Stitchflow
Back to directory
SignNow logo

SignNow User Management API Guide

API workflow

How to automate user lifecycle operations through APIs with caveats that matter in production.

UpdatedMar 16, 2026

Summary and recommendation

SignNow exposes user management across two coexisting API surfaces: the v1 REST API at api.signnow.com and the v2 API at api.signnow.com/api/v2.

Auth is OAuth 2.0;

the password grant and authorization code grant are both supported, but Basic Auth (base64-encoded client_id:client_secret) is valid only at POST /oauth2/token - all other endpoints require a Bearer token.

API access requires a paid API plan starting at $84/mo, separate from standard SignNow subscription plans.

The user object exposes fields including id, email, first_name, last_name, active (boolean), type, companies (array), and subscriptions (array), giving integrations enough surface to build a lightweight identity graph against your directory of record.

Key endpoints for user lifecycle management are POST /user (create), GET /user (returns the authenticated user only

not arbitrary users by ID), PUT /user (updates the authenticated user only), and GET /api/v2/organizations/{organization_id}/users (lists team members, requires admin-level token).

The organization_id is not returned in standard user responses and must be retrieved via a separate org lookup - a non-obvious prerequisite that breaks naive provisioning scripts.

Pagination uses offset-based params (per_page / page) with a default page size of 25 and a maximum of 100.

Webhooks are available via POST /api/v2/events and cover user.create, user.update, document.complete, invite.complete, and related events.

Retry behavior on failed deliveries is not fully specified in public documentation;

receivers must implement idempotent processing.

As a fallback, polling GET /user or the org users endpoint is viable but adds latency to provisioning pipelines.

API quick reference

Has user APIYes
Auth methodOAuth 2.0 (password grant and authorization code grant; Basic Auth used only for token issuance)
Base URLOfficial docs
SCIM availableNo
SCIM plan requiredEnterprise

Authentication

Auth method: OAuth 2.0 (password grant and authorization code grant; Basic Auth used only for token issuance)

Setup steps

  1. Register an application in the SignNow Developer portal to obtain a client_id and client_secret.
  2. Base64-encode 'client_id:client_secret' and pass as 'Authorization: Basic ' header to POST /oauth2/token.
  3. Supply grant_type=password with username and password (or grant_type=authorization_code for code flow) to receive an access_token and refresh_token.
  4. Include 'Authorization: Bearer ' on all subsequent API requests.
  5. Use the refresh_token with grant_type=refresh_token to obtain a new access_token before expiry.

Required scopes

Scope Description Required for
* Full access scope granting read/write to all resources including users, documents, and templates. General user management and document operations

User object / data model

Field Type Description On create On update Notes
id string Unique user identifier system-generated immutable Used as path parameter in user endpoints
email string User's email address (login identifier) required supported Must be unique within the account
first_name string User's first name required supported
last_name string User's last name required supported
password string User's password required supported Write-only; never returned in responses
active boolean Whether the user account is active optional supported
created integer (Unix timestamp) Account creation timestamp system-generated immutable
updated integer (Unix timestamp) Last update timestamp system-generated system-generated
type string User type/role within the organization optional supported e.g., 'pro', 'business'
companies array Organizations the user belongs to optional supported
subscriptions array Active subscription details for the user system-generated read-only
primary_email string Primary email address derived from email supported

Core endpoints

Create User

  • Method: POST
  • URL: https://api.signnow.com/user
  • Watch out for: Requires a valid Bearer token from an account with admin/org privileges to create users under a team.

Request example

POST /user
Authorization: Bearer <token>
Content-Type: application/json
{
  "email": "user@example.com",
  "password": "SecurePass1!",
  "first_name": "Jane",
  "last_name": "Doe"
}

Response example

{
  "id": "abc123def456",
  "email": "user@example.com",
  "first_name": "Jane",
  "last_name": "Doe",
  "created": 1700000000
}

Get Current User

  • Method: GET
  • URL: https://api.signnow.com/user
  • Watch out for: Returns the user associated with the Bearer token, not an arbitrary user by ID.

Request example

GET /user
Authorization: Bearer <token>

Response example

{
  "id": "abc123def456",
  "email": "user@example.com",
  "first_name": "Jane",
  "last_name": "Doe",
  "active": true,
  "created": 1700000000
}

Update User

  • Method: PUT
  • URL: https://api.signnow.com/user
  • Watch out for: Updates the authenticated user only; no endpoint to update an arbitrary user by ID via admin token is documented.

