Subscribe to the signature_request_all_signed Dropbox Sign event callback and verify the event authenticity using the HMAC-SHA256 signature over the raw callback body with the API key as the signing secret
On receipt of the all_signed event, extract the signature_request_id from the callback payload
Call GET /signature_request/{signature_request_id} to retrieve full request metadata including signer timestamps, IP addresses, and user-agent strings recorded at the time of signing
Call GET /signature_request/files/{signature_request_id}?get_url=1&file_type=pdf to obtain a time-limited download URL for the final signed PDF, then download and archive it
Call GET /signature_request/files/{signature_request_id} with the file_type parameter for the audit trail (if separately available) or parse the embedded audit trail from the final PDF to extract the signing evidence record
Known gotchas
Dropbox Sign embeds the audit trail directly in the final signed PDF rather than providing it as a separate download endpoint; the audit trail is a final page appended to the document and is not available as a standalone structured data object via the API
The per-file download URL returned by the files endpoint with get_url=1 is time-limited (typically expiring within a short window); the download must be initiated immediately after the URL is retrieved and cannot be stored as a durable reference
Dropbox Sign does not expose individual per-signer signing certificate files; if your compliance requirement mandates individual signer evidence packages, you must parse the combined PDF audit trail page to extract per-signer event rows
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp