Create and manage Dropbox Sign API apps
Configure Dropbox Sign API apps to support embedded signing, OAuth, and application-specific settings.
7 Leitura de minutos
Your integration can already communicate with Dropbox Sign using API keys. But some workflows, such as embedded signing or OAuth, require more than API authentication alone.
To support these experiences, you'll need an API app.
In this module, you'll learn when API apps are required, how to configure them, and how they support advanced integrations.
What's an API app?
An API app acts as the identity of your Dropbox Sign integration.
While API keys authenticate requests, API apps enable specific integration capabilities and allow you to configure settings associated with your application.
API apps are commonly used when building embedded experiences or implementing OAuth-based authentication workflows.
Think of an API app as the configuration layer that connects your application to Dropbox Sign.
When is an API app required?
Not every integration requires an API app.
However, API apps are required for several advanced integration scenarios.
API apps are required for:
Embedded signing
Embedded requesting
Embedded templates
OAuth workflows
Examples
You need an API app if:
Users sign documents inside your application.
Users prepare and send signature requests from your application.
Users create or manage templates without leaving your application.
Your application authenticates through Dropbox Sign OAuth.
Note
Many standard, non-embedded integrations can use API keys alone.
API apps become necessary when implementing embedded or OAuth-based workflows.
OAuth authentication
Not every integration uses API keys alone. Some applications need permission to act on behalf of individual Dropbox Sign users.
In these cases, Dropbox Sign uses OAuth authentication.
Instead of authenticating with an API key, the application receives an access token after the user authorizes access to their Dropbox Sign account. The application then uses that access token when making API requests on the user's behalf.
The actions the application can perform are controlled by the access scopes configured for the API app.
Creating an API app
API apps can be created from the API section of your Dropbox Sign account.
When creating an API app, you'll configure several key settings.
App name
Provide a clear and descriptive name that helps identify the purpose of the integration.
Examples:
Employee onboarding portal
Contract management system
Customer signature platform
Note
Choose a descriptive name that clearly identifies the purpose of your integration. As the number of API apps grows, meaningful names make them easier to manage, troubleshoot, and hand off to other team members.
Domain
Specify the domain where the application will operate.
This helps Dropbox Sign verify and associate requests with the correct application.
Note
When you're ready to move from testing to production, verify that your registered domain matches your application's deployment. Domain mismatches are a common cause of production issues.
Callback URL
The callback URL determines where Dropbox Sign sends event notifications for the application.
Examples include:
Signature completed
Signature declined
Request viewed
You'll learn more about callbacks in the next module.
Managing multiple API apps
Many organizations maintain multiple API apps to support different environments or business needs.
Common examples
Production app
Used by live customers and production workflows.
Sandbox app
Used for testing and development activities.
Department-specific apps
Large organizations may maintain separate apps for:
Human resources
Sales operations
Customer success
Internal platforms
Using separate apps can simplify administration, troubleshooting, and governance.
Understanding app ownership
Technical teams often focus on implementation but overlook long-term ownership. Every API app should have a clearly defined owner.
Questions to consider include:
Who created the app?
Who maintains it?
Who receives callback notifications?
Who manages updates and approvals?
Why does ownership matter?
Without clear ownership:
Issues may go unresolved.
Security reviews may be delayed.
Callback configurations may become outdated.
Integrations may be difficult to support.
Best Practice
Document ownership and maintenance responsibilities for every API app in your environment.
What happens if the owner leaves?
Ownership planning should be part of every integration strategy.
Before removing a user from Dropbox Sign, verify whether they own:
API apps
API keys
Callback configurations
If ownership isn't transferred appropriately, future maintenance and troubleshooting may become more difficult.
Operational tip
Review API app ownership regularly as part of your user offboarding process.
Common mistake
It's easy to confuse API keys, API apps, and OAuth because they're often used together. However, each serves a different purpose.
API keys authenticate API requests and identify your integration.
API apps enable embedded experiences and OAuth workflows while defining application-specific settings.
OAuth allows users to authorize your application to access Dropbox Sign on their behalf.
Tip
A simple way to remember the difference: if your users stay within your application to complete Dropbox Sign actions, you'll likely need an API app. If they interact with Dropbox Sign directly, an API key alone is often enough.
You've learned when API apps are required and how they support advanced integrations.