Client Credentials E-Sign OAuth
---
title: Client Credentials E-Sign OAuth
description: Integrate Client Credentials E-Sign OAuth through Atlas REST or MCP: PDF or DOCX upload, party binding, and signed PDF delivery.
date: 2026-06-05
updated: 2026-06-05
---
"client credentials esign oauth" sits at the intersection of product shipping and compliance. Atlas keeps the surface small: create, review, send, webhook, download.
One POST to create, one review click, one webhook when signed.
This guide walks through client credentials e-sign oauth on the Atlas REST API. PDF and DOCX are supported on every upload path.
OAuth for MCP clients
Atlas exposes OAuth 2.0 with PKCE and Dynamic Client Registration (RFC 7591) for MCP connectors in Claude Desktop and ChatGPT.
Discovery:
https://atlaswork.ai/.well-known/oauth-authorization-server
https://atlaswork.ai/.well-known/mcp
REST integrations typically use API keys (Authorization: Bearer). OAuth is the path when a hosted agent needs user consent without you embedding a long-lived key in the client binary.
Password login remains available for dashboard users. SAML SSO is additive for orgs that enable it.
Connect walkthrough: /mcp/connect.
Implementation checklist
- Create envelope with idempotency key.
- Poll until fields_status is not pending.
- Open review_url or send programmatically.
- Verify webhooks with HMAC.
- Store envelope_id in your database.
FAQ
Does Atlas support PDF and DOCX? Yes on every create path. DOCX converts to PDF at ingest.
How do I authenticate? Authorization: Bearer with an API key from dashboard settings. OAuth is for MCP connectors.
What does send cost? One credit per envelope dispatched. Five free credits on signup.
Can I skip review? REST supports auto_send: true on create or template send after legal approval. Default is review-first.
Where is the full API reference? /dev and /docs/guides/e-signature-api.
Next steps
Open /dev for OpenAPI detail. Sign up when you are ready to send.
Testing
Run one loop in staging: create with a two-page PDF, open review, send to a mailbox you control, sign on mobile, confirm webhook delivery. Use is_test: true in metadata when you want internal accounts skipped from Slack alerts.
Security
Store API keys server-side. Rotate keys from dashboard settings if leaked. Verify webhook signatures before updating production database rows.
Observability
Log envelope_id, fields_status, and webhook event types. When send fails, read metadata.send_error on the envelope row via GET /api/envelope/{id}.
Additional context for client credentials e-sign oauth
Atlas charges per send, not per seat. Detection and drafts are free. Multi-party envelopes sign sequentially. Each party receives a tokenized sign URL. Platform mode scopes child tenants with Atlas-Account. OpenAPI lives at /openapi.json. Agents can use MCP at /mcp while your backend uses REST for production traffic.
Send after review
When fields_status is ready, open review_url in a browser or call send from your backend:
curl -X POST https://atlaswork.ai/api/envelope/{id}/send \
-H "Authorization: Bearer $ATLAS_API_KEY" \
-H "Content-Type: application/json" \
-H "Idempotency-Key: send-{id}-001" \
-d '{
"parties": [{"email": "signer@example.com", "name": "Jane Signer", "role": "Customer"}],
"fields_version": 1
}'
Send consumes one credit. Drafts are free. Match fields_version from GET /api/envelope/{id} or receive 409 on conflict.
Poll status
Lightweight progress:
curl https://atlaswork.ai/api/envelope/{id}/status \
-H "Authorization: Bearer $ATLAS_API_KEY"
Returns status, signed_count, total, and next_signer_email. Prefer webhooks in production.
Sequential signing
Multi-party envelopes sign in order. Each sign_url includes ?t=<token>. Fields filter server-side per party. See Sequential signing.
Field detection
Upload triggers async detection on PDF or DOCX. Poll until fields_status is not pending. Fall back to manual placement when the status is recovered_empty. Guide: Field detection.
Templates
Repeat sends use POST /api/templates/{id}/send. Do not pass template_id to envelope create (returns 400).
Platform mode
Multi-tenant SaaS can provision POST /api/platform/connected-accounts and scope with Atlas-Account: ext_<id>. See /platforms.
Credits and billing
Five free credits on signup. One credit per send. 402 when exhausted. Purchase more in dashboard billing. No seat minimums.
MCP parity
Agents use MCP at /mcp. Production backends typically use REST. Both share envelope rows.
Security checklist
Store API keys server-side only. Verify webhook HMAC before updating database rows. Rotate keys from dashboard settings if leaked.
Troubleshooting
A 409 on send while fields_status is pending means detection is still running. A 409 on version mismatch means you need to refresh fields_version. Log envelope_id on every create for support traces.
Webhook events
Set webhook_url at create. Atlas POSTs JSON with X-Atlas-Signature: sha256=.... Verify HMAC with your API key.
| Event | When |
|---|---|
| envelope.sent | Email dispatched to first signer |
| envelope.signed | All parties finished |
| envelope.declined | A signer declined |
| envelope.voided | Sender voided pending envelope |
| contract.extracted | Post-sign structured extract ready |
See platform webhooks.
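A receiver-side sketch of the HMAC check described above, added here as an example and not taken from Atlas's own code. It assumes the signature is the hex HMAC-SHA256 of the raw request body keyed with the API key; the sample key and the payload field names are constructed.

```python
import hashlib
import hmac
import json

SIG_HEADER = "x-atlas-signature"
SIG_PREFIX = "sha256="


def sign(api_key: str, raw_body: bytes) -> str:
    """Header value expected for raw_body (assumption: hex HMAC-SHA256 of the raw bytes)."""
    mac = hmac.new(api_key.encode("utf-8"), raw_body, hashlib.sha256)
    return SIG_PREFIX + mac.hexdigest()


def signature_ok(api_key: str, raw_body: bytes, header_value) -> bool:
    value = (header_value or "").strip()
    if not value.startswith(SIG_PREFIX):
        return False
    # Constant-time comparison; comparing bytes avoids a TypeError on non-ASCII input.
    return hmac.compare_digest(sign(api_key, raw_body).encode("utf-8"),
                               value.encode("utf-8"))


def handle_delivery(api_key, raw_body, headers, apply_update):
    """Return an HTTP status; apply_update(event) runs only for verified bodies."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if not signature_ok(api_key, raw_body, lowered.get(SIG_HEADER)):
        return 401
    try:
        event = json.loads(raw_body)  # parse only after the signature checks out
    except ValueError:
        return 400
    if not isinstance(event, dict):
        return 400
    apply_update(event)
    return 200


# Constructed sample delivery; the key and the payload field names are made up.
SAMPLE_KEY = "test_key_constructed"
SAMPLE_BODY = b'{"type": "envelope.signed", "envelope_id": "env_123"}'

if __name__ == "__main__":
    seen = []
    good = {"X-Atlas-Signature": sign(SAMPLE_KEY, SAMPLE_BODY)}
    print(handle_delivery(SAMPLE_KEY, SAMPLE_BODY, good, seen.append))         # verified
    print(handle_delivery(SAMPLE_KEY, SAMPLE_BODY + b" ", good, seen.append))  # body altered
    print(seen)
```

Pass the body bytes exactly as received; re-serializing parsed JSON before hashing changes the bytes and makes valid deliveries fail verification.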
Void and remind
Cancel pending work:
curl -X POST https://atlaswork.ai/api/envelope/{id}/void \
-H "Authorization: Bearer $ATLAS_API_KEY"
Nudge the next signer:
curl -X POST https://atlaswork.ai/api/envelope/{id}/remind \
-H "Authorization: Bearer $ATLAS_API_KEY"
Download signed PDF
When status is signed, GET /api/envelope/{id} returns signed download URLs if the artifact is archived.
OpenAPI reference
Interactive docs: /dev. Machine-readable: /openapi.json. Agent instructions: /llms.txt.
Getting started checklist
- Sign up and copy an API key.
- Run create with Idempotency-Key.
- Poll fields_status or watch review UI.
- Send after review.
- Wire webhooks before production traffic.