

Email Access Isn't Identity. OTP Closes the Gap.
A signing link sent to an email is reasonably secure. But it's not an identity check. Forwarded links, shared inboxes, and compromised email accounts are all real scenarios where the wrong person ends up accessing a sensitive document.
Signer Email OTP closes that gap: before a signer can view or sign, they must enter a 6-digit code sent to their email address. The document doesn't load until they prove they have access to the inbox it was sent to.
How It Works for Signers

The Signer Experience
The experience is designed to be fast and unambiguous. When OTP is enabled, a signer who opens their signing link sees a verification screen instead of the document. Their email address is masked for privacy (shown as j**e@example.com), and a code is sent to that address. The code is 6 digits, valid for 10 minutes, and auto-submits the moment the last digit is entered. If they need another code, a resend button activates after a 60-second cooldown.
Security Details
The security details are worth noting: codes are cryptographically random, a maximum of 5 attempts is allowed per code before it's invalidated, and once verified, a 4-hour session token means the signer doesn't re-verify if they return to the same document on the same device within that window.
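The limits described above (6-digit random code, 10-minute validity, 5 attempts per code, 60-second resend cooldown, 4-hour session) can be enforced server-side as in this added example, which is not the product's own code. The class and method names are hypothetical, storing only a digest of the code is a choice made for this example, and device binding of the session is left out.

```python
import hashlib
import hmac
import secrets
from typing import Optional

CODE_TTL = 600          # code valid for 10 minutes
MAX_ATTEMPTS = 5        # per code, then it is invalidated
RESEND_COOLDOWN = 60    # seconds before another code may be sent
SESSION_TTL = 4 * 3600  # verified session lasts 4 hours


def _digest(code: str) -> bytes:
    # Keep a digest rather than the plaintext code (choice made for this example).
    return hashlib.sha256(code.encode()).digest()


class OtpChallenge:
    """Hypothetical server-side state for one signer and one document."""

    def __init__(self):
        self.code_hash = None
        self.issued_at = None
        self.attempts = 0
        self.session_expires = 0.0

    def issue(self, now: float) -> Optional[str]:
        """Return a fresh code to e-mail, or None while the cooldown runs."""
        if self.issued_at is not None and now - self.issued_at < RESEND_COOLDOWN:
            return None
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG; keeps leading zeros
        self.code_hash, self.issued_at, self.attempts = _digest(code), now, 0
        return code

    def verify(self, submitted: str, now: float) -> bool:
        """Check a submitted code against expiry, attempt limit and value."""
        if self.code_hash is None or now - self.issued_at > CODE_TTL:
            self.code_hash = None  # expired, burned, or nothing outstanding
            return False
        self.attempts += 1
        ok = hmac.compare_digest(_digest(submitted), self.code_hash)
        if ok or self.attempts >= MAX_ATTEMPTS:
            self.code_hash = None  # single use; invalidated after 5 tries
        if ok:
            self.session_expires = now + SESSION_TTL
        return ok

    def has_session(self, now: float) -> bool:
        return now < self.session_expires
```

The attempt counter is incremented before the comparison, so the fifth wrong guess invalidates the code and even the correct value is rejected afterwards until a new code is issued.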

The Cascading Configuration Model
The most important concept for developers is how require_otp_verification behaves across configuration levels. It's a tri-state field: true, false, or null. Null means inherit from the level above.
The override chain runs in this order, from highest to lowest priority:
1. Signing request: overrides everything below it
2. Workspace settings: overrides company default
3. Company settings: the baseline default for all workspaces
This gives you precise control. Enable OTP at the workspace level and every signing request in that workspace requires verification by default. Override it to false on specific low-sensitivity requests where the friction isn't worth it. Or set it to true at the company level and selectively disable it per workspace for contexts where it doesn't apply.
Setting OTP at the Workspace Level
Every signing request in this workspace now requires OTP by default, unless overridden at the signing request level.
Overriding Per Signing Request
This specific request skips OTP regardless of the workspace setting. Useful for internal documents or low-risk workflows that don't need the extra step.
Where It Was Exposed
Level | Field | Behavior
Company | require_otp_verification | Sets the default for all workspaces
Workspace Settings | require_otp_verification | Overrides company default; null inherits from company
Signing Request Settings | require_otp_verification | Highest priority override; null inherits from workspace
Use Cases
Healthcare consent forms
Patient identity matters before a medical consent document loads. For workflows designed to support HIPAA requirements, OTP verification adds a meaningful layer of access control without requiring a full KYC integration. Relevant for platforms built for FDA 21 CFR Part 11 compliance as well.
Financial agreements
Investment mandates, loan applications, and advisory agreements involve sensitive information. Requiring verified inbox access before the document loads reduces the risk of unauthorized access and provides an additional record of signer verification.
HR onboarding in regulated sectors
Employment contracts and compliance acknowledgments in healthcare, financial services, and government contracting benefit from verified signer identity, particularly for remote onboarding where the employer can't confirm identity in person.
OTP verification shipped in v1.9.0 as an additive, non-breaking change. If you're already integrated, it's available to enable today without any changes to your existing signing request logic.


