Applications & Signatures

DoorStax provides a complete rental application system with custom form builder, email verification, digital signatures, PDF generation, and document uploads.

Overview

The applications system lets PMs define custom application templates per property or unit, send email-verified magic links to applicants, collect digital signatures, generate branded PDFs, and track the full funnel from request to submission.

Application Flow

  1. PM creates/customizes an ApplicationTemplate with fields and document requirements
  2. PM assigns the template to units or properties (cascade: unit → property → PM default)
  3. Applicant visits /apply/[unitId] and enters their email
  4. System sends a branded magic link via Resend (24h expiry, single-use)
  5. Applicant clicks the link — PM is notified of the click
  6. Applicant fills out the form, uploads required documents, signs (canvas + typed name)
  7. Submission triggers PDF generation and PM email notification with PDF attached
  8. PM reviews and approves/denies; approved applications copy PDF to the tenant profile

Custom Form Builder

PMs build application templates with a drag-and-drop field editor. Fields support 8 types:

TEXT
TEXTAREA
SELECT
CHECKBOX
NUMBER
DATE
EMAIL
PHONE

The template editor includes a live preview panel (50% width) that renders the form in real-time as the PM adds/edits/reorders fields.

Security Features

  • Disposable email blocklist — 30+ throwaway domains blocked
  • Rate limiting — 3 magic links per email/24h, 10 per IP/hour
  • Honeypot field — hidden from humans, silently blocks bots
  • Single-use tokens — 24-hour expiry, marked used on submission
  • IP + User Agent tracking — captured for signature verification

Digital Signatures

Applications require both a drawn signature (HTML canvas, touch-enabled) and a typed full legal name. A legal attestation checkbox must be accepted before the signature pad activates.

typescript
// Submission body includes signature + verification metadata
{
  applicantName: "John Smith",
  applicantEmail: "john@example.com",
  token: "abc123...",                    // Magic link token
  signatureImage: "data:image/png;...",  // Base64 PNG
  signatureTypedName: "John Robert Smith",
  uploadedDocumentIds: ["doc1", "doc2"],
  answers: [
    { fieldId: "field1", value: "..." },
    ...
  ]
}
// Server captures:
// - ip (from x-forwarded-for)
// - userAgent (from headers)
// - signedAt (timestamp)

PDF Generation

After submission, a branded PDF is generated via jsPDFwith the DoorStax header, all field answers grouped by section, the drawn signature image, typed name, and a digital verification box containing timestamp, IP address, and user agent.

API Endpoints

Template Management

  • GET/POST /api/applications/templates
  • GET/PUT/DELETE /api/applications/templates/[id]
  • GET/POST /api/applications/templates/[id]/documents
  • PUT/DELETE /api/applications/templates/[id]/documents/[docId]

Public Apply Flow (no auth)

  • POST /api/apply/[unitId]/request — Send magic link
  • POST /api/apply/[unitId]/validate-token — Verify token
  • GET /api/apply/[unitId]/fields — Get resolved template fields
  • GET /api/apply/[unitId]/documents — Get required document list
  • POST /api/apply/[unitId]/upload — Upload document to Vercel Blob
  • POST /api/apply/[unitId]/submit — Submit completed application

Auto-Reminders

The /api/cron/application-reminders cron runs every 6 hours and emails applicants who started but didn't finish, with configurable delay, interval, and max count per template. Only sends while the unit is still available.