Request example

PUT /user
Authorization: Bearer <token>
Content-Type: application/json
{
  "first_name": "Janet",
  "last_name": "Smith"
}

Response example

{
  "id": "abc123def456",
  "first_name": "Janet",
  "last_name": "Smith",
  "updated": 1700001000
}

Issue OAuth Token (Password Grant)

  • Method: POST
  • URL: https://api.signnow.com/oauth2/token
  • Watch out for: Basic Auth header must use base64-encoded 'client_id:client_secret'. Scope '*' is required for full access.

Request example

POST /oauth2/token
Authorization: Basic <base64(client_id:client_secret)>
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=user@example.com&password=SecurePass1!&scope=*

Response example

{
  "access_token": "eyJ...",
  "token_type": "bearer",
  "expires_in": 3600,
  "refresh_token": "def50200..."
}

Refresh OAuth Token

  • Method: POST
  • URL: https://api.signnow.com/oauth2/token
  • Watch out for: Refresh tokens are single-use; store the new refresh_token returned in each response.

Request example

POST /oauth2/token
Authorization: Basic <base64(client_id:client_secret)>
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=def50200...&scope=*

Response example

{
  "access_token": "eyJ...",
  "token_type": "bearer",
  "expires_in": 3600,
  "refresh_token": "ghi60300..."
}

Get Organization Users (Team Members)

  • Method: GET
  • URL: https://api.signnow.com/api/v2/organizations/{organization_id}/users
  • Watch out for: Requires an admin-level token for the organization. organization_id must be retrieved separately.

Request example

GET /api/v2/organizations/org123/users?per_page=25&page=1
Authorization: Bearer <token>

Response example

{
  "data": [
    {"id": "abc123", "email": "user@example.com", "first_name": "Jane", "last_name": "Doe"}
  ],
  "meta": {"total": 50, "page": 1, "per_page": 25}
}

Send Document Invite (user-facing action)

  • Method: POST
  • URL: https://api.signnow.com/document/{document_id}/invite
  • Watch out for: Not strictly a user-management endpoint but commonly used in user provisioning workflows to onboard signers.

Request example

POST /document/doc456/invite
Authorization: Bearer <token>
Content-Type: application/json
{
  "to": [{"email": "signer@example.com", "role": "Signer", "order": 1}],
  "from": "sender@example.com"
}

Response example

{
  "status": "success"
}

Revoke OAuth Token

  • Method: POST
  • URL: https://api.signnow.com/oauth2/token/{access_token}
  • Watch out for: Uses DELETE method despite the /oauth2/token path. Revoking a token immediately invalidates all API calls using it.

Request example

DELETE /oauth2/token/eyJ...
Authorization: Bearer <token>

Response example

{
  "result": "Token has been revoked"
}

Rate limits, pagination, and events

  • Rate limits: SignNow does not publicly document specific rate limit thresholds or per-plan tiers in its developer docs as of the research date.

  • Rate-limit headers: No

  • Retry-After header: No

  • Rate-limit notes: No explicit rate limit values, headers, or Retry-After behavior documented in official sources. API plans start at $84/mo; higher tiers may have higher limits but specifics are not published.

  • Pagination method: offset

  • Default page size: 25

  • Max page size: 100

  • Pagination pointer: per_page / page

  • Webhooks available: Yes

  • Webhook notes: SignNow supports event subscriptions (webhooks) via the /api/v2/events endpoint. Callbacks are sent as HTTP POST to a configured URL when events occur.

  • Alternative event strategy: Polling the /user or /document endpoints as a fallback if webhook delivery is unreliable.

  • Webhook events: document.create, document.update, document.delete, document.complete, invite.create, invite.update, invite.complete, invite.decline, user.create, user.update

SCIM API status

  • SCIM available: No
  • SCIM version: Not documented
  • Plan required: Enterprise
  • Endpoint: Not documented

Limitations:

  • No native SCIM 2.0 endpoint is documented in official SignNow developer docs.
  • SCIM-based provisioning for Okta and Entra ID may be available via IdP-specific connectors at the Enterprise tier, but no vendor-hosted SCIM base URL is publicly documented.
  • User provisioning via IdP connectors (Okta, Entra) requires Enterprise plan per context data.

Common scenarios

Three integration scenarios are well-supported by the documented API surface.

First, provisioning a new team member: authenticate as org admin via POST /oauth2/token (password grant), create the account via POST /user, retrieve the organization_id via GET /api/v2/organizations, then confirm membership via GET /api/v2/organizations/{organization_id}/users.

