Online API
Flow that runs through the entire Certillion API structure, from the initial request steps to response delivery.
Documentation
Online API
Full description, parameters and return codes of all Certillion API methods.
authorize
/css/restful/application/oauth/authorize
The first step is to create an authorization request containing the parameters necessary for the PSC to identify the client application. Next, it is important to request authorization from the user, according to the requested usage permission. Oauth2 Standard
The authorization request is made, including parameters such as response type, application identification, code challenge, challenge method, PSC, redirect URI, scope and other optional parameters. If successful, the response includes an authorization code.
Method: GET
PARAMETERS
| code_challenge | Value used to protect the authorization code grant, ensuring that the person who initiated the request will be the one who exchanges the authorization code for the access token. |
| code_challenge_method | fixed value “S256” Value corresponding to the method used in the proof key (code_verifier) to derive the challenge (code_challenge). |
| manager_id | Token that identifies the application that wants to use the API (Provided by e-Sec) |
psc [optional] | PSC that will be used. |
| response_type | The fixed value “code” |
lifetime [optional] | Indicates the desired lifetime for the token to be generated. Integer, in seconds. |
login_hint [optional] | User identifier |
redirect_uri [optional] | Must have the URI to redirect the user back to the originating application. |
state [optional] | Code for identifying the application state. |
scope [optional] | Available values: single_signature, multi_signature, signature_session |
Error codes:
| Code HTTP | Description | Suggested Action |
| 404 (NOT_FOUND) | Returned when the Certillion API was unable to communicate with the PSC. | First, it is necessary to redo the request; additionally, it is crucial to ensure that the credentials are correct. |
In this method, it is necessary to provide a code_challenge.The code_challenge is a SHA256 hash of the code_verifier, encoded in URL Base64. First, the code_verifier is stored in the application for later use, while the code_challenge is sent along with the authorization request. For more information, see the PKCE RFC .
For example, for the Java platform, this information can be generated using the code below, or equivalent:
var crypto = require('crypto') function base64URLEncode(str) { return str.toString('base64') .replace(/\+/g, '-') .replace(/\//g, ' _') .replace(/=/g, ''); |
certificate-discovery
/css/restful/application/certificate-discovery
Recovers the certificate authorized by the user to perform digital signature .
Method: GET
The parameters returned by the request are:
| Parameter | Description |
| Status | Object containing the request status code, name and details</span > |
| Certificates | Array containing the certificates found, contains you fields serial_number, subject_dn, issuer_dn, not_before, not_after, alias, status, certificate, issuer_certificate |
Error codes:
| HTTP Code | Error Code | Description | Suggested Action |
| 401 (UNAUTHORIZED) | 249 (TOKEN_VALIDITY_INVALID) 250 (INVALID_ACCESS_TOKEN) 209 (BAD_AUTHENTICATION) | Returned when the Authorization field passed is wrong or expired. | Redo the request ensuring that the Authorization is correct. |
401 (UNAUTHORIZED)</ td> | 218 (USERS_EXCEEDED_MAXIMUM_ALLOWED) | Returned when the accesses contracted to the PSC in question have been exhausted. | Check the status of your account with the PSC.</ td> |
| 400 (BAD_REQUEST) | 205 (REQUEST_BAD_DATA) | < span style=”font-weight: 400;”>Returned when there is a problem executing the request. | Redo the request after review it ensuring that it is in accordance with what is expected by method. |
| 404 (NOT_FOUND) | 620 (CERTIFICATE_NOT_FOUND) | Returned when:< /p> – There is no certificate in the PSC slot; – The Alias provided does not match any certificate in the PSC slot. | Remake the request, providing an alias correct. |
| 500 (INTERNAL_SERVER_ERROR) | 224 (ERROR_DURING_AUTHENTICATION) | Returned when there is an unexpected failure in processing the request. | Redo the request after reviewing it, ensuring that it is in accordance with the method’s expectations.</span > If the error persists, contact Certillion support. |
| 504 (GATEWAY_TIMEOUT) | 301 (TIMEOUT) | Returned when there is a timeout in communication with the PSC. This may be caused by some unavailability or slowness on the part of the PSC. | Wait a few minutes and redo the request. |
HEADERS
| Authorization | Receives the value of the access_token generated by the 2.2 token call. |
client_maintenance
/css/restful/application/oauth/client_maintenance
The method allows the maintenance of information of an application. Developers can register or update essential data, such as name and callback addresses, using tokens provided by e-Sec. The server responds with appropriate codes in cases of incorrect authorization or malformed request. Essential for effective application administration in Certillion, the method facilitates secure and reliable integration.
