How does SHA-256 protect a signed document?

SHA-256 generates a unique 256-bit hash of the document's content at the moment of signing. This hash acts as a digital fingerprint — if even a single character of the document is changed after signing, the hash will be completely different. During verification, you re-hash the document and compare it to the stored hash. If they match, the document is provably unchanged. SHA-256 is a one-way function, meaning you cannot reverse-engineer the document from the hash, and finding two documents with the same hash (a collision) is computationally infeasible with current technology.

What information is included in a Signbee certificate of completion?

Signbee's certificate of completion includes: document ID, document title, SHA-256 hash of the original document, SHA-256 hash of the signed document, signer's full name, signer's email, signer's IP address, signer's user agent string, timestamp of document creation (ISO 8601), timestamp of document viewing, timestamp of signature, and a unique certificate ID. This certificate is appended as the final page of the signed PDF and is also available via the API.

Would an e-signature audit trail hold up in court?

Yes, in most jurisdictions. The ESIGN Act (US), eIDAS Regulation (EU), and Electronic Communications Act 2000 (UK) all recognise electronic signatures as legally equivalent to handwritten signatures when accompanied by proper audit trails. The key requirements are: intent to sign (the signer took a deliberate action), consent to do business electronically, attribution (the audit trail links the signature to a specific person), and record retention (the signed document and audit trail are preserved). SHA-256 hash verification provides non-repudiation — the signer cannot claim the document was altered after signing.

May 20, 2026 · Technical Deep Dive

What's Inside an E-Signature Audit Trail?

A signed PDF is worthless without proof of who signed it, when, and that nothing changed afterwards. Here's exactly what's inside Signbee's SHA-256 certificate of completion — and how to verify it programmatically.

Michael Beckett

Founder, Signbee

TL;DR

An audit trail is the legal backbone of every e-signature. It captures the SHA-256 hash of the document at signing time, the signer's IP address, browser fingerprint, and timestamps — creating a tamper-proof chain of evidence. If the document is altered by even one character, the hash won't match. Here's how it works under the hood and how to verify it in code.

Why the audit trail matters more than the signature

Most developers focus on the signature itself — the drawn squiggle, the typed name, the checkbox. But in a legal dispute, the signature is the least important part. What matters is the evidence trail proving three things:

1. AttributionWho signed? Linked to a specific email, IP address, and browser session.

2. IntentDid they mean to sign? Evidence of a deliberate action (clicking "Sign", drawing a signature).

3. IntegrityWas the document altered after signing? SHA-256 hash comparison proves it wasn't.

The ESIGN Act, eIDAS, and ECA 2000 all require these elements for an electronic signature to be legally valid. Without a proper audit trail, your signed document is just a PDF with a picture on it.

What Signbee captures during the signing process

Every document sent through the Signbee API generates a timeline of events with cryptographic proof at each step:

Event	Data captured	Purpose
Document created	Timestamp, sender IP, document hash	Baseline integrity
Email delivered	Timestamp, recipient email, delivery status	Proof of delivery
Document viewed	Timestamp, signer IP, user agent	Proof of access
Signature applied	Timestamp, signer IP, user agent, signature image	Proof of intent
Document completed	Final document hash, certificate generated	Tamper-proof seal

How SHA-256 hashing works (non-cryptographer version)

SHA-256 takes any input — a 1-page NDA or a 500-page merger agreement — and produces a fixed 64-character hexadecimal string. This hash is a one-way function: you can always compute the hash from the document, but you can never reconstruct the document from the hash.

The critical property: even a single changed character produces a completely different hash. Not a slightly different hash. A completely different one.

SHA-256 in action — demonstrating tamper detection

import { createHash } from "crypto";

// Original document content
const original = "# NDA\nThis agreement is between Party A and Party B.";
const originalHash = createHash("sha256").update(original).digest("hex");
console.log(originalHash);
// → "a3f2b8c1d4e5f67890abcdef1234567890abcdef1234567890abcdef12345678"

// Tampered document — one character changed ("A" → "C")
const tampered = "# NDA\nThis agreement is between Party C and Party B.";
const tamperedHash = createHash("sha256").update(tampered).digest("hex");
console.log(tamperedHash);
// → "7e9f1a2b3c4d5e6f7890abcdef1234567890abcdef1234567890abcdef123456"

// Completely different hash — tamper detected
console.log(originalHash === tamperedHash); // → false

When a document is signed through Signbee, we compute the SHA-256 hash of the document at the exact moment the signature is applied. This hash is stored in our database, embedded in the certificate of completion, and included in the webhook event payload. If you ever need to prove the document hasn't been tampered with, you re-hash it and compare.

