API reference

All operations are functions on the atick module. Load it with CommonJS:

require.js

const atick = require("atick");

Every function takes raw Node Buffer values for PDFs and certificates, and an options JSON string where applicable. On any failure a function throws a normal Error; the message is available from err.message. Full TypeScript types ship inindex.d.ts.

types.ts

import * as atick from "atick";

interface Prepared {
  prepared: Buffer;
  bytesToSign: Buffer;
}

ATick runs server-side only. There is no browser build and no command-line interface.

Signing

signpfx-sig.js

atick.signPfx(pdf, pfx, optionsJson) // -> Buffer

Sign pdf with a .pfx/.p12/.pem credential (the format is auto-detected). For a PEM file pass the password as the empty string"" inside the options. Returns the signed PDF bytes.

pdf — the PDF to sign (Buffer).
pfx — the credential bytes (.pfx, .p12, or .pem) as a Buffer.
optionsJson — the options JSON string (see the Options table). Pass the credential password as the password key; use "" for PEM.
returns — the signed PDF as a Buffer.

signpfx.js

const fs = require("fs");
const atick = require("atick");

const pdf = fs.readFileSync("in.pdf");
const pfx = fs.readFileSync("signer.pfx");

const options = JSON.stringify({
  password: "secret",
  cn: "Axonate Tech",
  reason: "Approval",
  page: 1,
  rect: [40, 40, 240, 140],
  pades: true,
  timestamp: true,
  tsa_url: "http://timestamp.example/tsa",
});

try {
  const signed = atick.signPfx(pdf, pfx, options);
  fs.writeFileSync("signed.pdf", signed);
} catch (err) {
  console.error("signing failed: " + err.message);
}

signfield-sig.js

atick.signField(pdf, pfx, optionsJson) // -> Buffer

Sign an existing empty signature field. Use the field_name option to select the field. Returns the signed PDF bytes.

pdf — a PDF containing an empty signature field (see prepareFields).
pfx — the credential bytes (Buffer).
optionsJson — must include field_name; same credential and signing keys as signPfx.
returns — the signed PDF as a Buffer.

Deferred / remote-key signing

These three functions cover the deferred (eSign / HSM / remote-key) flow: prepare the PDF, sign the returned bytes elsewhere, then embed the resulting CMS.

prepare-sig.js

atick.prepare(pdf, optionsJson) // -> { prepared: Buffer, bytesToSign: Buffer }

Step 1 of deferred signing. Adds an empty signature field, the appearance, and the signature container, then returns the exact bytes that must be signed. Returns an object with twoBuffer properties:

prepared — the prepared PDF (Buffer).
bytesToSign — the bytes to sign (Buffer); hash and sign these with the remote key.
pdf — the PDF to prepare (Buffer).
optionsJson — appearance and signing options (see the Options table).
returns — { prepared, bytesToSign } (the Prepared interface in TypeScript).

cmspfx-sig.js

atick.cmsPfx(data, pfx, optionsJson) // -> Buffer

Produce a detached PKCS#7 / CMS signature over data using a PFX. Useful for producing the CMS that embed expects when the signing credential is a local PFX.

data — the bytes to sign (typically bytesToSign from prepare) as a Buffer.
pfx — the credential bytes (Buffer).
optionsJson — password, hash_algo, pades, timestamp, tsa_url, tsa_auth, ltv, revocation.
returns — the detached CMS as a Buffer.

