May 26, 2026 · Legal Guide
Are Electronic Signatures Legally Binding? The Cryptographic Proof
Legal frameworks like ESIGN and eIDAS define what makes an electronic signature valid. Under the hood, cryptography ensures it actually holds up in a court of law. Here is the mathematical proof.
Founder, Signbee
TL;DR
Electronic signatures are legally recognized worldwide under the US ESIGN Act, EU eIDAS, and UK ECA. However, legal admissibility is useless without tamper-evident proof. Modern APIs like Signbee use SHA-256 cryptographic hashing and X.509 signing certificates to guarantee document integrity, proving to a court that a document was not modified after signing.
The US Supreme Court and state courts have consistently ruled that electronic records are admissible under the Federal Rules of Evidence (FRE 901/902), provided their authenticity and integrity are verified. (Federal Rules of Evidence).
Key cryptographic statistic
A single character change in a 1,000-page agreement alters the computed SHA-256 hash completely (due to the avalanche effect). This provides absolute, mathematically verifiable proof of document integrity in court.
“A signature may not be denied legal effect or enforceability solely because it is in electronic form. The integrity of the electronic record is paramount in proving its validity.”
— ESIGN Act, 15 U.S.C. § 7001 (2000)
The Law vs. The Technology
Many legal guides treat electronic signatures as a purely regulatory topic. They discuss the US ESIGN Act (2000), the state-level UETA (1999), and the EU's eIDAS Regulation (2014) as though the law itself stops fraud.
The law establishes that electronic signatures are admissible in court. However, the law does not verify whether the document presented in a dispute is the exact same document that was signed. If a contract signer claims, "I signed the agreement, but the interest rate clause was 4% instead of 8% when I signed it," the burden of proof shifts.
Without cryptography, electronic contracts are incredibly easy to alter. An attacker could edit the text in a PDF, update a database record, or swap out contract terms. Cryptographic proof is what makes electronic signatures legally defensible.
The 5 Legal Requirements & Cryptographic Realities
To stand up in court, an electronic signature system must address five specific core legal tenets. The table below details how Signbee maps these legal concepts to cryptographic primitives:
| Legal Requirement | Courtroom Objective | Cryptographic Mechanism |
|---|---|---|
| 1. Intent to Sign | Proving the signer intended to execute this agreement. | Signer interactions (drawn stroke paths, typed inputs) bound to session metadata. |
| 2. Consent | Agreeing to conduct business electronically. | Explicit consent disclosure clickwrap recorded and hashed with the document. |
| 3. Attribution | Linking the signature to a specific identity. | Signer email verification (OTP), IP/OAuth tracing, and X.509 digital certificates. |
| 4. Integrity | Proving zero alterations occurred after signing. | SHA-256 Hashing combined with private key encryption (PKI). |
| 5. Retention | Preserving a readable, portable copy for all parties. | Self-contained PDFs containing the audit log and cryptographic envelope. |
Let's explore how these cryptographic principles function in practice.
1. SHA-256 Hashing: Tamper-Evidence
When a document is finalized or signed via the Signbee API, the document's exact contents (every byte of text, layouts, images, and signer inputs) are put through a SHA-256 (Secure Hash Algorithm) function. This returns a 256-bit hexadecimal string that serves as the document's unique digital fingerprint.
Because hashing is one-way and deterministic, it is mathematically impossible to find another document that produces the same hash. If a single comma is added, or a number in a financial terms clause is changed, the recalculated hash will not match.
import { createHash } from "crypto";
/**
* Computes the SHA-256 hash of a PDF document to verify its integrity.
* @param pdfBuffer The raw binary contents of the signed PDF.
* @param expectedHash The SHA-256 hash recorded in the Signbee audit trail.
*/
function verifyDocumentHash(pdfBuffer: Buffer, expectedHash: string): boolean {
const hash = createHash("sha256").update(pdfBuffer).digest("hex");
if (hash === expectedHash) {
console.log("Document is authentic. Integrity verified.");
return true;
} else {
console.error("ALERT: Document has been tampered with! Hashes do not match.");
console.log(`Computed: ${hash}`);
console.log(`Expected: ${expectedHash}`);
return false;
}
}2. Asymmetric Cryptography & X.509 Certificates
Hashing only proves that a document hasn't changed. To link that document to a signer, we use asymmetric cryptography.