Method: POST
Parameter description:
| Parameter | Description |
| client_id | Token that identifies the API user application (Provided by e-Sec) |
| client_secret | Application secret token (Provided by e-Sec) |
| comments | General observations on the use of the application being registered |
| Email for support in case of unavailability, change of version, among others | |
| name | Name/description of the application |
| redirect_uris | Application server callback addresses that the Certillion API should call when the signature is completed |
Possible errors returned by the server:
| HTTP Codes | Description | Suggested Action |
| 401 (UNAUTHORIZED) | Returned when the authorization field passed is wrong or expired. | It is necessary to redo the request to ensure that the authorization is correct. |
| 400 (BAD_REQUEST) | Returned when the JSON request sent is malformed. | It is necessary to first redo the request after reviewing it, also ensuring that its format is as expected by the method. |
| 500 (INTERNAL_SERVER_ERROR) | Returned when there is an unexpected failure in processing the request. | Review the submitted request ensuring that its structure is correct. If the error persists, contact Certillion support. |
HEADERS:
| Authorization | {{token: }} Receives the value of the access_token that could have been generated by either the 1.1 client_token call or the 2.2 token call. |
| Content-Type | application/json The content of the request body must be in JSON format. { “name”: “{NAME}” “{REDIRECT_URIS} |
client_token
/css/restful/application/oauth/client_token
The method is used to obtain a client token, essential for querying users and preparing signatures to be performed by the signer. The request response includes the access_token, required to use other system resources, along with the token’s validity (expires_in), the token type (token_type – fixed as ‘Bearer’), and the desired lifetime for the generated token (lifetime in seconds), allowing secure and authorized interaction with other system resources.
Method: POST
The request response contains the following data:
| Parameter | Description |
| access_token | Access token required to use other system resources |
| expires_in | Token validity returned |
| token_type | Token type, fixed value ‘Bearer’ |
| lifetime | Indicates the desired lifetime for the generated token. Integer, in seconds. |
Error codes:
| HTTP Code | Description | Suggested Action |
| 401 (UNAUTHORIZED) | Returned when the credentials passed are incorrect (client_id and/or client_secret) | Remake the request ensuring that the credentials are correct. |
| 500 (INTERNAL_SERVER_ERROR) | Returned when there is an unexpected failure while processing the request. | Redo the request after reviewing it and ensuring that its format is as expected by the method. If the error persists, contact Certillion support. |
HEADERS
| Content-Type | application/x-www-form-urlencoded The body of the request when sent has the format of a query string separated by &. |
BODY
{ “client_id”: "{CLIENT_ID}", “client_secret”: "{CLIENT_SECRET}", |
document (download)
/css/restful/application/oauth/document/{transaction}
This method of the Certillion API is used to download the signature in attached format. The transaction ID that was returned in the call must be informed in the call/signature in order to download the signed file.
If the operation is successful, the request returns a byte[].
Method: GET
HEADERS
| Authorization | Receives the value of the access_token that may have been generated by either the call 1.1 client_token and by the 2.2 token call. |
Error codes:
| HTTP Code | Description | Suggested Action |
| 401 (UNAUTHORIZED) | Returned when the Authorization field passed is wrong or expired. | Remake the request ensuring that the Authorization is correct. |
| 404 (NOT_FOUND) | Returned when: – There is no transaction associated with the passed transaction id; – The transaction ndoes not belong to the company that made the request; | Remake the request ensuring that the transaction id passed is valid and that it is linked to a transaction of your company. |
| 400 (BAD_REQUEST) | Returned when: – There is no valid signature to perform the download; – The signature pattern used in the transaction does not accept the download; | Remake the request using another id transaction. |
| 500 (INTERNAL_SERVER_ERROR) | Returned when there is an unexpected failure while processing the request. | Redo the request after reviewing it to ensure that it complies with the method’s expectations. If the error persists, contact Certillion support. |
document (upload)
/css/restful/application/oauth/document
This method allows you to request the signing of a batch of documents to the Certillion API, first requiring the upload of all the files that make up the batch. When sending the files to the server, the call returns the status of the operation, including the code, name and details in the status field, in addition to the hash of the uploaded document.
If errors occur, such as problems reading the file, the server returns corresponding HTTP codes with specific descriptions, suggesting actions to correct the identified problems, such as ensuring the authorization is correct or reviewing and resending the request.
Method: POST
Parameters returned by the request:
| Parameter | Description |
| document_hash | Base64 encoded string of the hash of the document |
| file | Must receive as value the document or documents to be sent to the Certillion API for signature. |
| status | Operation status, object containing the code, name and detail pairs. |
Error codes:
| HTTP Code | Description | Suggested Action |
| 401 (UNAUTHORIZED) | Returned when the passed Authorization field is wrong or expired. | Redo the request ensuring that the authorization is correct. |
| 400 (BAD_REQUEST) | Returned when there is a problem reading the sent file. | Redo the request ensuring that the file is not corrupted. |
| 500 (INTERNAL_SERVER_ERROR) | Returned when there is an unexpected failure in processing the request. Possibly caused by the failure to complete the authorization form or the attempt to upload an empty file. | Redo the request after reviewing it, ensuring that it complies with the method’s expectations. If the error persists, contact Certillion support. |
HEADERS
| Accept | application/json |
| Authorization | Receives the value of the access_token that may have been generated by either the 1.1 client_token call or the 2.2 token call. |
| Content-Type | multipart/form-data Allows the sending of large amounts of binary data, useful for sending large batches of files |
BODY:
{ “file”: “{FILE}” } |
find-psc-accounts
/css/restful/application/oauth/find-psc-accounts
Certillion API method that finds PSC accounts by legal identifier, can be a CPF or CNPJ.
