Product Updates, June 2026: Draft Cleanup, Session Security, and Domain Management

Three changes shipped this month that share a common thread: more operational control over the requests, sessions, and domains your integration manages. None of them is large enough for its own post, but together they cover the kind of housekeeping that matters once you have real volume running through the API. Here's what landed.

Delete unsent signing requests via the API

You can now delete draft signing requests programmatically with DELETE /signing-requests/{id}. This applies only to requests that haven't been sent yet. Once a request is sent, it stays on the cancel path instead, which keeps the audit trail intact for anything a signer may have already seen.

A successful call returns a 200 with the signing_request_id and a deleted_on timestamp. If you try to delete a request that's already been sent, you get a 409 rather than a silent failure, so your code can branch cleanly between delete and cancel. A missing or unknown ID returns 404.

There's also a new signing_request.deleted webhook event that fires whenever a request is deleted through the API. If you mirror signing state into your own database, you can subscribe to it and keep your records in sync without polling.

The obvious use case is cleanup. If your integration creates drafts as part of a build-then-review flow, or generates requests speculatively and discards the ones that don't get used, you no longer have to leave abandoned drafts sitting around. You can tear them down as part of the same flow that created them.

This shipped in API v1.22.0.

Stronger signer session expiration on OTP-protected requests

For requests that have OTP verification enabled, signer sessions now expire on a firm schedule. A session ends after a rolling 4-hour idle window, or 12 hours after the last verification as a hard cap, whichever comes first. When a session expires, the signer re-verifies with a fresh 6-digit code. That code is valid for 10 minutes, allows 5 attempts, and has a 60-second resend cooldown.

This only affects requests where require_otp_verification is on. If you don't use OTP verification, nothing changes for you. For the requests that do use it, no sender action is needed and existing signing links keep working. The new expiration behavior just applies on top.

The reason this matters is shared and public devices. If a signer opens a sensitive document on a machine that isn't theirs and walks away, a session that never expires is a liability. A firm idle window plus a hard cap limits how long that window stays open. If you're handling agreements that carry real confidentiality expectations, this tightens your posture and helps you comply with the access-control expectations that frameworks like HIPAA and SOC 2 care about.

Details are in the May 29 platform updates entry, with the underlying OTP setting documented from API v1.09.00.

Delete a primary or only email sending domain

Deleting a custom email sending domain used to be blocked when it was your primary or only domain. That restriction is gone. DELETE on the company or workspace domain endpoints now works regardless of whether the domain is primary.

After you delete it, outbound email falls back to the company default sender, and then to the platform default if no company sender is set. To move to a new custom domain cleanly, you add the new one, verify it, and set it as primary. You're no longer stuck keeping a stale domain around just because the API wouldn't let you remove the last one.

This is a small change, but it removes a real friction point for anyone migrating domains. Domain migration shouldnt require a support ticket, and now it doesn't.

This shipped in API v1.22.1.

Get started

All three changes are live in the API now. Full request and response details are in the API changelog.

Get started with Firma.dev for free, no credit card required. Pay-as-you-go at $0.029 per envelope (2.9¢ USD), no monthly minimums, no contracts.