Set revocation: true to embed RevocationInfoArchival (the signer's CRL and OCSP responses) inside the CMS, so the signature carries its own revocation proof. Pair it withaddDocTimestamp afterwards to add the DSS for the timestamp chain (PAdES-B-LTA).

cmspfx-revocation.js

const cms = atick.cmsPfx(bytesToSign, pfx, JSON.stringify({
  password: "secret",
  pades: true,
  revocation: true,   // embed RevocationInfoArchival in the CMS
}));
const signed = atick.embed(prepared, cms);

// add the DSS for the timestamp chain
const lta = atick.addDocTimestamp(signed, JSON.stringify({ tsa_url: "http://timestamp.example/tsa" }));

embed-sig.js

atick.embed(prepared, cms) // -> Buffer

Embed a detached CMS / PKCS#7 into a prepared PDF. Returns the signed PDF bytes.

prepared — the prepared PDF (prepared from prepare) as a Buffer.
cms — the detached CMS (from cmsPfx, an eSign reply, or an HSM) as a Buffer.
returns — the signed PDF as a Buffer.

deferred.js

const { prepared, bytesToSign } = atick.prepare(pdf, options);

const cms = atick.cmsPfx(bytesToSign, pfx, JSON.stringify({ password: "secret" }));
const signed = atick.embed(prepared, cms);

Field templates

preparefields-sig.js

atick.prepareFields(pdf, optionsJson) // -> Buffer

Create an empty signature field as a template: the appearance is drawn, but the signature is left empty so it can be signed later with signField. Returns the PDF bytes.

pdf — the PDF to add the field to (Buffer).
optionsJson — appearance options plus field_name, page, rect / placements.
returns — the PDF with an empty field as a Buffer.

Long-term validation & timestamps

adddoctimestamp-sig.js

atick.addDocTimestamp(pdf, optionsJson) // -> Buffer

Add an archive DocTimeStamp (and the DSS validation material) to an already-signed PDF, producing a PAdES-B-LTA document. Returns the timestamped PDF bytes.

pdf — an already-signed PDF (Buffer).
optionsJson — tsa_url, tsa_auth, ltv, contents_size.
returns — the timestamped PDF as a Buffer.

Documents & utilities

setmetadata-sig.js

atick.setMetadata(pdf, optionsJson) // -> Buffer

Set the document information (/Info) metadata on a PDF. Returns the updated PDF bytes.

pdf — the PDF to update (Buffer).
optionsJson — title, author, subject, keywords, application, created, modified (see the Metadata options table).
returns — the updated PDF as a Buffer.

decrypt-sig.js

atick.decrypt(pdf, password) // -> Buffer

Decrypt a password-protected PDF. Returns the plaintext PDF bytes.

pdf — the encrypted PDF (Buffer).
password — the open (user) password as a string.
returns — the decrypted PDF as a Buffer.

setfastsigning-sig.js

atick.setFastSigning(on) // -> void

Enable or disable the in-memory revocation cache (used to speed up repeated CRL/OCSP lookups). Passing false disables it.

on — true to enable the cache, false to disable it (boolean).

version-sig.js

atick.version() // -> string

Return the engine version string.

returns — the version as a string.

version.js

console.log("ATick " + atick.version());

Options JSON

The optionsJson argument is a JSON object string, built withJSON.stringify({ ... }). All keys are optional unless a function note says otherwise. Keys are grouped below by purpose.

Identity & appearance text

Key	Type	Meaning
`cn`	string	Common name shown in the appearance.
`org`	string	Organisation line.
`ou`	string	Organisational unit line.
`location`	string	Signing location, also written to the signature.
`reason`	string	Reason for signing, also written to the signature.
`text`	string	Free text shown in the appearance.
`date`	string	Date string shown in the appearance.
`dn`	string	Full distinguished name line.
`body`	string	Custom-text-only appearance body (`\n` = new line, `x` = bold).
`heading`	string	Heading line above the signature details.

Verified mark

Key	Type	Meaning
`show_mark`	bool	Draw the verified mark.
`green_tick`	bool	Use the "?" verified mark.
`always_check`	bool	Always draw the verified/checked mark.
`mark_color`	string hex / name / `[r,g,b]`	Colour of the mark.
`mark_gradient`	array of colours	Gradient fill for the mark.
`mark_scale`	number	Scale factor for the mark size.
`mark_dx`	number	Horizontal nudge of the mark, in PDF points.
`mark_dy`	number	Vertical nudge of the mark, in PDF points.
`top_reserve`	number (0–1)	Fraction of the box height reserved at the top for the logo / mark (e.g. `0.32`).