Method: POST
Description of the parameters present in the body of the request:
| Parameter | Description |
| client_id | Token that identifies the application that wants to use the API (Provided by e-Sec) |
| client_secret | Application secret token (Provided by e-Sec) |
| user_cpf_cnpj | Must be filled in according to the search, CPF for CPF search and CNPJ for CNPJ search |
| val_cpf_cnpj | CPF or CNPJ number to be searched |
Error codes:
| HTTP Code | Description | Suggested Action | |
| 401 (UNAUTHORIZED) | Returned when the Authorization field passed is wrong or expired. | Remake the request ensuring that the Authorization is correct. | |
| 400 (BAD_REQUEST) | Returned when the val_cpf_cnpj field is not filled in. | Redo the request after reviewing it, ensuring that it complies with the method’s expectations. | |
| 500 (INTERNAL_SERVER_ERROR) | Returned when there is an unexpected failure in processing the request. | method. If the error persists, contact Certillion support. | |
| 504 (GATEWAY_TIMEOUT) | Returned when there is a timeout in communication with the PSC. It may be caused by some unavailability or slowness on the part of the PSC. | Wait a few minutes and redo the request. |
HEADERS
| Authorization | Receives the value of the access_token generated by the 1.1 client_token call. |
BODY
{ “client_id”: "{CLIENT_ID}", “client_secret": "{CLIENT_SECRET}", “user_cpf_cnpj": "{CPF}", “val_cpf_cnpj": "{USERNAME}" } |
psc-info
/css/restful/application/oauth/psc-info
Certillion API method that allows querying the Certification Service Providers (PSC) accepted by Certillion. Users can obtain a complete list of the PSCs that the application recognizes and accepts for digital certification and authentication processes, ensuring that users can easily identify and use the digital certification services compatible with Certillion.
Method: GET
Parameter description:
| Step | Description |
| /psc-info | Call that fetches all PSCs compatible with the Certillion API |
otp_authorize
/css/restful/application/oauth/otp_authorize
Cer API Method Tillion for request the generation of a system access token based on the OTP for using the certificate provided by the Certillion application (available for MacOS, Windows, Linux, Android)and iOS).
Method: POST
Description of the parameters present in the request body:
| Parameter | Description |
| client_id | Token that identifies the application that wants to use the API (Provided by e-Sec) |
| client_secret | Application secret token (Provided by e-Sec) |
| lifetime | Desired expiration time for the requested access token, in seconds. OTP code for using the certificate provided by the Certillion application |
| scope | “signature_session” |
| user: name | Recipient’s CPF or CNPJ |
Error codes:
| HTTP Code | Description | Suggested Action |
| 401 (UNAUTHORIZED) | Returned when: – The credentials passed are incorrect; – There is no OTP for the user; – The OTP passed is invalid. | Redo the request ensuring that the OTP and authorization credentials are correct. |
| 500 (INTERNAL_SERVER_ERROR) | Returned when there is an unexpected failure in processing the request. | Redo the request after reviewing it ensuring that it is in accordance with what is expected by the method. If the error persists, contact support. Certillion. |
HEADERS
| Content-Type | application/json The body content of the request must be in JSON format. |
BODY
{ “client_id”: "{CLIENT_ID}, “otp”: "{OTP}", “scope”: "{SCOPE}",“lifetime”: "{LIFETIME}" |
pwd_authorize
/css/restful/application/oauth/pwd_authorize
Certillion API method that requests the generation of an access token to the system, it is not supported by all PSCs.
Method: POST
Description of the parameters present in the body of the request:
Available values: single_signature, multi_signature, signature_session
| Parameter | Description |
| client_id | Token that identifies the application that wants to use the API (Provided by e-Sec) |
| client_secret | Application secret token (Provided by e-Sec) |
| lifetime | Desired validity time for the requested access token, in seconds |
| password | OTP code of the recipient |
psc_id [optional] | Requester identifier provided by PSC. |
psc_secret [optional] | Applicant password to access PSC |
psc</ span> [optional] | Name of the psc desired by the requester |
| scope | |
| username | CPF or Recipient’s CNPJ |
Error codes:
| HTTP Code | Description | Suggested Action< /b> |
| 400 (BAD_REQUEST) | Returned when: – The PSC you want to use is disabled;</ span> – The signature pattern used in the transaction does not accept the download; | Remake the request using another transaction ID. |
| 401 (UNAUTHORIZED) | Returned when the credentials passed are incorrect. | Remake the request ensuring that the authorization credentials (both of the company and the user) are correct. |
| 500 (INTERNAL_SERVER_ERROR) | Returned when there is an unexpected failure in processing the request. | Redo the request after reviewing it, ensuring that it is in accordance with the method’s expectations.</span > If the error persists, contact Certillion support. |
| 501 (NOT_IMPLEMENTED) | Returned when the pwd_authorize method is not supported by the PSC; | Remake the request using another PSC. |
| 504 (GATEWAY_TIMEOUT | Returned when there is a timeout in communication with the PSC. It may be caused by some unavailability or slowness on the part of the PSC. | Wait a few minutes and redo the request.< /td> |
HEADERS
Content-Type
application/json The content of the request body must be in JSON format. |
BODY
{ “client_id”: "{CLIENT_ID}", “client_secret”: "{CLIENT_SECRET}", |
signature
/css/restful/application/oauth/signature
Certillion API method used to sign a batch of documents (one or more). This way the user can sign all the documents in a single step, providing your credentials only once. You must upload the files to be signed beforehand. This method is ideal for signing large documents in PDF (simple and PAdES), XML, DOC, and other formats.
