What is the difference between a digital signature and an electronic signature?

A digital signature is a specific type of electronic signature that uses public key infrastructure (PKI) — a cryptographic certificate issued by a Certificate Authority that mathematically proves the signer's identity and that the document hasn't been altered. An electronic signature is any electronic indication of intent to agree, including clicking a button, typing a name, or drawing a signature on a touchscreen. Digital signatures are a subset of electronic signatures. Most e-signature APIs, including DocuSign and Signbee, provide electronic signatures by default.

Are electronic signatures legally binding without PKI?

Yes. Under the US ESIGN Act (2000), EU eIDAS Regulation, and the UK Electronic Communications Act (2000), electronic signatures are legally equivalent to handwritten signatures for most documents. PKI-based digital signatures (Qualified Electronic Signatures under eIDAS) are only required for specific regulated transactions in the EU, such as certain government filings. For NDAs, employment contracts, SaaS agreements, and most commercial documents, a simple electronic signature is fully enforceable.

When do I need a digital signature instead of an electronic signature?

You need a PKI-based digital signature (or Qualified Electronic Signature) primarily in EU regulated contexts: certain government procurement contracts, notarized documents, real estate transfers in some jurisdictions, and specific financial regulatory filings. In the US, Canada, Australia, and the UK, simple electronic signatures are accepted for virtually all commercial and employment documents. If you're building a SaaS product that serves general business contracts, electronic signatures are sufficient.

Does Signbee provide digital signatures or electronic signatures?

Signbee provides electronic signatures with a cryptographic audit trail. Every signed document includes a SHA-256 hash, timestamped signature event, signer IP address, and user agent — providing tamper evidence and non-repudiation without requiring PKI certificates. This is legally sufficient under ESIGN, UETA, eIDAS (Simple/Advanced level), and the UK ECA for the vast majority of commercial documents.

May 9, 2026 · Developer Guide

Digital Signature vs Electronic Signature: What Developers Actually Need to Know

One uses PKI certificates and cryptographic proofs. The other captures intent with a click. Most developers conflate the two — and end up over-engineering their signing integration. Here's what actually matters.

Michael Beckett

Founder, Signbee

TL;DR

Digital signatures use PKI (public key infrastructure) — cryptographic certificates that prove identity and detect tampering. Electronic signatures capture intent — a click, a typed name, a drawn squiggle. Legally, electronic signatures are binding for 99% of commercial documents under ESIGN, eIDAS, and UK ECA. You only need PKI for specific EU regulated filings. Most e-signature APIs (DocuSign, Signbee, HelloSign) provide electronic signatures by default.

The confusion is understandable

If you search "digital signature API" on Google, every result is about electronic signature APIs. DocuSign calls itself a "digital signature" platform in its meta tags but delivers electronic signatures. HelloSign markets "digital signatures" but uses the same intent-capture model. The terms have become interchangeable in marketing — but they mean fundamentally different things in cryptography and law.

As a developer integrating signing into your application, this distinction matters. Not because you need to implement PKI — you almost certainly don't — but because your stakeholders, legal team, or compliance officers might ask questions that require precise answers.

Electronic signatures: how they work

An electronic signature is any electronic process that indicates agreement. Under the US ESIGN Act, it's defined as "an electronic sound, symbol, or process, attached to or logically associated with a contract." In practice, this means:

Clicking an "I Agree" button✓ Electronic signature

Typing your name in a form field✓ Electronic signature

Drawing on a touchscreen✓ Electronic signature

Uploading a scanned signature image✓ Electronic signature

Email-based confirmation link✓ Electronic signature

The key element is intent. The signer must intend to sign, and the system must capture evidence of that intent. Most e-signature platforms do this by recording the signer's IP address, timestamp, user agent, and the exact document content at the time of signing.

Digital signatures: how they work

A digital signature is a specific type of electronic signature that uses public key infrastructure (PKI). The process involves three components:

1. Certificate Authority (CA)Issues identity certificates

2. Private keySigns the document hash

3. Public keyAllows anyone to verify the signature

When you digitally sign a document, your signing software computes a SHA-256 hash of the document content, encrypts that hash with your private key, and embeds the encrypted hash plus your certificate into the PDF. Anyone can verify the signature by decrypting the hash with your public key and comparing it to their own hash of the document. If the hashes match, the document hasn't been altered since signing.

For a deeper look at how SHA-256 certificate-based signing works under the hood, see our SHA-256 signing explainer.

The comparison that matters

Factor	Electronic signature	Digital signature (PKI)
How it works	Captures intent (click, type, draw)	Cryptographic certificate + hash
Identity verification	Email + IP + timestamp	Certificate Authority-issued cert
Tamper detection	Audit trail hash	Embedded document hash
Legal status (US)	Fully binding (ESIGN/UETA)	Fully binding
Legal status (EU)	Binding (SES/AES level)	Highest weight (QES level)
Setup complexity	API key + one endpoint	CA enrollment + cert management
Cost per signature	$0.50 - $2.50	$50 - $500/year per cert

What e-signature APIs actually provide

Every major e-signature API — DocuSign, HelloSign, PandaDoc, Signbee — provides electronic signatures, not PKI-based digital signatures. When DocuSign says "digital signature," they mean their click-to-sign flow with an audit trail. When you see "digital signature API" in search results, every result is an electronic signature API.

