipient to provide an image of a government-issued ID and a selfie for verification. For details, check Government ID.

data-slots=text

Consumables summary on integration

FilterRequestParams

ConsumableSummaryResponse

ConsumableSummary

ConsumableSummaryResponse

{
  "consumableSummary": [
    {
      "type": "KBA",
      "count": 1
    },
    {
      "type": "PHONE_AUTH",
      "count": 2
    }
  ]
}

Get consumables summary on account level

ConsumableSummaryResponse

{
  "consumableSummary": [
    {
      "type": "KBA",
      "count": 1
    },
    {
      "type": "PHONE_AUTH",
      "count": 2
    }
  ]
}

Get consumables summary details on account level

AccountFilterQueryParams

ConsumableSummaryDetailsResponse

ConsumableSummaryDetails

AddonDetails

ConsumptionResponseReportResponseItemDetail

{
  "page": {
    "nextCursor": "xyzjbjdbjb"
  },
  "agreements": [
    {
      "id": "CBJCHBCAABAA-N0tAR3aLID-u4R5RO",
      "createdDate": 2025-01-10T00:00:15Z,
      "addonDetails": [
        {
          "type": "KBA",
          "count": 1
        },
        {
          "type": "PHONE_AUTH",
          "count": 2
        }
      ]
    }
  ]
}

CommonErrorResponse

Partner APIs Common Headers

GDPR Delete userInfo

The GDPR Delete User API enables partners to delete end users in compliance with GDPR “Right to be forgotten” requirements. This removes the user in a manner that cannot be reversed or retrieved, addressing privacy and compliance issues.

Pre-requisites

• A technical account with the scope sign_account_write_scope is required.

• Only users having both Account Admin and Privacy Admin roles can delete users in their account.

• The user that needs to be deleted must be marked as inactive.

Steps to delete a user:

• Generate a technical account token.

• Use this token to obtain a user embed token for the account admin who has both required roles.

• Update the user status you want to delete to “INACTIVE.”

• Call the GDPR Delete User API using the same embed token to permanently remove the user.

Delete userInfo as per GDPR compliance

QueryParams

Partner APIs Common Headers

SuccessResponse

ErrorResponse

© Copyright 2023, Adobe Inc.. Last update: Oct 07, 2025.