Release 25.R3: May 2025

Changed Behavior

Here are some of the changes in behavior that you might want to be aware of.

HTML Code

For security reasons we will no longer allow HTML code to be used in any OneSpan Sign input field. (refs PB-114029)

For transaction and document fields this includes the following:

• Transaction and Template Names

• Transaction and Template Descriptions

• Document Names

• Signatures, Field Names, and Tooltips

For Admin page fields this includes:

• Users

• Roles

• Groups

• Custom Fields

• Notarization Preferences

• Notary Commissions

In addition to the above, HTML code will no longer be allowed in:

• The Account Registration page

• The Fast Track page

• When using Bulk Send csv

Improved API Key Generation

To increase the security of our API keys, we have implemented a new generation algorithm that will generate longer keys. This change means that all existing API keys have been converted to follow the new format. Additionally, any new keys that are created with the creation of a new user will also follow this new format.

Note that any integrations that were implemented using the older keys will continue to work. These keys will remain functional until March 1, 2026. At this time the shorter API keys will no longer work.

What do I need to do?

To prepare for this change OneSpan recommends that you do the following:

1. Validate that your systems and applications can accommodate the new longer API key format. This may involve changes to your codebase and configuration settings.

2. Plan your migration to the new longer API key format as soon as possible. While these keys will be generated for you, any integrations that you have made using the shorter key format will have to be manually updated.

3. Migrate your Sandbox environments to the new API key format. To ensure a smooth transition we strongly recommend testing the new longer API keys in our Sandbox environment before the Production rollout.

4. Once you have successfully migrated your Sandbox environments, migrate your Production environments to the new API key format.

Should you need any assistance during this transition phase, please contact our Support Team .

Additional Changes in Behavior

• We have introduced additional validation for callback URLs to improve security and prevent misconfigurations. This includes stricter checks for IP addresses (IPv4 & IPv6), domain names, and URL schemes. (refs PB-82547)

• We no longer allow you to send out a transaction where a recipient has both Accept Only and Signature Fields assigned to them on the same document. Previously, sending out a transaction like this would result in an error appearing when the recipient attempted to sign their documents. Recipients can still have Accept Only and Signature Fields assigned to them provided these field types are on separate documents in the transaction. (refs PB-112293)

• Our out-of-the-box signer email templates now include additional warnings that remind signers not to forward or sign any unexpected signing requests. (refs PB-115478)

Upcoming Changes

Here are some of the new features, changes, and enhancements that we will be introducing in an upcoming release.

Deprecation of Legacy TLS Ciphers

As part of our ongoing commitment to security we'll be deprecating some legacy TLS ciphers.

As TLS ciphers can be set by hostname, we have modified the cipher deprecation plan to allow all customers additional time to test these changes in their Sandbox environments. As such, we will be phasing out the following ciphers on the following dates:

What do I need to do?

We recommend that you start working with your IT team immediately to ensure that your integration framework does not use any of the above-mentioned cipher suites. Once completed, please test your OneSpan Sign Sandbox environment to ensure that all TLS communications are working properly. This is an important step that ensures that your organization does not encounter service disruptions.

For more information, see Supported TLS Versions.

Changes to the email.delegation.activate template

In an upcoming release, the out of the box email.delegation.activate email template will be updated to include the delegation start date.(refs PB-116151)

The string Your role as a delegate will expire on: $EXPIRY_DATE;. will change to Your role as a delegate will span from $DELEGATION_START_DATE; to $EXPIRY_DATE;.

No changes will be made to the email.delegation.activate email at the account level.

What's New

Here are some of the new features and enhancements we have made for this release.

Ad Hoc Group General Availability:

We are pleased to announce that our Ad Hoc Groups are now in GA!

In addition to all the great features introduced in our BETA versions of this feature, this new release now includes the following enhancements: (refs PB-113276)

• You can now add "Myself" as a member of an Ad Hoc Group

• Using the Sender UI, you can now add the same recipient as both an individual signer, and as an ad hoc group member.

• Duplicate signers can be used

• Attachments can be added

• The Electronic Disclosures and Signatures Consent document will now be displayed for all members of the Ad Hoc Group

• The Mobile Capture signature type is available

• Document and Text Tag extraction are now supported

• Saving and applying a layout with ad hoc groups

• Reporting

New introductory walk through!

Our enhanced product walkthrough for new users is now available. With this improved walkthrough new users can follow a step-by-step guide to creating, preparing, and sending their first transaction. (refs PB-111168)

Rate limiting

We have implemented a rate limiting functionality that will limit the number of notifications a single user will get. This will help prevent signers from being spammed with unnecessary notifications. The current rate limit is 20 notifications within a 2-hour span. Should you need this to be changed, contact our Support Team .

Workflow Integrations

We have made more enhancements to the Workday Business Process framework that we introduced in Release 25.R.2. (refs DAG-172)

OneSpan Sign for SharePoint Enhancements

• Users can now add an authentication method (SMS, Q&A) for contacts.

• You can now define a signing order for your contacts. Note that the signing order range is from 0 to 99, and that we recommend that you set a default signing order. If more than one contact has the same signing order assigned to them, then parallel signing is enforced.

Bug Fixes

The following issues were resolved in this release:

Integrators

• Attempting to use the API call /api/account/usage would sometimes result in a 500 error (timed out). This error no longer appears. (refs PB-108395)

Senders

• When editing and resending a transaction the transaction’s Expiry Date was not always accurate. This has been fixed. (refs PB-114251)

• In Australian environments the Expiry Date on certain transactions was also not always accurate. This occurred during the switch to Daylight Savings time and was caused by a miscalculation in hours (which would be off by one or two). This has been fixed and the correct Expiry Date now appears. (refs PB-114354)

• When manually entering an Expiry Date for a transaction using the Sender UI the transaction would expire at 4:00 AM GMT on the date the transaction was scheduled to expire, instead of at the time the transaction was last updated. Now, transactions expire on the set Expiry Date at the time the transaction was last updated, and not at 4:00 AM GMT. (refs PB-116514)

Signers

• We have resolved a problem where the default value of a field would not appear during the signing ceremony when conditions were linked to that field. (refs PB-114666)

Vaulting

• An EDEPOSIT_FAILURE callback message was sometimes reported when optional fields in a transaction were missing. As these fields were optional, this warning should not have appeared. This has been corrected. (refs PB-114578)

Vulnerabilities

We have addressed an issue where a transaction having a name that starts with any of the characters listed below would result in a formula being applied in the downloaded report. Now when a transaction name starts with any of the following symbols it will be preceded with a ' in the downloaded report. (refs PB-99804)