QES / eIDAS qualified signatures

Status: Partner-gated architecture (stub QTSP provider). Not production-ready without a signed QTSP contract.

Atlas default signing is Simple Electronic Signature (SES) under eIDAS, ESIGN, and UETA. Qualified Electronic Signatures (QES) are opt-in per envelope and require:

1. QES_ENABLED=true on the Atlas deployment
2. Optional QES_ORG_IDS allowlist for pilot customers
3. A commercial contract with an accredited Qualified Trust Service Provider (QTSP)

Atlas acts as the process facilitator. The QTSP issues the qualified certificate and timestamp. Atlas stores ceremony metadata and QTSP attestation references on envelopes.metadata.qes.

API

Create with QES

POST /api/envelope
{
  "document": "...",
  "parties": [...],
  "legal_framework": "eidas_qes"
}

Returns 403 with code: qes_partner_required when QES is not enabled for your organization.

Supported legal_framework values:

Signer ceremony

1. Signer opens the sign link (GET /api/envelope/{id}?t=... returns qes_required: true)
2. Sign page redirects to QTSP via POST /api/envelope/{id}/qes/ceremony?t={token}
3. QTSP completes and calls POST /api/qes/webhook with HMAC signature
4. Signer returns to Atlas to finish any remaining fields (if applicable)

QTSP webhook (partner integration)

POST /api/qes/webhook
X-Atlas-QES-Signature: <hmac-sha256 hex of raw body>

Body (stub provider):

{
  "ceremony_id": "stub_...",
  "envelope_id": "uuid",
  "party_token": "party-token",
  "status": "completed",
  "cert_serial": "QTSP-CERT-SERIAL",
  "timestamp_token_ref": "storage-ref",
  "attestation_ref": "partner-attestation-id"
}

Environment variables

Honest compliance note

Atlas does not issue qualified certificates. Marketing and security copy distinguish SES (default) from QES (partner-gated). Do not claim QES compliance until a QTSP partner is live in production.

Code map