Layout & styling

Key	Type	Meaning
`text_color`	string hex / name / `[r,g,b]`	Text colour.
`bg_color`	string hex / name / `[r,g,b]`	Background colour of the appearance.
`border`	bool	Draw a border around the appearance.
`border_color`	string hex / name / `[r,g,b]`	Border colour (used with `border: true`).
`border_width`	number	Border line width in PDF points (e.g. `1.0`).
`text_dx`	number	Horizontal nudge of the appearance text, in PDF points.
`text_top`	number	Top offset of the appearance text, in PDF points.
`font_size`	number	Font size of the appearance text.
`width`	number	Appearance width.
`height`	number	Appearance height.

Placement

Key	Type	Meaning
`page`	int	Page number for the signature (1-based).
`rect`	`[x1, y1, x2, y2]`	Rectangle of the appearance on `page`.
`placements`	`[[page, [x1, y1, x2, y2]], ...]`	Multiple appearance placements (one signature, several pages).
`mode`	`"single"` \| `"shared"`	Whether placements share one signature (`"single"`) or are separate.
`field_name`	string	Name of the signature field.

Cryptography & PAdES

Key	Type	Meaning
`pades`	bool	Produce a PAdES signature.
`hash_algo`	`"sha256"` \| `"sha384"` \| `"sha512"`	Digest algorithm.
`timestamp`	bool	Add an RFC-3161 signature timestamp.
`tsa_url`	string	Timestamp authority URL.
`tsa_auth`	`["user", "pass"]`	Basic-auth credentials for the TSA.
`ltv`	bool	Add long-term validation material (DSS).
`revocation`	bool	On `cmsPfx`, embed RevocationInfoArchival (CRL/OCSP) inside the CMS itself.
`lta`	bool	Add an archive DocTimeStamp (PAdES-B-LTA).
`contents_size`	int	Size of the signature `/Contents` placeholder (default `16384`).

Certification & locking

Key	Type	Meaning
`certify`	int	Certification level: `1` = no changes, `2` = form filling, `3` = form filling + annotations.
`lock_fields`	`["*"]` or names	Fields to lock after signing (`["*"]` = all).

Verification

Key	Type	Meaning
`verify`	bool	Verify the certificate before signing.
`verify_expiry`	bool	Check certificate validity dates.
`verify_crl`	bool	Check the CRL.
`verify_ocsp`	bool	Check OCSP.
`trusted_roots`	array of SHA-1 hex strings	Extra pinned roots; the chain (built from AIA) must reach one of them.

The four verify* flags and trusted_roots run beforeany output is produced; a failed check refuses to sign and throws an Error.

presign-checks.js

const out = atick.signPfx(pdf, pfx, JSON.stringify({
  password: "secret",
  verify: true,            // umbrella: not expired + CRL + OCSP
  verify_expiry: true,     // or enable the individual checks
  verify_crl: true,
  verify_ocsp: true,
  trusted_roots: ["<root SHA-1>", "<another root SHA-1>"],
}));

Document security

Key	Type	Meaning
`open_password`	string	User/open password for the output PDF.
`encrypt_password`	string	Password used to encrypt the output PDF.
`owner_password`	string	Owner/permissions password for the output PDF.

Metadata options

These keys apply to setMetadata.

Key	Type	Meaning
`title`	string	Document title.
`author`	string	Document author.
`subject`	string	Document subject.
`keywords`	string	Document keywords.
`application`	string	Creating/producing application.
`created`	string	Creation date.
`modified`	string	Modification date.

Errors

Every atick function throws a normal Error on failure — bad password, malformed PDF, network error, invalid options, and so on. The error text is available fromerr.message.

errors.js

try {
  const signed = atick.signPfx(pdf, pfx, options);
} catch (err) {
  console.error("ATick error: " + err.message);
}