Changes in Behavior
Here are some of the changes in behavior that you might want to be aware of.
Name change for SMS OTP in Evidence Summary: If you are an API-integrated user, you should be aware that the name of the SMS OTP event that appears in the Audit Trail section of the Evidence Summary has changed. (refs PB-113072)
Former event name: Sent SMS
New event name: Sent SMS code
If you have already customized the Sent SMS label, your customization will remain unchanged.
Compressed files can no longer be uploaded: Compressed file types (ZIP, RAR, 7Z) are now part of the list of blacklisted files. You can no longer upload these file types as transaction documents, supporting documents, or signer attachments. (refs PB-118307)
Additional Authentication Methods added to System Logs: The Access section of the System Logs now includes the following authentication methods for login events: (refs PB-118627)
Username/password
SSO
Default In-App Documentation: The in-app documentation widget introduced in Release 25.R4 is now enabled by default for all non-white labelled accounts (accounts that have not overridden the default Sender UI logo). (refs PB-119755)
De-activated link to our Privacy Center in the Electronic Consent document: We have de-activated the link to our Privacy Center that appears in the default Electronic Consent document. The URL to the Privacy Center still appears, but it is no longer clickable. (refs PB-120047)
Automatic redirect for Sender UI upon session expiry: Once a session expiry time has been reached, the Sender UI will now redirect a user to either their session expiry URL or the Login page. (refs PB-120454)
Longer Callback URL Field: In response to changes made in Microsoft's Power Platform callback URL generation scheme, we have increased the maximum number of characters allowed in the Callback URL field in the Event Notifications page of the Sender UI. You can now enter up to 1024 characters. (refs PB-121143)
Upcoming Changes
Here are some of the new features, changes and enhancements that we will be introducing in an upcoming release.
Expiring Signer Links: The link to a transaction that is sent to signers will soon have a configurable expiration time. The default time for these links to work will be three days, after which signers will have to request a new link. (refs PB-116117)
What’s New
Here are some of the new features and enhancements we have made for this release.
Ad Hoc Groups
SMS notifications are now available for recipients who are members of an Ad Hoc Group. (refs PB-118481)
Integrators
Integrators can now take advantage of the following new features:
Custom HTTP headers in callbacks: Callbacks can now use HTTP headers that have been customized by you. To enable this feature and create static header pairs (such as name, value), contact our Support Team. (refs PB-111291)
Name and description search parameters: You can now use the search parameter to search and filter the following calls by name and description: (refs PB-116909)
GET reports/transaction-summary
GET reports/sender-transaction-summary
Transaction, role, and document metadata can now be modified: You can now modify transaction, role, and document metadata, regardless of a transaction's status. This allows you to keep values up to date without needing to edit and resend transactions. To enable this feature, please contact our Support Team. The following call will do this: (refs PB-118662)
PUT <api-url>/api/packages/packageId/metadata
PUT <api-url>/api/packages/packageId/documents/documentId/metadata
PUT <api-url>/packages/packageId/roles/rolesId/metadata
There is a Known Issue where customized metadata cannot be cleared or removed. We will fix this in a future release.
Sender and signer hand drawn signatures can now be extracted with a transparent background: This means that when you subsequently apply these signatures to internal forms they do not obscure any other background data. The following call will do this: (refs PB-119130)
GET /api/packages/packageId/roles/roleId/signatureImage?transparent=true
GET /account/senders/senderId/signatureImage?transparent=true
Senders
Improved Recipient Layout: Each recipient is now displayed within a clearly defined bordered container. These borders visually separate recipients, making it easier to distinguish individual entries and review recipient details at a glance. (refs PB-117801)

By default, the Date field is now available in the Designer. Note that this change will not affect any accounts that already have a customized Designer. If you wish to enable the Date Field in a customized Designer contact our Support Team. (refs PB-118958)

Ability to hide OFAC details: You can now configure your account so that OFAC details are excluded from the Evidence Summary and from any OFAC related emails. To enable this feature, contact our Support Team. (refs PB-119957)
New Signature Type options: There are two new signature types that allow signers to choose their own Signature Style. These options are:
Choose Signature
Choose Initials

Signer Experience
Optional signatures are no longer included in the unsigned signatures prompt: For clarity, if an optional signature has been disabled during the course of signing a transaction (for example, if a met condition negates the need for the signature), this signature is no longer included in the prompt that warns signers there are still signatures needed. (refs PB-110073)
Transaction signers now have the option to select their preferred signing method from a set list of choices. The following new options are now available: (refs PB-115749)
NOTE: Text tag extraction is not supported with this new feature.
Styling (choose font)
Drawing
In a future release the following additional options will be available:
Uploading images
Mobile

Supporting Documents
With this release we continue to improve our new Supporting Documents feature. Here are some of the enhancements you can find in this release: (refs PB-118690)
You can now manage supporting documents from the Designer.

Supporting documents are now included in the documents email package.
The Evidence Summary now tracks Supporting Documents, including all document download events.
Supporting documents can be downloaded from the Thank You page.
We have added support for using and configuring Supporting Documents with Java and .NET SDK.
Authentication
Improved OAuth2 Authentication: OneSpan Sign now ensures that mTLS requests sent over OAuth2 are made using a trusted certificate. This applies to API calls only. (refs PB-117591)
Delegate access to Signer Experience using an Authentication Token: You now have the ability to generate a delegated signing session token. Both single use and multi-use tokens are supported. This feature is also available using Java. (refs PB-117620)
The following API calls will do this:
Endpoint POST /api/authenticationTokens/signer/singleUse
Endpoint POST /api/authenticationTokens/signer/multiUse
Support for Multiple mTLS certificates: You can now define two mTLS (fingerprint) certificates per account. This applies to API calls only. (refs PB-117829)
Custom headers for Callbacks and more parameters for OAuth 2.0 authentication: You can now add Custom Headers to your callback request, which can add greater control, security, and even context to your requests. In addition, when using OAuth 2.0, you can now define the location of the credentials sent when making requests to the authorization server. Options are Authorization Header, where credentials are sent in the HTTP Authorization header, or Form-Data, where credentials are sent in the Request Body. For more information, see Managing Event Notifications. (refs PB-111255)
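The two credential locations described above correspond to the two client-authentication forms in RFC 6749 section 2.3.1. The following is an added example, not OneSpan Sign code: it shows how a token request looks in each form and how an authorization server can accept either while rejecting a request that uses both. The function names, the location strings, and the sample client values are assumptions made for illustration.

```python
import base64
from urllib.parse import parse_qs, quote_plus, unquote_plus, urlencode

def build_token_request(location, client_id, client_secret):
    """Client side: return (headers, body) for a client_credentials grant."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "client_credentials"}
    if location == "authorization-header":
        # RFC 6749 2.3.1: form-urlencode id and secret before Basic encoding.
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    elif location == "form-data":
        form.update(client_id=client_id, client_secret=client_secret)
    else:
        raise ValueError("unknown credential location")
    return headers, urlencode(form)

def extract_client_credentials(headers, body):
    """Server side: return (client_id, client_secret, location) or raise ValueError."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    form = parse_qs(body, keep_blank_values=True)
    in_header = auth.lower().startswith("basic ")
    in_body = "client_secret" in form
    if in_header and in_body:
        # A request must not use more than one client authentication method.
        raise ValueError("credentials sent in both header and body")
    if in_header:
        try:
            decoded = base64.b64decode(auth[6:].strip(), validate=True).decode("utf-8")
        except ValueError as exc:  # bad base64 or bad UTF-8
            raise ValueError("malformed Basic credentials") from exc
        client_id, sep, secret = decoded.partition(":")
        if not sep:
            raise ValueError("malformed Basic credentials")
        return unquote_plus(client_id), unquote_plus(secret), "authorization-header"
    if in_body:
        ids, secrets = form.get("client_id", []), form["client_secret"]
        if len(ids) != 1 or len(secrets) != 1:
            raise ValueError("missing or repeated client credentials")
        return ids[0], secrets[0], "form-data"
    raise ValueError("no client credentials in request")

# Constructed sample values, not real credentials.
SAMPLE_ID, SAMPLE_SECRET = "callback-client", "s3cr3t+/=:x"
```

The secret deliberately contains `+`, `/`, `=` and `:` to show why the Basic form must be URL-encoded before base64 and decoded again on receipt.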

Configurable Default Settings
In Release 25.R5 we introduced Configurable Default Settings. In this release we continue to expand on this functionality.
Due to internal policies or external regulatory requirements, transactions often require configuration settings that differ from the OneSpan Sign default settings. Failure to configure transactions correctly can lead to non-compliance, legal exposure, or even security vulnerabilities such as impersonation due to incorrect authentication settings. As such, Senders used to have to manually adjust these settings, introducing the possibility of oversight.
Now though, OneSpan Sign allows you to define default values for the most commonly used transaction settings. This feature helps organizations align with internal standards, reduce the risk of human error, and ensure consistent compliance without relying on individual Senders to manually adjust settings for each transaction.
For more information see Configuring Default Admin Settings.
In addition to the settings introduced in Release 25.R5, the following settings can now also be configured with your own default settings: (refs PB-117447)
Authentication Methods
SMS
Q&A
IDV
SSO
Q&A+SMS
Notifications Method for SMS
If these settings are configured, the Sender UI will prompt you to enter any information that is required due to these configurations. For example, if the default authentication method is set to SMS, a label will appear indicating that a recipient’s phone number is required. (refs PB-1118920)
To enable this feature and to configure your defaults, contact our Support Team.
Note:
The new default settings will be applied to all transactions, templates, senders, and Ad Hoc Groups created AFTER the default settings were added.
The new default settings will NOT be applied to all transactions, templates, senders, and Ad Hoc Groups created BEFORE the default settings were added.
These default values can be overridden for specific transactions using either the Sender UI, or when using APIs.
When using APIs or integration, if a Sender does not mention a value, the default Admin value will be used.
When using APIs or integration, if a Sender DOES mention a value, the default Admin value will be overridden.
Bug Fixes
The following issues were resolved in this release:
Accessibility
We have resolved some issues affecting the aria-owns attribute and external links in the Signer Experience. (refs PB-118378)
We have fixed several other accessibility issues that were affecting the Signer Experience. (refs PB-118378)
Integrators
If the Allow signer to download evidence summary feature is enabled, signers who are also the transaction owner were unable to download the evidence summary using APIs. This has been fixed. (refs PB-119192)
Using an API to fetch documents after the Document Visibility screen was accessed no longer results in a 404 error. (refs PB-120763)
Senders
A Master Key Error no longer appears when the session for an account with a private key expires. (refs PB-114492)
We have improved the copy and paste functionality in the Designer. (refs PB-114492)
We have fixed an issue in the Dutch language version of the Welcome Tour. In previous versions users were presented with two buttons, both of which said “Rondleiding Overslaan” (Skip Tour). Now, the buttons say “Rondleiding Overslaan” (Skip Tour) and “Rondleiding Starten” (Start tour). (refs PB-120586)
Signer Experience
We have fixed an issue where a stored signature would not always appear in the Signer Experience. This occurred when an account sender was assigned a transaction to sign, accessed the Signer Experience through the link provided to them by email, and then signed the transaction using their stored signature. If they then canceled out of the Signer Experience and attempted to sign once again, their stored signature would not appear. (refs PB-106991)
Known Issues
Customized document metadata cannot be removed. (refs PB-121551)
Vulnerabilities
This release also includes important security and vulnerability fixes.