# Sign API v3 Changelog

| Version | Date | Details |
|---------|------|---------|
| 3.0.5 | 23.06.2026 | Async-cascade `403` on document delete, `error.sr.last_document_cannot_be_removed`, JWT bearer format |
| 3.0.4 | 10.06.2026 | `feature-not-enabled` (`403`) problem type, documented error keys |
| 3.0.3 | June 2026 | Observer Groups; signature request expiry (`expires_at`), `EXPIRED` status, and error-envelope refinements |
| 3.0.2 | December 2025 | Express QES (xQES) and identification related endpoints |
| 3.0.1 | September 2025 | Groups in Signature Requests |
| 3.0.0 | April 9, 2025 | First version with Multi-Doc support |

---

## 3.0.5 — 23.06.2026

### Documents

- **Async-cascade `403` on delete** — `DELETE /documents/{id}` now documents a `403 Forbidden` response. When a signature request is deleted, its documents are cleaned up asynchronously; during this window the document is still listed by `GET /documents` but delete attempts return `403`. Retry after a few seconds — the document will either have been removed by the cascade or the delete will succeed.
- **`error.sr.last_document_cannot_be_removed`** — Attempting to remove the last document from a signature request returns `400` with this error key. An SR must keep at least one document.

### Authentication

- **JWT bearer format** — The API key security scheme now explicitly declares `bearerFormat: JWT`.

---

## 3.0.4 — 10.06.2026

### Error handling

- **`feature-not-enabled` problem type** — New Problem+JSON type `https://api.skribble.com/problem/feature-not-enabled` and a shared `403` response, returned when an operation depends on a feature that is not enabled for the business. This now gates setting/clearing `expires_at` (`POST /signature-requests`, `DELETE /signature-requests/{SR_ID}/expires-at`), adding **group** observers (`addSignatureObserver`), and the Express QES identification evidence endpoints (status, JSON, files, JWT).
- **Documented error `key` values** — The error envelope's optional `key` now enumerates the known stable, machine-readable keys, grouped by category: authentication (`error.auth.*`), rate limiting (`error.rate_limit.*`), file/attachment (`file.attachment.unsupported`, `file.malware.detected`), and PDF processing (`file.pdf.*`). Prefer matching on `key` over parsing `message`.
- **Refined response coverage** — `getSignatureRequest` now documents `406 Not Acceptable`, and `listSignatureObservers` / `getSignatureObserver` now document `400 Bad Request`.

See [Error Handling](/error-handling) for the full envelope schema.

---

## 3.0.3 — June 2026

### Signature Requests

- **Expiry date (`expires_at`)** — **Early access (opted-in businesses only).** Owner-set expiry date for a signature request, settable on create/update while `status_overall=DRAFT`. When the date passes, the request transitions to `status_overall=EXPIRED`. Must be today or later, at most 6 months in the future, and — if the owning business has a retention policy — at most one day before the retention deletion date.
- **Clear expiry date** — New endpoint `DELETE /signature-requests/{SR_ID}/expires-at` removes the owner-set `expires_at` from a `DRAFT` signature request (returns `400` if not `DRAFT`). The `auto_delete_at` retention date is unaffected.
- **Retention date (`auto_delete_at`)** — New read-only field on signature request responses exposing the server-managed date on which the request and its documents are automatically deleted per the business's retention policy. Together with `expires_at`, this replaces the former free-form `expiration_date` field.

### Status

- **`EXPIRED` status** — New terminal `status_overall` value, set when an owner-defined `expires_at` passes before all signers have signed.

### Error handling

- **Refined error `key`** — The optional `key` on the Problem+JSON error envelope is now present for a broader set of errors that carry a stable code (PDF loading, malware detection, unsupported attachment types, rate-limit, authentication). Prefer matching on `key` over parsing `message`, which is not part of the stable contract.
- **`404` on withdraw/delete** — The delete signature request endpoint (`DELETE /signature-requests/{SR_ID}`) now documents a `404 Not Found` response.

See [Error Handling](/error-handling) for the full envelope schema.