Method: POST
Description of the parameters present in the body of the request. The values in bold are the default: signature_standard
| Parameter | Description |
certificate_alias [optional] | Identifier of the certificate corresponding to the key used in the signature.</span > |
| detached | true for detached or false for attached |
| hashes | Hashes of documents previously uploaded to the Certillion server, each document has an id, an alias, a calculated hash, an [optional] hash_algorithm that defines the type of hash generation and, finally, [optional] signature_standard_options that defines more signature options (detailed in the table below) |
| pki_name | ICP_BR |
| signature_policy | AD-RB, AD-RT, AD-RV, AD-RC or AD-RA |
| PADES, PADES_ICP_BR, CADES or XADESj |
Note: The signature_standard PADES does not require signature_policy.
signature_standard_options parameters:
| Parameter | Description |
| digest_method | SHA1, SHA512, SHA256 (Default) |
| pdf_options | Defines parameters: for signature visible on pdf. |
| xml_options | Defines parameters for xml signature. |
visible_signature_options parameters:
| Parameter | Description |
| distance_x | Position on the x-axis from the left margin. Default: 0 |
| distance_y | Position on the y-axis from the bottom margin. Default: 0 |
| height | Signature field height. Default: 100 |
| image_data | Signature image encoded in Base64. If an image is not provided, the information passed in the image_zoom and image_position fields will be disregarded. |
| image_position | Position of the signature image on the PDF document page. Possible values: LEFT, RIGHT, TOP, BOTTOM, BACKGROUND Default: LEFT |
| image_zoom | Increases or decreases the size of the signature image. Default 1.0 |
| page_number | The page on which the visual signature will be inserted. Default: 1 |
| position_on_page | Signature position on the page. Possible values: TOP_LEFT, TOP_CENTER < span style=”font-weight: 400;”>TOP_RIGHT, CENTER_LEFT, MIDDLE, CENTER_RIGHT, BOTTOM_LEFT, BOTTOM_CENTER, BOTTOM_RIGHT. Default: TOP_LEFT |
| signature_field_name | Name of the PDF field where the visible signature will be inserted. If this property is filled in, all fields above it in this table will be disregarded. |
| text | Signature text. If this property is not filled in, all other properties in this table will be disregarded. |
| text_alignment | Alignment of the signature text. Possible values: LEFT, RIGHT, CENTER. Default: LEFT |
| text_font | Font that will be used in the signature text. Possible values: HELVETICA, TIMES_ROMAN, COURIER. Default: HELVETICA |
| text_font_size | Font size used in the text signature. Default: 10 |
| text_padding | Signature text padding. Default: 0 |
| visual_rotation | Signature rotation angle. Possible values: NONE, ROTATION_90 , ROTATION_180 , ROTATION_270 Default: NONE |
| width | Signature field width. Default: 200 |
Signature parameters xml_options:
| Parameter | Description |
| add_key_val | true/false – To add a key value. |
| add_subject_name | true/false – To add a subject. |
| attribute_id_name | ID attribute name, ex: id, Id or ID (mutually exclusive with elements_id |
| elements_id | List of element IDs to be signed. |
| elements_name | List of element names to be signed (used in conjunction with attribute_id_name) |
| multiple_signatures | true/false – Indicates whether an additional transformation should be applied. |
| remove_signature_id | true/false – Removes signature. |
Parameters returned by the request:
| Parameter | Description |
| policy_id | ID of the policy used in the signature |
| signatures | Array containing the details of the signatures performed |
| signer_certificate | Object containing the details of the certificate used in the signatures |
| signer_indentifier | CPF or CNPJ of the signer |
| status | Object containing the status code returned by the request, the name and details |
Status codes error:
| HTTP Code | Error Code | Description | Suggested Action |
| 401 (UNAUTHORIZED | 249 (TOKEN_VALIDITY_INVALID) 250 (INVALID_ACCESS_TOKEN) 209 (BAD_AUTHENTICATION) 807 (INVALID_CREDENTIALS) | Returned when the Authorization field passed is incorrect or expired. | Remake the request ensuring that the Authorization is correct. |
| 401 (UNAUTHORIZED) | 218 (USERS_EXCEEDED_MAXIMUM_ALLOWED) | Returned when the accesses contracted to the PSC in question have been exhausted. | Check the status with the PSC of your account. |
| 400 (BAD_REQUEST) | 620 (CERTIFICATE_NOT_FOUND) | Returned when there is no valid certificate to use for signing. | Remake the request using a PSC that has a valid certificate. |
| 400 (BAD_REQUEST) | 711 (DOCUMENT_NOT_FOUND) | Returned when the document was not found. Possibly caused by the document not having been uploaded previously. | Reupload the document and redo the signature request. |
| 400 (BAD_REQUEST) | 713 (WRONG_DOCUMENT_TYPE) | Returned when the type of document sent does not match the requested signature standard e.g.: XML document sent for a PAdES signature that requires PDF. | Redo the request using the appropriate document type for the requested signature pattern. |