The certificate of completion

After a document is signed, Signbee generates a certificate of completion — a separate page appended to the end of the signed PDF. This certificate contains the full audit trail in human-readable format:

Document IDdoc_a1b2c3d4e5f6

Document titleNon-Disclosure Agreement

Document hash (pre-sign)a3f2b8c1d4e5...5678

Document hash (post-sign)9c8d7e6f5a4b...1234

Signer nameJane Smith

Signer emailjane@example.com

Signer IP203.0.113.42

Signed at2026-05-20T14:32:18Z

Certificate IDcert_x9y8z7w6

Verifying document integrity via the API

You don't need to manually compute hashes. The Signbee API returns the audit trail data for any completed document:

Fetching the audit trail via API

const response = await fetch("https://signb.ee/api/v1/send", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    "Authorization": "Bearer sb_live_your_api_key",
  },
  body: JSON.stringify({
    markdown: "# Non-Disclosure Agreement\n\nBetween Party A and Party B...",
    recipient_name: "Jane Smith",
    recipient_email: "jane@example.com",
  }),
});

const { document_id, signing_url } = await response.json();

// Later, after signing — check status and get audit trail
const doc = await fetch(
  `https://signb.ee/api/v1/documents/${document_id}`,
  { headers: { "Authorization": "Bearer sb_live_your_api_key" } }
);

const {
  status,         // "completed"
  document_hash,  // SHA-256 of original document
  signed_hash,    // SHA-256 of signed document
  signed_at,      // ISO 8601 timestamp
  signer_ip,      // IP address at time of signing
  certificate_id, // Unique certificate reference
} = await doc.json();

How this compares to DocuSign's audit trail

DocuSign provides a "Certificate of Completion" with similar information — timestamps, IP addresses, and signer details. However, there are key differences in how developers interact with it:

Feature	DocuSign	Signbee
Hash algorithm	Not publicly documented	SHA-256 (explicit)
Hash in API response	Requires separate call	Included in document status
Certificate format	Appended PDF page	Appended PDF page
Webhook with hash	Via DocuSign Connect	Standard webhook payload
Independent verification	Download + re-hash manually	Compare hashes via API

Real-world scenario: disputing a signed contract

Here's a concrete example. A freelancer sends a retainer agreement to a client through the Signbee API. Three months later, the client claims "the agreement said $3,000/month, not $5,000/month."

The freelancer retrieves the signed document and the certificate of completion. The SHA-256 hash on the certificate matches the hash of the document in their records. The hash proves the document has not been altered since the moment the client signed it. The audit trail shows the client's IP address, the timestamp, and the browser they used.

This is non-repudiation in practice. The client cannot credibly claim they signed a different document, because any alteration — even changing "$5,000" to "$3,000" — would produce a completely different SHA-256 hash.

Building your own verification layer

For regulated industries (healthcare/HIPAA, fintech, real estate), you may want to store document hashes independently in your own database as a secondary verification source. This is straightforward with Signbee's webhook events — listen for the document.completed event, extract the hash, and store it alongside your internal records.

For more on how Signbee's signing certificates work at a low level, see our technical guide on how SHA-256 signing certificates work.

Frequently Asked Questions

What is an e-signature audit trail?

A tamper-proof record of every event in the signing process — creation, delivery, viewing, and signing — with timestamps, IP addresses, and SHA-256 document hashes. It's the legal evidence that makes the signature enforceable.

How does SHA-256 protect signed documents?

SHA-256 creates a unique 64-character fingerprint of the document at signing time. Any change to the document — even one character — produces a completely different hash. Comparing hashes proves the document hasn't been tampered with.

Would this hold up in court?

Yes. The ESIGN Act (US), eIDAS (EU), and ECA 2000 (UK) all recognise electronic signatures with proper audit trails. SHA-256 hash verification provides non-repudiation — the signer cannot credibly claim the document was altered. See our legal compliance guide.

Every document gets a SHA-256 certificate — 5 free docs/month.

Read the API docs Security deep-dive

Last updated: May 20, 2026 · Michael Beckett is the founder of Signbee and B2bee Ltd.