Signbee generates a PKI (Public Key Infrastructure) digital envelope. The document hash is encrypted using a private key held securely in our Hardware Security Module (HSM). This encrypted hash, along with our public key (contained in an X.509 digital certificate), is embedded directly into the signed PDF file.
When a court or software application (like Adobe Acrobat) opens the PDF, it uses the public key to decrypt the signature and obtain the original hash. It then recalculates the document's hash and compares them. If they match, it verifies two things:
- The document has not been altered since the signature was applied.
- The signature was applied by Signbee on behalf of the verified signers.
Mapping Cryptography to eIDAS Signature Tiers
The European Union's eIDAS regulation sets the global standard for tiered electronic signatures. It defines three distinct levels, each requiring progressively stricter cryptographic backing:
| Signature Level | Identity Proofing | Cryptographic Keys |
|---|---|---|
| SES (Simple) | Email verification, SMS OTP, IP trace | Platform-wide certificate (Signbee) |
| AES (Advanced) | Photo ID verification or secure SSO | Unique key linked to signer identity |
| QES (Qualified) | Face-to-face or video verification | Signer-specific key in secure hardware (QSCD) |
For more detail on implementing advanced signature types, see our guide on AES vs QES vs SES tiers.
Integrating Crypto-Enforced Contracts with Signbee
Developers can automate legally binding contracts and immediately retrieve the SHA-256 hash representing the signed artifact. Below is an example of sending a document and capturing its cryptographic properties via the Signbee API:
import fetch from "node-fetch";
interface SignbeeDocumentResponse {
id: string;
status: string;
sha256: string; // The cryptographic hash of the document structure
download_url: string;
}
async function createSecureContract() {
const response = await fetch("https://api.signb.ee/v1/documents", {
method: "POST",
headers: {
"Content-Type": "application/json",
"Authorization": "Bearer sb_live_key_...",
},
body: JSON.stringify({
title: "Mutual NDA (2026)",
markdown: "# Mutual Non-Disclosure Agreement\n\nThis agreement is made between...",
signers: [
{
email: "legal@partnercorp.com",
name: "Sarah Jenkins",
role: "signer"
}
],
require_consent: true, // Captures explicit electronic transaction consent
verification_method: "email_otp" // Two-factor identity attribution
})
});
const document = (await response.json()) as SignbeeDocumentResponse;
console.log(`Document created successfully with ID: ${document.id}`);
console.log(`SHA-256 Hash Generated: ${document.sha256}`);
// Save the hash to your database to match against the signed PDF in the future
return document;
}Why Cryptographic Signatures Beat Paper
In a legal dispute, paper signatures are surprisingly weak evidence. A signature written in blue ink on paper can be photocopied, traced, or cut and pasted onto another sheet. It is difficult to prove when the ink was applied, or whether the middle pages of a contract were swapped out before it was filed.
A cryptographically signed electronic document, however, leaves a digital trail that is virtually impossible to challenge when constructed correctly. If a dispute arises:
- The hash verifies contents: Running a SHA-256 calculation proves the document presented is identical to the one signed.
- The audit trail verifies context: Independent timestamps show exactly when consent was given.
- Identity is attributed: Multi-factor verification (email OTP + IP tracing) proves who accessed the session.
Frequently Asked Questions
Are electronic signatures legally binding under ESIGN and eIDAS?
Yes. Electronic signatures are legally binding in most countries worldwide, including the US (under the ESIGN Act and state UETA laws), the EU (under eIDAS), and the UK (under the Electronic Communications Act 2000). These frameworks establish that a contract cannot be invalidated solely because it is in electronic format.
How does cryptography make electronic signatures tamper-evident?
A cryptographic hash function (specifically SHA-256) calculates a unique fingerprint of the contract's data. When signed, this hash is encrypted using a private key. If the document is modified by even one character, the resulting hash changes completely, breaking the cryptographic match and signaling that the document has been altered.
What is the difference between an electronic signature and a digital signature?
An "electronic signature" is a legal term describing a signer's intent to sign a document (like a typed name or a drawing). A "digital signature" is the technological implementation that uses cryptography (hashing and asymmetric keys) to secure the document and prove the signer's identity. All digital signatures are electronic signatures, but not all electronic signatures are secure digital signatures.
Build cryptographically secure e-signatures — 5 free docs/month, 100 req/min.
Last updated: May 29, 2026 · Michael Beckett is the founder of Signbee and B2bee Ltd.