The e-signature API built to live inside your product.
The open-source e-signature engine you embed in your own product. Self-host the whole stack or use the managed cloud, with a typed SDK, AI field detection, a real audit trail, and no per-seat billing.
- Typed SDK
- AI field detection
- Embeddable signing
- Drag-drop builder
- Templates & merge
- Bulk send
- Audit trail
- PAdES seal
- Signer auth
- Webhooks
- White-label
- Multi-language
- Reminders
- Teams
- Self-host
- ✓ESIGN / UETA consent
- ✓Append-only audit trail
- ✓PAdES digital seal
- ✓SHA-256 certificate
import { PenpactClient } from '@penpact/sdk';
const penpact = new PenpactClient({ apiKey: process.env.PENPACT_API_KEY! });
const envelope = await penpact.createEnvelope({
documentName: 'Mutual NDA',
signers: [{ name: 'Ada Lovelace', email: '[email protected]' }],
});
await penpact.uploadDocument(envelope.id, pdfBytes);
await penpact.placeFields(envelope.id, [
{ type: 'signature', signerId: envelope.signers[0].id,
page: 1, x: 72, y: 620, width: 200, height: 40 },
]);
// Your signer gets a link, consents, and signs.
// You get back a sealed, PAdES-signed PDF.
await penpact.send(envelope.id);From zero to a sent, sealed document: the whole flow, in one file.
The flow
Four calls. Then evidence.
- 01 Create an envelope
One call with the document name and signers.
- 02 Upload & place fields
Send a PDF, then place fields by coordinate, in the visual builder, or let AI propose them.
- 03 Send
Each signer gets a link, accepts the ESIGN disclosure, and signs by typing, drawing, or entering a step-up code.
- 04 Get a sealed PDF
Penpact flattens the values, seals the PDF, and writes a Certificate of Completion.
Why developers pick it
Built like a developer tool, not a sales funnel.
A typed SDK, not a generated blob
A small, hand-written TypeScript client you can read in one sitting. No 200-method generated object model to learn — just the calls you need, fully typed.
AI field detection
Point Claude at the PDF and it proposes signature, date, and name fields. Review and send. Set ANTHROPIC_API_KEY to enable it when self-hosting.
Self-host in two minutes
docker compose up starts Postgres and the API and prints a working key. Every document stays on your own infrastructure, under AGPL-3.0.
Evidence built in
ESIGN consent, an append-only audit trail with IP and timestamps, a PAdES digital signature on the sealed PDF, and a SHA-256 Certificate of Completion.
No per-seat, no per-page
Usage-based on the managed cloud, free forever when you self-host. Signing is part of your product, not a per-envelope tax on every customer.
Embeddable signing
A hosted signing page and a drop-in, themeable React <Sign/> component. Your users sign inside your product, under your brand.
Questions
E-signature API FAQ
What is Penpact?
Penpact is an open-source e-signature API you embed in your own product. You create an envelope, upload a PDF, place fields, and send; signers consent and sign, and you get back a sealed, PAdES-signed PDF with an audit trail and a Certificate of Completion. Self-host it under AGPL-3.0 or use the managed cloud.
Is Penpact a free DocuSign alternative?
Yes. The core engine is open source under AGPL-3.0, so you can self-host it for free and read the source. The managed cloud is usage-based with no per-seat or per-page billing, and a generous free tier includes embedding and brand theming.
Are signatures collected through Penpact legally binding?
Penpact captures the four elements courts look for: intent, electronic-records consent under the US ESIGN Act, attribution by email and IP, and integrity via a SHA-256 hash plus a PAdES digital signature. It targets simple electronic signatures (SES) under US ESIGN, UETA, and EU eIDAS. It does not yet support EU qualified signatures (QES).
How does AI field detection work?
Point a vision model (Claude, Gemini, or GPT) at the PDF and Penpact proposes signature, name, and date fields for you to adjust in a drag-and-drop builder. When self-hosting, set a provider key to enable it; with no key the endpoint simply returns no proposals instead of failing.
Can I self-host Penpact?
Yes. Running docker compose up starts Postgres and the API and prints a working API key, so the first signed document takes minutes. Every document stays on your own infrastructure, under AGPL-3.0.
Read the source. Run it yourself.
The core engine is on GitHub under AGPL-3.0. Self-host for free, or use the managed cloud when you would rather not run the infrastructure.
Early development (v0.1.0). The API is not stable yet and the consent text is pending a lawyer's review. We would rather say that plainly.