## Classic workflow overview

In the **classic** One-Shot Signature workflow, an OTP is sent via SMS by Uanataca to the end user (or another approved authentication method is used). You upload PDF documents; the Optimizer hashes them, sends the hashes to Uanataca, and returns signed PDFs.

## Steps

1. **Retrieve an existing token for the RAO**
Call [List Tokens](/products/namirialpkiaas/one-shot/openapi#operation/call_list_tokens_api_v1_tokens_get) (`GET /oneshot/api/v1/tokens`) to list tokens. In sandbox, use the preconfigured token (e.g. `3bf8d8eb-d96c-41ea-83ad-d78a7016c7da`) in the Create Request call. In production, create tokens via [Create Token](/products/namirialpkiaas/one-shot/openapi#operation/call_create_token_api_v1_token_post).
2. **Create a new digital signature request**
Call [Create](/products/namirialpkiaas/one-shot/openapi#operation/call_create_api_v1_create_post) (`POST /oneshot/api/v1/create`) with the token (or RAO credentials), user data (e.g. `profile`, `given_name`, `surname_1`, `email`, `mobile_phone_number`), and identity document images (`document_front`, `document_rear`, `document_owner`). The response returns a request `pk` (e.g. `388141`).
3. **Upload documents**
Call [Upload Document](/products/namirialpkiaas/one-shot/openapi#operation/call_upload_document_api_v1_document__request_pk__post) (`POST /oneshot/api/v1/document/{request_pk}`) with `file=@doc.pdf` (or multiple `file`, `file2`, …). The response returns a `uid` per document.
4. **Retrieve service contract**
Call [Get Request Contract](/products/namirialpkiaas/one-shot/openapi#operation/call_get_request_contract_api_v1_contract__request_pk__get) (`GET /oneshot/api/v1/contract/{request_pk}/`) to obtain the service contract PDF (binary). The user must view this together with the documents to be signed.
5. **Generate OTP (Uanataca SMS only)**
Call [Generate OTP](/products/namirialpkiaas/one-shot/openapi#operation/call_generate_otp_api_v1_otp__request_pk__post) (`POST /oneshot/api/v1/otp/{request_pk}`). An SMS with the OTP is sent to the mobile number associated with the request.
6. **Sign the documents**
Call [Sign](/products/namirialpkiaas/one-shot/openapi#operation/call_sign_api_v1_sign__request_pk__post) (`POST /oneshot/api/v1/sign/{request_pk}`) with a JSON body. For Uanataca SMS: `{"secret": "123456", "signature": { "appearance": { ... } } }`. For other auth: include `ext_unlock_type` and `ext_unlock_value`. The certificate is issued and all uploaded documents are signed.
7. **Retrieve signed documents**
Call [Get Document](/products/namirialpkiaas/one-shot/openapi#operation/call_get_document_api_v1_document__request_pk___document_uid__get) (`GET /oneshot/api/v1/document/{request_pk}/{document_uid}?document_type=signed`) for each document to get the signed PDF (binary).
8. **Delete documents from the Optimizer**
Call [Delete Document](/products/namirialpkiaas/one-shot/openapi#operation/call_delete_document_api_v1_document__request_pk___document_uid__delete) (`DELETE /oneshot/api/v1/document/{request_pk}/{document_uid}`) for each document when no longer needed. The service does not delete files automatically; back up any file you want to keep before deleting.


## Other authentication methods

One-Shot can use authentication methods other than Uanataca SMS (subject to approval). In the sign call, send `ext_unlock_type` and `ext_unlock_value` instead of (or in addition to) the OTP secret. The exact values depend on the approved method (e.g. biometric).

## Related documentation

- [Workflows overview](/products/namirialpkiaas/one-shot/enterprise-documentation/products-and-modules/workflows/overview) — All workflow types
- [API reference](/products/namirialpkiaas/one-shot/openapi) — Full endpoint specification
- [Webhooks](/products/namirialpkiaas/one-shot/enterprise-documentation/developer-documentation/callbacks/webhooks) — Optional callbacks for status changes