| 400 (BAD_REQUEST) | 600 (CERTIFICATE_INVALID) | Returned when the certificate used is not supported by the signature policy or its chain is invalid. | Remake the request using a valid certificate for the requested policy. obs: ICP-Br policies only accept ICP-Br certificates |
| 400 (BAD_REQUEST) | 702 (ERROR_ON_PREPARE_SIGNATURE) | Returned when there is a problem with the document hash. | Remake the request after checking if the hash of the document being passed as a parameter is correct |
| 400 (BAD_REQUEST) | 200 (REQUEST_MISSING_PARAM) | Returned when any mandatory parameter is empty. | Remake the request filling in the mandatory parameters. |
| 500 (INTERNAL_SERVER_ERROR) | 224 (ERROR_DURING_AUTHENTICATION) | Returned when there is an unexpected failure while processing the request. | Redo the request after reviewing it to ensure that it is as expected by the method. If the error persists, contact Certillion support. |
| 504 (GATEWAY_TIMEOUT) | 301 (TIMEOUT) | Returned when there is a timeout in communication with the PSC. It may be caused by some unavailability or slowness on the part of the PSC. | Wait a few minutes and redo the request. |
Finally, it is worth noting that, in addition, for the document to be downloaded, it is necessary that the value of the transaction field be passed to the URL of the download request.
HEADERS
| Authorization | {{token}} Receives the value of the access_token that may have been generated by either call 1.1 client_token or call 2.2 token. |
| Content-Type | application/json The content of the request body must be in JSON format. “signature_policy”: “SIGNATURE_POLICY”, “alias”: “{ALIAS}”, “hash”: “{DOCUMENTO_HASH}” } |
token
/css/restful/application/oauth/token
Second stage of Oauth2. Request for an application to obtain an access token.
The code from step 1 is exchanged for an access token through a POST request to the URL /oauth/token. The response contains the access token, its expiration time, scope, authorized identification type, and possible associated HTTP error messages, thus providing the basis for secure authentication and authorization in a system, with optional support for different scopes of operation.
Method: POST
The parameters returned by the call are as follows:
| Parameter | Description |
| access_token | Access token required to use other system resources |
| authorized_identification | Value corresponding to the CPF or CNPJ associated with the certificate holder |
| authorized_identification_type | Must contain “CPF” for individuals or “CNPJ” for legal entities |
| error | Represents the error code. Possible values for the HTTP Status Code error parameter: invalid_request,invalid_grant,invalid_client,unsupported_grant_type,server_error |
| error_description | Error description |
| error_uri | URI of the documentation describing the error |
| expires_in | Token validity returned |
| scope | Available values: single_signature(Signs only 1 document), multi_signature(Signs more than 1 document), signature_session(Creates a signature session. During the period in which the session is open, all signatures will be made without requiring new authorization) |
Below is an example of a response to a token request:
Error codes:
| HTTP Code | Error | Description | Suggested Action |
| 400 (BAD_REQUEST) | SERVER_ERROR | Returned when: – The informed PSC is not valid; – The informed PSC is disabled. | Remake the request after reviewing it, ensuring that it is in accordance with what is expected by the method. |
| 400 (BAD_REQUEST) | INVALID_REQUEST | The manager_secret parameter cannot be empty. | Remake the request by correctly filling in the code or manager_secret parameter. If you do not have a callback URL registered, contact Certillion support. |
| 400 (BAD_REQUEST) | INVALID_GRANT | Returned when: – The code parameter is wrong; – The manager_id parameter is invalid; – The company does not have a previously registered callback URL; | Remake the request by correctly filling in the code or manager_secret parameter. If you do not have a registered callback URL, contact Certillion support. |
| 400 (BAD_REQUEST) | INVALID_REQUEST | Returned when: – The manager_id, code or code_verifier parameter is empty; – The PSC does not have a valid certificate to use in a signature; | Remake the request filling in the missing parameter. If the PSC does not have a valid certificate, it will be necessary to contact the PSC to obtain a new certificate. |
| 500 (INTERNAL_SERVER_ERROR) | SERVER_ERROR | Returned when there is an unexpected failure in processing the request, or when a mandatory parameter of the request is not sent. | Redo the request after reviewing it to ensure that it complies with the method’s expectations. If the error persists, contact Certillion support. |
HEADERS
| Content-Type | application/x-www-form-urlencoded |
BODY< /span>
{ |
In this Certillion API method, it is necessary to provide a code_verifier.
For example, for the Java platform, this information can be generated using the code below or, alternatively, an equivalent:
var crypto = require('crypto')
function base64URLEncode(str) {
return str.toString('base64')
.replace(/\+/g, '-')< br class="xliff-newline" /> .replace(/\//g, '_')
.replace(/=/g, ''); |
token-command
/css/restful/application/oauth/token-command
Certillion API method that allows tokenization management (creation, status query and revocation).
