Signature — Resource electronic signature
Signature is a data type (not a standalone resource) that encodes a resource cryptographic signature. Used in Provenance, Bundle, Contract.
Purpose
Signature carries the electronic signature of a resource or Bundle. Supported formats: JWS (JSON Web Signature, RFC 7515, FHIR profile), XMLDSig (XML Signature), XAdES (XML Advanced Electronic Signatures, eIDAS).
The data field carries the binary base64 signature. targetFormat specifies what was signed (JSON vs XML). sigFormat specifies the signature format.
Key fields
| Field | Type | Cardinality | Role |
|---|---|---|---|
type | Coding[] | 1..* | Signature type (ISO 1.2.840.10065.1.12.1.* table). |
when | instant | 1..1 | Signature timestamp. |
who | Reference(Practitioner | PractitionerRole | RelatedPerson | Patient | Device | Organization) | 1..1 | Signer. |
onBehalfOf | Reference(...) | 0..1 | On-behalf-of party. |
targetFormat | code (MIME) | 0..1 | Signed format. |
sigFormat | code (MIME) | 0..1 | Signature format (application/jose, application/signature+xml). |
data | base64Binary | 0..1 | Base64 signature payload. |
JSON example
JWS signature of a clinical Bundle:
{
"type": [{
"system": "urn:iso-astm:E1762-95:2013",
"code": "1.2.840.10065.1.12.1.1",
"display": "Author's Signature"
}],
"when": "2026-05-16T14:30:00Z",
"who": { "reference": "Practitioner/dr-smith" },
"targetFormat": "application/fhir+json",
"sigFormat": "application/jose",
"data": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImRyLXNtaXRoLWNlcnQifQ.eyJpYXQiOjE3NDc0...SIGNATURE-PAYLOAD"
} Common pitfalls
- targetFormat missing: JSON vs XML ambiguity — signature can be invalid for the reconstructed format.
- who without published certificate: cannot verify the signature on the receiving side.
- Re-serialisation breaking: in FHIR JSON, key order can break the signature. Always use canonicalisation (JCS, RFC 8785).
Related resources
- Provenance — Carries Signatures to trace authenticity.
- Bundle — Bundle.signature signs the whole bundle.
- Contract — Contractual signature.
- Verifiable Credentials — Compatible signature pattern (W3C VC + FHIR).