Sign Agreement Filters & Folders, Combined Document Download & Sign API Hardening

This week's release ships agreement folders and filtering improvements in Propper Sign, a combined document download endpoint for DocuSign-compatible clients, a wide set of Sign API hardening fixes (template responses, recipient role mapping, error propagation), and a critical security patch for the sanitize-html dependency.

Propper Sign Enhancements

• Agreement Folders & Filters. Agreements can now be organized into folders, and the agreements list adds richer filtering — including a multi-value status filter, with the ability to toggle a status filter off by clicking it again to reset to ALL. The signing-page header is now pinned in place when scrolling long documents, and status badges grow vertically to accommodate multiline content.
• Preserve Source Documents on Send. Agreements now persist their source documents through the send flow, inherit their template type, and echo the document name back on the response — fixing several drift issues that were causing follow-up downloads and traceability calls to miss metadata.
• Correct Annotation Placement on Rotated PDF Pages. Fixed a bug where tags placed on pages with a rotation flag would render at the wrong coordinates on the signed document.
• Template Identity Provider Auth Preserved. Templates that require a specific identity provider now correctly preserve the IdP setting through template clone, send, and resend.

Sign API

• Combined Document Download for DocuSign Envelopes. sign-api now implements the combined-document download endpoint expected by DocuSign-compatible clients — a single PDF containing every signed document on the envelope. API reference
• POST /v1/sign/templates. Create an empty Sign template via API — the missing companion to the existing template import endpoints, useful for programmatic template lifecycles.
• clientUserId Honored on Inline Envelopes. Inline-signing envelopes now honor the caller's clientUserId, and the view-session TTL has been raised to 60 minutes so longer embedded signing flows don't time out mid-session.
• templates/{id}/send is stricter and richer. The endpoint now returns recipients in the response, populates roles[] on template list/get, rejects fieldless templates with a clear error, and honors body.name when creating an agreement from a template. templates/import accepts both upper- and lower-case field types.
• VIEWER Recipients Map to CARBON_COPY. The API now translates VIEWER recipient roles to the underlying CARBON_COPY representation before forwarding to the BFF, so DocuSign-style integrations get consistent behavior.
• 402 PAYMENT_REQUIRED Propagates Through gen-and-send. Plan-limit errors are now propagated correctly through sign-api instead of being masked as 500s, so integrators can react to billing-state responses programmatically.
• Multi-Value status Filter on GET /sign/agreements. The BFF now accepts a multi-value status query parameter on the agreements list endpoint, matching the new web filter behavior.
• Hardened OAuth Scope Validation. client_credentials token requests now reject invalid scopes up front, and a stale BFF service:admin scope bypass was removed from the authorization path.

Platform

• Background Polling Pauses When Tab Is Hidden. The web app no longer polls /api/auth/me while the browser tab is in the background, reducing battery drain and unnecessary backend load.
• Help Menu Accessibility. The top-bar Help menu trigger now exposes an aria-label so it reads correctly under screen readers and assistive tech.

Security

• Critical XSS Patch (CVE-2026-44990). sanitize-html has been bumped to 2.17.4 across the platform to patch a critical XSS vulnerability in HTML rendering paths.
• Click webhookSecret Redacted on Settings GET. The Click organization-settings GET response no longer echoes the configured webhookSecret value back to clients. Existing secrets continue to function — only the read path is redacted.

See these improvements in action. Book a demo to see how Propper Sign and the rest of the platform work together, or start your free trial to get started today.