
The CTO’s Dilemma: Build or Integrate?
When a company decides to digitise its contracting flows, the first question that lands on the CTO’s desk is: Can we build this in-house?
The short answer is yes. The smart answer is no. Building your own electronic signature engine effectively means becoming a Trust Service Provider: managing complex cryptography, timestamping, long-term key and document custody, and compliance with changing regulations (eIDAS 2.0, GDPR). It is a never-ending source of technical debt.
The winning strategy for the IT department is to integrate a third-party API that hides all that legal and cryptographic complexity, so the development team can focus on core business. Below are the 4 technical criteria for choosing the right API.
1. Developer Experience (DX): Documentation and Sandbox
For a development team, poor documentation is an immediate blocker. Do not choose a provider on price or brand alone; let your developers evaluate the API first.
What to look for (the developer “happy path”):
- RESTful API documentation: Clear, modern (OpenAPI/Swagger) with code examples in the main languages (Python, Node.js, PHP, Java).
- Free sandbox environment: You must be able to test the full integration without touching production and at no cost. Avoid providers that require a contract before giving you a trial API key.
- Libraries / SDKs: If the provider offers official SDKs, you can cut integration time from weeks to days.
2. Event Architecture: Webhooks vs. Polling
In high-volume processes (e.g. signing 5,000 policies or contracts per day), efficiency is critical.
The technical criterion:
Avoid legacy APIs that force you to do constant polling (asking every minute: “Have they signed yet?”). That overloads your server and wastes API quota.
- The solution: Require a Webhook-based architecture.
- The flow: Your system sends the signing request and then steps back. When the user signs (whether 1 minute or 3 days later), the signature API “wakes up” your system with a POST notification (webhook) containing the result. It is asynchronous, efficient and scalable.
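A webhook receiver is only as safe as its verification of who sent the POST. The example below is added here and is not code from the original article or from any signature provider; the header names, the HMAC-over-timestamp-and-body scheme, the payload fields (event_id, envelope_id, status) and the shared secret are all assumptions made for illustration. It shows the three checks a receiver should do before trusting a notification: freshness (reject deliveries outside a replay window), authenticity (constant-time HMAC comparison), and idempotency (ignore a redelivered event_id), and only then dispatches on the signing result.

```python
import hashlib
import hmac
import json
import time

# Header names and payload fields below are assumptions for this example,
# not the format of any particular signature provider.
SIGNATURE_HEADER = "X-Webhook-Signature"
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
MAX_SKEW_SECONDS = 300  # reject notifications older than 5 minutes (replay window)


class WebhookRejected(Exception):
    """Raised when a notification fails verification; answer HTTP 400 to the caller."""


def compute_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    # The MAC covers timestamp + raw body, so neither can be altered without detection.
    return hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256).hexdigest()


def make_signed_request(secret: bytes, event: dict, timestamp: int) -> tuple[dict, bytes]:
    """Build headers and body the way the (assumed) provider would sign them."""
    body = json.dumps(event, separators=(",", ":")).encode()
    ts = str(timestamp)
    return {TIMESTAMP_HEADER: ts, SIGNATURE_HEADER: compute_signature(secret, ts, body)}, body


class WebhookReceiver:
    def __init__(self, secret: bytes, now=time.time):
        self._secret = secret
        self._now = now  # injectable clock so the replay window can be tested
        self._seen_event_ids: set[str] = set()  # production: durable store with a unique key

    def handle(self, headers: dict, body: bytes) -> dict:
        ts = headers.get(TIMESTAMP_HEADER)
        sig = headers.get(SIGNATURE_HEADER)
        if ts is None or sig is None:
            raise WebhookRejected("missing signature headers")
        if not ts.isdigit() or abs(self._now() - int(ts)) > MAX_SKEW_SECONDS:
            raise WebhookRejected("timestamp malformed or outside replay window")
        expected = compute_signature(self._secret, ts, body)
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            raise WebhookRejected("signature mismatch")
        # Parse JSON only after the MAC check, so unauthenticated input never reaches the parser.
        event = json.loads(body)
        event_id = event.get("event_id")
        if not isinstance(event_id, str) or not event_id:
            raise WebhookRejected("missing event_id")
        if event_id in self._seen_event_ids:
            return {"status": "duplicate", "event_id": event_id}  # redelivery: acknowledge, do nothing
        self._seen_event_ids.add(event_id)
        return self._dispatch(event)

    def _dispatch(self, event: dict) -> dict:
        status = event.get("status")
        envelope = event.get("envelope_id")
        if status == "signed":
            # Here your system would fetch the signed document and Audit Trail from the provider.
            return {"status": "processed", "envelope_id": envelope, "action": "fetch_audit_trail"}
        if status in ("declined", "expired"):
            return {"status": "processed", "envelope_id": envelope, "action": "close_request"}
        raise WebhookRejected(f"unknown event status {status!r}")


def try_handle(receiver: WebhookReceiver, headers: dict, body: bytes):
    """Return the handler result, or the rejection reason as a string."""
    try:
        return receiver.handle(headers, body)
    except WebhookRejected as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample notification: a signer completed envelope "env-123".
    secret = b"constructed-shared-secret"
    event = {"event_id": "evt-001", "envelope_id": "env-123", "status": "signed"}
    headers, body = make_signed_request(secret, event, 1700000000)
    receiver = WebhookReceiver(secret, now=lambda: 1700000010)
    print(try_handle(receiver, headers, body))  # processed
    print(try_handle(receiver, headers, body))  # duplicate (redelivered event)
    print(try_handle(receiver, headers, body.replace(b"signed", b"declined")))  # signature mismatch
```

Two design points matter in practice: the receiver acknowledges duplicates with a success result rather than an error, because providers retry on failure and a business action (closing the contract, triggering billing) must run exactly once; and the seen-event set shown here is in memory only, so a real deployment keys it on a database unique constraint or similar durable store so that restarts and multiple workers do not reopen the replay window.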
3. Compliance as Code: eIDAS Without Hardware
The technical challenge of signing is not drawing a stroke on a PDF; it is ensuring that stroke has legal validity across the EU.
The “frictionless” approach:
Many CTOs worry that eIDAS compliance means forcing users to install software or use card readers.
- The API solution: Look for an API that offers Advanced Signature with OTP when you need it, or Simple Signature for less demanding flows.
- You orchestrate the visual flow in your web/app.
- The API handles sending the requests and retrieving the Audit Trail.
- Result: Regulatory compliance that is transparent to your frontend.
4. Security, SLA and Scalability
When you integrate an external API into critical processes (hiring, billing), that API becomes part of your infrastructure. If the API goes down, your business stops.
Infrastructure checklist:
- SLA (Service Level Agreement): Does the provider offer a 99.9% high-availability standard, or commit to four nines (99.99%)? What happens when they fail?
- Elastic scalability: If you run a Black Friday campaign and go from 100 to 10,000 signatures per hour, does the API hold up or throttle you? Look for providers with modern cloud infrastructure (AWS/Oracle/Azure) that can auto-scale.
- Data residency: Ensure data centres are in the EU so you can comply strictly with GDPR and avoid unwanted international data transfers.
Frequently Asked Questions (FAQs)
REST or SOAP API?
REST, without question. It is the modern standard, lighter and easier to integrate and maintain than SOAP. Most developers today prefer JSON over XML for readability and efficiency.
How do we handle API authentication?
The standard is API keys, or OAuth2 tokens where you need stronger security. Rotate keys regularly and never expose them in client-side code (frontend).
Can we customise the email the user receives?
Yes. A good API supports white-label or advanced customisation: your logo, your corporate colours and editable text for the signing request email so you keep your brand consistent.
What if our users sign from a native mobile app?
The API should let you generate a unique signing URL per user. You can embed that URL in a WebView inside your app (iOS/Android) so the user signs without leaving your application.
Conclusion
For a CTO, the best signature API is the one that is invisible: easy to integrate, hard to break and legally solid. Do not reinvent the wheel by building your own cryptography. Choose a technology partner that offers a solid API, webhook-based and with native eIDAS compliance, so your team can focus on creating value in your core product.
Ready to get started?
Contact us to share your business project, or register now to start trying our services today.