Method: POST
Description of the parameters passed in the request body:
| Parameter | Description |
| lifetime | Desired validity time for the requested access token |
| operation | Operation to be passed to the server |
| PSC | PSC on which you want to perform the operation , currently supports the following PSCs: VAULTID and BIRDID |
| scope | Available values: single_signature, multi_signature, signature_session |
| user_id | CNPJ of the applicant |
| user_secret | Requester password |
Error Codes
| HTTP Code | Error Code</b > | Description | Suggested Action |
| 401 (UNAUTHORIZED) | 250 (INVALID_ACCESS_TOKEN) 209 (BAD_AUTHENTICATION) | Returned when the passed Authorization field is wrong or expired. | Redo the request ensuring that the Authorization is correct. |
| 401 (UNAUTHORIZED) | 218 (USERS_EXCEEDED_MAXIMUM_ALLOWED) | Returned when contracted accesses to the PSC in question have been exhausted. | Check the status of your account with the PSC. |
| 400 (BAD_REQUEST) | 205 (REQUEST_BAD_DATA) | Returned when there is a problem executing the token command. | Remake the request after reviewing it to ensure that it complies with the method’s expectations. |
| 500 (INTERNAL_SERVER_ERROR) | 224 (ERROR_DURING_AUTHENTICATION) | Returned when there is an unexpected failure in processing the request. | Remake the request after reviewing it, ensuring that it complies with the method’s expectations. If the error persists, contact Certillion support. |
HEADERS
newline” /> “operation”: “{OPERATION}”,
“psc”: “{PSC}”
}
| Authorization | {{token}} Receives the value of the access_token that may have been generated by either the 1.1 client_token call as for the 2.2 token call. |
| Content-Type | application/json The content of the request body must be in JSON format. </ td> |
user-discovery
/css/restful/application/oauth/user-discovery
This Certillion API method performs a query on the Certillion API service to verify the existence of a certificate associated with a CPF or CNPJ.
Method: POST
Description of the request body parameters:
| Parameter | Description |
| client_id | Token that identifies the application that wants to use the API (Provided by e-Sec) |
| client_secret | Secret token of the application (Provided by e-Sec) |
| psc | PSC for which you want to search for CPF/CNPJ, the supported PSCs are: VAULTID, BIRDID, REMOTEID, NEOID, SAFEID, VIDAAS |
| user_cpf_cnpj | Must be filled in according to the search, CPF for Individual search and CNPJ for Legal Entity search |
| val_cpf_cnpj | CPF or CNPJ number to be searched |
Error codes:
| HTTP Code | Description | Action Suggested |
| 401 (UNAUTHORIZED) | Returned when the authorization field passed is wrong or expired. | Remake the request ensuring that the authorization is correct. |
| 400 (BAD_REQUEST) | Returned when the PSC is disabled or when an invalid PSC is used. | Remake the request using a PSC valid. |
| 500 (INTERNAL_SERVER_ERROR) | Returned when there is an unexpected failure in processing the request. Possibly caused by the lack of completion of a mandatory parameter or its absence in the request. | Redo the request after reviewing it ensuring thatits format is as expected by the method. If the error persists, contact Certillion support. |
HEADERS
| Content-Type | application/json The content of the request body must be in JSON format. |
BODY
{ “client_id”: "{CLIENT_ID}", “client_secret": "{CLIENT_SECRET}", “user_cpf_cnpj": "{CPF}", “val_cpf_cnpj": "{USERNAME}", “psc": class="xliff-newline" />} |
validate
/css/restful/application/signature/validate
This Certillion API method validates CAdES and PAdES signatures made by another system (the signatures returned by Certillion are always valid), including checks according to the ICP-Brasil and PKIX standards specifications. The validation is comprehensive, covering the certification chain, certificate revocation lists (CRLs) and online certificate status protocol (OCSP).
To validate a PDF signature, it is necessary to send the signed PDF file in the “signature” field (in base64) without the need to send content and document_hash. Alternatively, the hash of the PDF file that is saved on the server can be sent in the same “signature” field.
For attached signatures where the file is not a PDF, you must send the file in base64 in the “signature” field.
In the case of detached signatures, the signature must be in the “signature” field. In this call, the signed file can be in the content field (base64) or saved on the server and its hash sent in the “document_hash” field.
The header must contain the access token generated by the 1.1 client_token or 2.2 token calls, and the body must be in JSON format, containing the parameters required for validation.
