Email-confirmed keys
Every new public key is tied to a one-time email link before it can sign anything.
What it does
Adding a public key is cheap; trusting one is not. DocSign requires email confirmation before any key can produce a signature that counts. The confirmation token is a SHA-256 hash of a random secret, stored single-use with a TTL, and consumed by clicking the link.
How it works
1. Generate or paste a public key in the Keys page.
2. DocSign emails the registered address with a one-time confirmation link (5-minute TTL).
3. Click the link. The token is consumed; the key flips to confirmed and can now sign.
4. Until confirmed, the key shows as pending and signing requests against it fail at the server-side verify step.
Why it matters
- Phishing or session takeover can't silently activate a hostile key on your account.
- Same single-use AuthToken pattern as password reset, 2FA reset, and PIN reset: one well-audited code path.
- The token is hashed at rest; a database leak doesn't yield usable links.
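The flow and properties described above, sketched as an added example (not DocSign's own code): a single-use confirmation token with a 5-minute TTL, stored only as its SHA-256 hash. The class name, method names, and in-memory dictionaries are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TTL_SECONDS = 5 * 60  # the page states a 5-minute TTL


class KeyConfirmations:
    """Hypothetical in-memory store; a real service would use a database."""

    def __init__(self, now=time.time):
        self._now = now
        self._tokens = {}  # sha256(secret) hex -> (key_id, expires_at)
        self._keys = {}    # key_id -> "pending" | "confirmed"

    def add_key(self, key_id):
        """Register a key as pending and return the secret for the email link."""
        secret = secrets.token_urlsafe(32)  # sent by email, never stored
        digest = hashlib.sha256(secret.encode()).hexdigest()
        self._tokens[digest] = (key_id, self._now() + TTL_SECONDS)
        self._keys[key_id] = "pending"
        return secret

    def confirm(self, secret):
        """Consume the token; True only on first use within the TTL."""
        digest = hashlib.sha256(secret.encode()).hexdigest()
        entry = self._tokens.pop(digest, None)  # pop makes it single-use
        if entry is None:
            return False
        key_id, expires_at = entry
        if self._now() > expires_at:
            return False  # expired; the token stays consumed
        self._keys[key_id] = "confirmed"
        return True

    def can_sign(self, key_id):
        """Server-side check: only confirmed keys may sign."""
        return self._keys.get(key_id) == "confirmed"

    def stored_digests(self):
        """What a database leak would expose: hashes, not link secrets."""
        return list(self._tokens)
```

Passing a fake clock as `now` lets the expiry path be exercised without waiting five minutes.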
Related features
Three key-storage modes
Pick where the private key lives: your machine, your browser, or end-to-end encrypted on the server.
Two-factor authentication (TOTP)
RFC 6238 TOTP with QR enrolment, 8 single-use recovery codes, and email-link reset.
Tamper-evident audit log
Every security-relevant event is recorded with user, action, IP, user-agent, and timestamp.