Wet, electronic, and digital signatures
People use "e-signature," "digital signature," and plain "signature" loosely, but in this field the words carry distinct meanings. Start with the four building blocks everything else rests on.
Wet signature — A handwritten signature made with pen on paper; the name comes from the era when you waited for the ink to dry. It is still perfectly valid, and in most countries an electronic signature is designed to carry the same legal weight as a wet one for the vast majority of everyday documents.
Electronic signature (e-signature) — A broad legal term for any electronic sound, symbol, or process attached to a record and adopted by a person with the intent to sign. A typed name, a finger-drawn squiggle, or clicking an "I agree" button can all qualify. It is defined by the result — intent plus association with the record — not by any single technology.
Digital signature — A specific cryptographic technique that uses public-key cryptography to bind a signer to a document and to detect later changes. A digital signature is one way to implement an electronic signature, but not every electronic signature is a digital signature. In practice the term often describes the cryptographic seal applied to a finished document rather than the human act of signing.
Hash — A short, fixed-length "fingerprint" of a file produced by a one-way function such as SHA-256. Change a single character in the document and the hash changes completely, which is exactly what lets software prove a signed file has not been altered.
The laws that give e-signatures effect: ESIGN, UETA, eIDAS
A handful of laws are why a click can be as binding as a pen stroke. The notes here are general information rather than legal advice, and the details differ from one country — and sometimes one US state — to the next.
ESIGN Act — The US federal Electronic Signatures in Global and National Commerce Act (2000). It says a signature, contract, or record cannot be denied legal effect simply because it is electronic, for transactions affecting interstate or foreign commerce. It also sets out consumer-disclosure and consent rules.
UETA — The Uniform Electronic Transactions Act (1999), a model law that almost every US state has adopted (New York is the notable exception, using its own statute). It establishes at the state level that electronic records and signatures are valid, and it works hand in hand with ESIGN.
eIDAS — The European Union regulation (No 910/2014) on electronic identification and trust services. It harmonizes the rules across member states and defines the three signature tiers described below. Comparable frameworks exist elsewhere — the UK, Canada, and many Latin American countries each have their own — so always check the law where your document will actually be used.
Consent to do business electronically — Before a business relies on electronic records with a consumer, the consumer generally has to agree to receive them electronically and not withdraw that agreement. This is the "I consent to use electronic records and signatures" step you often see before signing, and under ESIGN it comes with specific disclosure requirements.
eIDAS assurance levels: SES, AES, and QES
Under eIDAS, electronic signatures come in three tiers of increasing assurance. A higher tier means stronger identity proof, not necessarily "more valid" — a simple signature can be perfectly enforceable for the right document.
SES (Simple Electronic Signature) — The baseline tier: any data in electronic form that a signer uses to sign. Typing your name or drawing a signature usually falls here. It carries the lowest built-in assurance but is appropriate for a great many routine agreements.
AES (Advanced Electronic Signature) — A signature that is uniquely linked to the signer, can identify them, is created with data under the signer's sole control, and is connected to the document so that any later change is detectable. It raises the bar on both identity and integrity.
QES (Qualified Electronic Signature) — An advanced signature backed by a qualified certificate and created on a qualified signature-creation device, typically issued by an accredited trust service provider. In the EU a QES is granted the same legal effect as a handwritten signature, which is why it is reserved for higher-stakes use cases.
Proving who signed and that they meant it
A signature is only as good as the evidence behind it. These terms describe how a platform connects a real person to a deliberate act.
Intent to sign — The signer's demonstrated intention to be bound by the document. It is a foundational requirement nearly everywhere; a signature collected without clear intent may not hold up. Deliberate actions — clicking a "Sign" button, drawing a signature — are how that intent is captured.
Attribution — Linking a signature or record to a specific person, that is, showing the act was that person's act. UETA frames it broadly: attribution can be shown "in any manner," including by the security procedures used. The stronger your authentication, the stronger your attribution.
Signer authentication — The methods used to confirm a signer is who they claim to be. These range from proving control of an email inbox, to entering a one-time code, to formal ID verification. Stronger authentication produces more convincing evidence if a signature is ever questioned.
Access code — A shared secret, such as a PIN or passphrase, that the sender delivers to the signer separately (by text or phone, for instance) and that the signer must enter before they can open and sign. It is a lightweight way to add an authentication layer. In tuyaform you can attach an optional access code to each signer on a request.
The evidence trail: audit trail, Certificate of Completion, and the seal
When the signing is done, the proof is what remains. These three artifacts are how a finished signature defends itself later.
Audit trail — A chronological log of every event in the signing process: when the document was sent, opened, viewed, and signed, along with timestamps and IP addresses. It is the behind-the-scenes record you can fall back on to reconstruct exactly what happened.
Certificate of Completion — A summary document generated once everyone has finished signing. It gathers the audit trail — signer names and emails, timestamps, and any authentication events — into a single portable record you can keep or hand to a counterparty. tuyaform produces one automatically for every completed request.
Tamper-evident seal — A cryptographic seal applied to the finished document, usually a digital signature over the file's hash. If anyone edits so much as a comma afterward, verification fails and the change is exposed. That is what "tamper-evident" means: alterations are detectable, even when they cannot be physically prevented.
How multi-signer documents are sequenced
When more than one person signs, the order matters — both for logistics and for who sees what, when.
Signing order — The sequence in which a document's signers are asked to sign. Setting an order lets you, for example, have an employee sign before a manager countersigns.
Sequential vs parallel signing — With sequential signing, people sign one at a time in a defined order, and each signer is invited only after the previous one finishes. With parallel signing, everyone is invited at once and can sign in any order, which is faster when there is no dependency between signers. tuyaform supports both, so you can match the flow to the document.