Method: POST
Description of the parameters passed in the body of the request:
| Parameter | Description |
| content | Receives the file in base 64 for the case of detached signature validation |
| document_hash | Hash of the document to be validated |
| pki_name | Public Key Infrastructure used in the API request, the default value of the field is ICP BR |
| signature | In this field you must send the file to be validated in base 64 for attached files that are not PDF, the file in base 64 together with the hash for PDF files or the signature for detached files. In the case of PDF attached it is possible to send the file in base 64 without the need to send content and document_hash. |
Error codes:
| HTTP Code | Error Code | Description | Suggested Action |
| 401 (UNAUTHORIZED) | 250 (INVALID_ACCESS_TOKEN) 209 (BAD_AUTHENTICATION) | Returned when the Authorization field passed is incorrect or expired. | Remake the request ensuring that the Authorization is correct. |
| 401 (UNAUTHORIZED) | 218 (USERS_EXCEEDED_MAXIMUM_ALLOWED) | Returned when the contracted accesses to the PSC in question have been exhausted. | Check the status of your account with the PSC. |
| 400 (BAD_REQUEST) | 205 (REQUEST_BAD_DATA) | Returned when:</p > – The certificate chain is incomplete; – The certificate chain is invalid; – There is a cryptographic error in the signature; – There is an error in the signature encoding; – The algorithm used to perform the signature is not supported by Certillion; – The file format is not supported; – Signature verification failed; – Signature policy verification failed; | Review the submitted signature based on the returned error. |
| 400 (BAD_REQUEST) | 711 (DOCUMENT_NOT_FOUND) | Returned when the Certillion API was unable to locate the original document to validate the signature. | Send signature in attached format. |
| 500 (INTERNAL_SERVER_ERROR) | 205 (REQUEST_BAD_DATA)</ p> | Returned when there is an unexpected failure in processing the request. | Redo the request after reviewing it, ensuring that it is in accordance with the method’s expectations. If the error persists, contact Certillion support. |
HEADERS
| Authorization | {{token}} Receives the value of the access_token that may have been generated by either the 1.1 client_token call or the 2.2 token call. |
| Content-Type | application/json The content of the request body must be in JSON format. |
BODY:
{
“signature”: “{SIGNATURE}”,
“content”: "{CONTENT}",
“document_hash”: "{DOCUMENTO_HASH}",
“pki_name ": "{PKI_NAME}"
} |
Status codes returned by Certillion calls
Status codes error:
| Name | Code | |
| REQUEST_OK | 100 | Request accepted by the receiver. |
| TRANSACTION_IN_PROGRESS | 110 | The message has been received and still being processed. |
| REGISTRATION_VALID | 120 | You are registered in the system. |
| CERTIFICATE_VALID | 130 | The certificate is valid. |
| CSR_VALID | 131 | The CSR is valid. |
| REVOCATION_ACCEPTED | 132 | The certificate is marked as revoked, then enduser will be informed. |
| SIGNATURE_VALID | ||
| USER_ACTIVE | 150 | User account ready for signature. |
| DEVICE_READY | 151 | Device ready for signature. |
| REQUEST_MISSING_PARAM | 200 | An argument in the request is missing: %S |
| REQUEST_WRONG_PARAM | 201 | Error among the arguments of the request. |
| REQUEST_WRONG_LENGTH | ||
| REQUEST_BAD_FORMAT | 203 | |
| REQUEST_BAD_FORMAT | 203 | Cannot handle given MIME-Type or encoding style. |
| REQUEST_BAD_PROFILE | 204 | The AP requested a key type, key usage or signing policy that the MSS does not support. |
| REQUEST_BAD_DATA | 205 | The enduser’s mobile equipment cannot handle this kind of data. |
| REQUEST_DUPLICATED | 206 | The request or it’s parameters are duplicated. |
| ACCOUNT_NO_BANDWIDTH | 210 | Insufficient bandwidth left to carry out the transaction. |
| ACCOUNT_MAX_TRIES | 211 | Maximum number of tries exceeded. |
| ACCOUNT_NO_CREDIT | 212 | The user must pay for the certificate usage, but he’s out of credit. |
| ACCESS_NOT_AUTHORIZED | 220 | The AP is unknown or the authentication is wrong. |
| ACCESS_NO_HANDSHAKE | 221 | The MSS wants prior to negotiating with the AP the use of XML signatures in the messages. |
< td>This additional service is unknown.</ tr>< td>425The new key is not acceptable.< td>Unique identifier already registered.< /tbody>
| Name | Code | Description | |
| ACCESS_NO_SPECIFIED | 222 | The authentication mechanism was not specified. | |
| TRANSACTION_NOT_AUTHORIZED | 223 | The transaction was not authorized. The specific reason is informed in details. | |
| NETWORK_ERROR | 300 | The MSS could not contact the enduser’s mobile equipment. | |
| td> | |||
| This transaction is unknown. | 310 | This transaction is unknown. | |
| IDENTIFIER_NOT_FOUND | 311 | This enduser is unknown. | |