DocuSign does offer a separate "Digital Signatures" product that uses PKI, but it's an add-on for enterprise plans, requires certificate provisioning, and is used by fewer than 5% of their customers (according to their own documentation).

Signbee's approach: electronic signature with cryptographic audit trail

Signbee provides electronic signatures with a comprehensive audit trail that gives you tamper evidence without the complexity of PKI certificate management. Every signed document records:

Signbee audit trail — included with every signed document

{
  "audit_trail": {
    "document_hash": "sha256:a1b2c3d4e5f6...",
    "events": [
      {
        "event": "document.sent",
        "timestamp": "2026-05-09T10:00:00Z",
        "actor": "sender@company.com"
      },
      {
        "event": "document.viewed",
        "timestamp": "2026-05-09T10:05:00Z",
        "ip": "203.0.113.42",
        "user_agent": "Mozilla/5.0..."
      },
      {
        "event": "document.signed",
        "timestamp": "2026-05-09T10:07:30Z",
        "ip": "203.0.113.42",
        "user_agent": "Mozilla/5.0...",
        "signature_hash": "sha256:f6e5d4c3b2a1..."
      }
    ]
  }
}

This audit trail is legally sufficient for all documents covered by ESIGN, UETA, eIDAS (SES and AES levels), and the UK Electronic Communications Act. The SHA-256 hash provides tamper detection — if anyone modifies the PDF after signing, the hash won't match.

Sending a document for electronic signature

Here's what the actual API call looks like. One endpoint, one request, one response. The entire signing flow — document generation, email delivery, signature capture, audit trail, and PDF storage — happens on Signbee's side:

Signbee API — send document for electronic signature

const response = await fetch("https://signb.ee/api/v1/send", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    "Authorization": "Bearer YOUR_API_KEY",
  },
  body: JSON.stringify({
    markdown: "# Service Agreement\n\n**Provider:** Acme Corp\n**Client:** Jane Smith\n\nTerms and conditions here...",
    recipient_name: "Jane Smith",
    recipient_email: "jane@example.com",
  }),
});

const { document_id, signing_url } = await response.json();
// document_id: "doc_abc123"
// signing_url: "https://signb.ee/sign/doc_abc123"

No certificate provisioning. No CA enrollment. No key management. The electronic signature is captured when the recipient clicks the signing link, and the audit trail is generated automatically. For a complete walkthrough, see the API documentation.

When you actually need PKI

In my experience building Signbee, fewer than 1% of developers asking about "digital signatures" actually need PKI. Here are the specific cases where you do:

EU government procurementQES required by some member states

EU notarized documentsQES required

Real estate (some EU jurisdictions)AES or QES required

Pharmaceutical submissions21 CFR Part 11 (FDA)

If your use case involves NDAs, employment contracts, SaaS terms, consulting agreements, freelance contracts, or any standard commercial document — electronic signatures are legally sufficient and dramatically simpler to implement. For a comprehensive guide to e-signature legality across jurisdictions, see our ESIGN, eIDAS, and ECA compliance guide.

The eIDAS three-tier model

The EU's eIDAS regulation defines three levels of electronic signature. Understanding these helps you answer the "is it legally binding?" question from your compliance team:

Level	What it means	Example
SES (Simple)	Any electronic indication of intent	Click "I Agree", type name
AES (Advanced)	Uniquely linked to signer + tamper-evident	Signbee, DocuSign (with audit trail)
QES (Qualified)	AES + qualified certificate from TSP	PKI cert from EU Trust Service Provider

Signbee operates at the AES (Advanced Electronic Signature) level — the signer is uniquely identified via email, the signature is linked to the document via SHA-256 hash, and any alteration after signing is detectable. This satisfies the requirements for the vast majority of commercial and employment documents across all EU member states. For a deeper exploration of AES and QES requirements, read our AES/QES technical guide.

Frequently Asked Questions

What's the difference between digital and electronic signatures?

Digital signatures use PKI — a cryptographic certificate from a Certificate Authority that mathematically proves identity and document integrity. Electronic signatures capture intent through any electronic means (click, type, draw). Digital signatures are a subset of electronic signatures. Most e-signature APIs provide electronic signatures.

Are electronic signatures legally binding?

Yes. Under the US ESIGN Act, EU eIDAS, and UK ECA, electronic signatures are legally equivalent to handwritten signatures for most documents. You only need PKI-based digital signatures for specific regulated filings in the EU. See our legal binding guide.

Does Signbee provide digital or electronic signatures?

Electronic signatures with a cryptographic audit trail (SHA-256 hash, IP address, timestamp, user agent). This satisfies AES-level requirements under eIDAS and is fully binding under ESIGN, UETA, and UK ECA.

When do I need PKI-based digital signatures?

Only for specific EU regulated contexts: some government procurement, notarized documents, and certain real estate transactions. For NDAs, employment contracts, SaaS agreements, and standard commercial documents, electronic signatures are sufficient.

Electronic signatures with cryptographic audit trails — 5 free docs/month, $0.50 after.

Read the API docs Security deep dive

Last updated: May 9, 2026 · Michael Beckett is the founder of Signbee and B2bee Ltd.