Note that POST /user creates a standalone account - associating it with a specific org team may require additional steps not fully documented publicly.

Second, maintaining a long-running integration with token refresh: store the refresh_token at initial auth, POST /oauth2/token with grant_type=refresh_token before or on a 401, and replace both tokens in storage immediately.

Refresh tokens are single-use;

concurrent refresh attempts from two processes will break the token chain and force full re-authentication.

Third, event-driven provisioning via webhooks: register events at POST /api/v2/events with a callback URL, scope to entity_id where needed, and handle retries idempotently since delivery guarantees are not specified.

Provision a new team member via API

  1. Authenticate as org admin: POST /oauth2/token with grant_type=password and admin credentials to get access_token.
  2. Create the user account: POST /user with email, password, first_name, last_name in the request body.
  3. Retrieve the organization_id: GET /api/v2/organizations to find the org the admin manages.
  4. Verify the user appears in the org: GET /api/v2/organizations/{organization_id}/users and confirm the new user is listed.

Watch out for: User creation via POST /user creates a standalone account; associating the user with a specific organization/team may require additional org-membership steps not fully documented in public docs.

Refresh an expiring OAuth token in a long-running integration

  1. Store the refresh_token securely at initial authentication.
  2. Before or upon receiving a 401 response, POST /oauth2/token with grant_type=refresh_token and the stored refresh_token.
  3. Replace both the stored access_token and refresh_token with the values returned in the response.
  4. Retry the original failed request with the new access_token.

Watch out for: Refresh tokens are single-use. If two processes attempt to refresh simultaneously, one will fail and the token chain will break, requiring re-authentication with username/password.

Subscribe to user and document events via webhooks

  1. Authenticate and obtain a Bearer token with admin scope.
  2. Register a webhook: POST /api/v2/events with event name (e.g., 'user.create'), callback URL, and entity_id if scoping to a specific document or user.
  3. Validate incoming webhook payloads at your callback URL by checking the event type and entity_id fields.
  4. Handle retries: if your endpoint returns non-2xx, SignNow will retry delivery; ensure idempotent processing.

Watch out for: Webhook reliability and retry behavior are not fully specified in public docs; implement idempotency keys on your receiver to avoid duplicate processing.

Why building this yourself is a trap

The most consequential caveat in the SignNow API is the absence of a true admin-scoped user-update endpoint: PUT /user modifies only the authenticated user, and no documented endpoint allows an admin token to update an arbitrary user by ID.

This limits automated offboarding - deactivating or modifying a specific user's account programmatically is not straightforwardly supported by the public API surface. SCIM 2.0 is not natively available;

IdP-based provisioning via Okta or Entra ID connectors exists at the Enterprise tier but uses connector-specific flows rather than a standard SCIM base URL, which means integrations built against a generic SCIM client will not work out of the box.

Rate limits are entirely undocumented - no thresholds, no rate-limit headers, no Retry-After behavior - so any production integration must implement exponential backoff on 429 responses defensively.

Finally, the v1/v2 API split is a maintenance risk: some user-management operations are only available on v2, and the two surfaces are not fully consistent in their response schemas.

Automate SignNow workflows without one-off scripts

Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.

Every app coverage, including apps without APIs
60+ app integrations plus browser automation for apps without APIs
IT graph reconciliation across apps and your IdP
Less than a week to launch, maintained as APIs and admin consoles change
SOC 2 Type II. ~2 hours of your team's time
Book a Demo

UpdatedMar 16, 2026

* Details sourced from official product documentation and admin references.

Keep exploring

Related apps

Abnormal Security logo

Abnormal Security

API Only
AutomationAPI only
Last updatedMar 2026

Abnormal Security is an enterprise email security platform focused on detecting and investigating threats such as phishing, account takeover (ATO), and vendor email compromise. It does not support SCIM provisioning, which means every app in your stack

Admin guideAPI guide
ActiveCampaign logo

ActiveCampaign

API Only
AutomationAPI only
Last updatedFeb 2026

ActiveCampaign uses a group-based permission model: every user belongs to exactly one group, and all feature-area access (Contacts, Campaigns, Automations, Deals, Reports, Templates) is configured at the group level, not per individual. The default Adm

Admin guideAPI guide
ADP logo

ADP

API Only
AutomationAPI only
Last updatedFeb 2026

ADP Workforce Now is a mid-market to enterprise HCM platform that serves as the HR source of record for employee data — payroll, benefits, time, and talent. User access is governed by a hybrid permission model: predefined security roles (Security Maste

Admin guideAPI guide