| SERVICE_NOT_FOUND | 312 | ||
| MOBILE_SIGNATURE_ERROR | 320 | Error during the signature process on the Mobile equipment. | |
| MOBILE_CERTIFICATE_ERROR | 321 | Error during the certificate generation on the mobile equipment. | |
| USER_CANCELED | 400 | The client has canceled the transaction. | |
| MESSAGE_BAD_INTEGRITY | 410 | The integrity check failed. | |
| MESSAGE_BAD_AUTHENTICATION | 411 | The authentication failed. | td> |
| MESSAGE_BAD_ENCRYPTION | 412 | The decryption of the message failed. | |
| MESSAGE_BAD_ENCODING | 413 | The message could not be decoded. | |
| MESSAGE_EXPIRED | 414 | The message has expired. | |
| MESSAGE_WRONG_VERSION | 420</td > | The version of the message is inappropriate for the receiver. | |
| MESSAGE_MISSING_KEY | 421 | The receiver was expecting a symmetric key. | |
| MESSAGE_UNEXPECTED_KEY | 422 | The receiver was not expecting a symmetric key. | |
| MESSAGE_UNEXPECTED | 423 | This message is not supposed to be received at this time. | |
| KEY_EXPIRED | 424 | The authentication key is expired. | |
| KEY_REJECTED | |||
| MESSAGE_NOT_FOUND | 430 | This message doesn’t ‘t exists on the mobile equipment or has been deleted. | |
| USER_NOT_FOUND | 431 | There’s no mobile user with this ID. | |
| INTERNAL_ERROR | 440 | Internal Error. | |
| SERVICE_CANT_ACTIVATE | 450 | This additional service cannot be activated to this mobile or this company. | |
| SERVICE_CANT_USE | 451 | This additional service is not allowed or not supported. | |
| SERVICE_WAS_ACTIVATED | 452 | This additional service was already activated. | |
| PLATFORM_NOT_FOUND | 500 | This platform is unknown. | |
| TOKEN_WRONG | 501 | The token is incorrect. | |
| IDENTIFIER_INVALID | 502 | Unique identifier is invalid. | |
| IDENTIFIER_DUPLICATED | 503 | ||
| CERTIFICATE_INVALID | 600 | The certificate is invalid, no further details. | |
| CSR_INVALID | 601 | The CSR is invalid, no further details. | |
| CRL_INVALID | 602 | The CRL is invalid, no further details. |
< /tr>< td>605The certificate is expired.< tr>CARD_PIN_BLOCKED631The PIN of the smartcard has been blocked.< td>632The smartcard is blocked and can never be used anymore.< td>CERTIFICATE_DUPLICATED< td>The public key in this certificate is different from the public key contained in the CSR.
| Name | Code | < b>Description |
| CERTIFICATE_MALFORMED | 603 | A X509 certificate could not be constructed. |
| CERTIFICATE_REVOKED | 604 | The certificate is revoked. |
| CERTIFICATE_EXPIRED | ||
| CERTIFICATE_NOT_IN_EFFECT | 606 | The current date precedes the one in the NOT_BEFORE field of the certificate. |
| CERTIFICATE_BLOCKED | 607 | The certificate is blocked or in one of the pending operation statuses. |
| CERTIFICATE_NOT_TRUSTED | 608 | The certificate was issued by an unknown or untrusted CA. |
| KEY_SIZE_INVALID | 609 | The certificate uses a key size that’s not supported. |
| CRL_UNAVAILABLE | 610< /td> | The CRL wasn’t available at the time it was tried to download. |
| CERTIFICATE_NOT_FOUND | 620 | No certificate has been found. |
| CHAIN_NOT_FOUND | 621 | Trust chain not found. |
| KEY_NOT_FOUND | 622 | The private key of this certificate has not been found. |
| CARD_ERROR | 630 | The smartcard found an error during the operation. |
| CARD_BLOCKED | ||
| CARD_NOT_PRESENT | 633 | The smartcard is not connected on the mobile equipment. |
| PIN_WRONG | 640 | The pin is wrong. |
| CERTIFICATE_CANT_REVOKE | 650 | This certificate cannot be revoked. |
| 660 | This certificate already exists in the server database and cannot be duplicated. | |
| CERTIFICATE_WRONG_SUBJECT | 661 | The user isn’t the owner of the certificate. |
| KEY_MISMATCH | 662 | |
| SIGNATURE_INVALID | 700 | The signature is not valid. |
| SIGNATURE_CANT_VALIDATE | 701 | Security parameters (certificate, policies, TSA) has a corruption or is wrong. td> |
| TEMPLATE_NOT_FOUND | 710 | The template does not exist. |
| Name | Code | Description |
| DOCUMENT_NOT_FOUND | 711 | The document can not be found on internal storage. |
| WRONG_DOCUMENT_HASH | 712 | The document downloaded on the url has another hash. |
| WRONG_DOCUMENT_TYPE | 713 | The document type doesn’t match the requested standard ( XML or PDF) |
| XMLDSIG_EMPTY_ELEMENT_LIST | 720 | Empty element list in XMLDSig |
| XMLDSIG_ELEMENTS_WITHOUT_ATRIBUTE_ID | 721 | Element tags without attribute id in XMLDSig |
| XMLDSIG_SAME_ID_FOR_MULTIPLE_ELEMENTS | 722< /td> | Same id in multiple elements in XMLDSig |
| XMLDSIG_NO_ELEMENT_FOUND | 723 | No element tag in XMLDSig |
| CONTRACT_NOT_FOUND | 800 | The contract could not be found. |
| DUPLICATED_ACCOUNT | 801 | User CPF already exists in this list |
| MAX_ACCOUNTS_REACHED | 802 | Contract reached max accounts available. |
| ACCOUNT_NOT_REGISTERED | 803 | Account is not registered in company contract. |