Public verification
Every recipient can verify, no account required
A seal that only the issuer can verify is not a seal — it is a private claim. We expose a public verification API that any recipient (a building inspector, a client, a regulator) can hit without logging in. No account, no friction, no dependency on EngineeringID being there in the future. Just bytes, hashes, and PKI.
Executive summary
POST /v1/verify/pdf accepts a hash and a verification code. It returns whether the seal is valid, who issued it, and when. It is rate-limited (60/min/IP), CORS-permissive on this route only, and works without authentication.
For the truly paranoid case (or an EngineeringID outage), verification works fully offline: the X.509 signature, the RFC 3161 timestamp token, and the embedded certificates are all the verifier needs. Acrobat does this natively. So does openssl. So does any standard X.509 toolchain.
Our commitments
Five rules for the verification surface
No account required
The verifier is the recipient — a building inspector, a counterparty, a regulator. Forcing them to create an account creates exactly the friction that makes verification not happen.
Verification is offline-capable
Our infrastructure can disappear and the seal still verifies. The X.509 + RFC 3161 envelope is self-contained; any X.509-aware tool can verify without contacting us.
The verification answer is unambiguous
Three states: valid, tampered, not_found. No 'mostly valid' or 'valid with warnings.' If anything in the integrity chain is off, the answer is tampered.
Verification leaks nothing about the document
The verify endpoint returns issuer credentials, seal time, and validity — never the document content, never sensitive metadata. A leaked verification code does not expose what was sealed.
Rate limits protect, do not punish
60 requests per minute per IP is more than any legitimate verifier needs and less than any abuser wants. If you have a reason to need more, talk to us.
Implementation — the public API
What the verify endpoint actually does
Implementation — the verification surfaces
Where verifiers actually run
The full picture
What is built, what is being built, and what we chose not to build
Live today
POST /v1/verify/pdf public API
LiveNo auth, rate-limited, CORS-permissive on this route only.
Public web verification page
LivePaste a code or upload a PDF; non-technical-recipient-friendly UI.
Offline verification via standard PKI tools
LiveX.509 + PKCS #7 + RFC 3161 — Acrobat, openssl, any X.509-aware tool works without us.
Audit-logged verification requests
LiveEvery verify call records source IP, code prefix, result, and response time to a per-org verification log queryable by the issuing org. Verification activity is separate from the hash-chained audit_logs surface used for sealing, MFA, and credential-manifest events; chaining verify requests is on the roadmap.
Building now
Chrome Web Store extension
Building nowBuilt in repo at extensions/chrome (Manifest V3); store listing pending.
Scan active tab PDFs, paste code, drop-PDF on popup.
Adobe Acrobat plugin
Building nowBuilt in repo at extensions/acrobat (UXP Manifest v5, Acrobat DC 22.0+); exchange listing pending.
Verify active document, paste code.
iOS / macOS / Android verification apps
Building nowNative mobile and desktop apps for site inspectors and on-the-go verification.
gRPC client contracts are locked at v1; native UI is the build target.
Bulk verification API
Building nowSubmit a list of (hash, code) pairs; receive a paginated batch result. Useful for archive audits.
Verification result signing
Building nowThe verify endpoint signs its response so the verifier can prove they got a real answer from us, not an MITM-injected reply.
Roadmap
QR-code on the visible seal
RoadmapOptional embedded QR linking to the verification page. Many engineers prefer the seal's existing visual cleanliness; opt-in by org.
Customer-rooted verification API
RoadmapSelf-host a thin verifier in the customer's environment for fully air-gapped verification when our endpoint cannot be reached.
Federated cross-issuer verification
RoadmapIf two compliant platforms exist, a recipient should be able to verify either. Working with peer issuers on a common verification protocol.
Considered & rejected
Account-required verification
Considered & rejectedForcing a counterparty to create an account is the easiest way to make verification not happen.
Why we rejected it: the verifier is not our customer. We do not need to "engage" them. We need them to confirm a seal in three seconds and move on. Friction at the verification step undermines the entire reason the seal exists.
Returning the document content from the verify endpoint
Considered & rejectedThe verify endpoint should confirm validity, not reveal what was sealed.
Why we rejected it: a leaked verification code does not become a leaked document. Validity confirmation is a different question from "show me the document." We answer the first one publicly; the second one requires authentication and authorization.
"Premium verification" tier with faster response
Considered & rejectedCharging for verification is charging the wrong party.
Why we rejected it: the verifier is the recipient — a regulator, a counterparty, an inspector. Charging them to verify the seal someone else sent is exactly backwards. Verification is free at the API; rate-limiting protects the system, not the wallet.
"Verified by EngineeringID" badge that just says it's good
Considered & rejectedA trust badge that does not confirm cryptographic validity is decoration, not verification.
Why we rejected it: every "verified by us" badge that does not perform the underlying check is just a logo. The verification API checks the actual hash and signature; it returns a fact, not a feeling.
Compliance mappings
Controls this surface satisfies
Detection of Anomalies
Verification request log surfaces unusual access patterns
Cryptographic controls
X.509 + RFC 3161 verification primitives are NIST/IETF-standardized
Signature manifestation
Verification surfaces signer credentials and seal time
Consumer disclosure
Verification is freely accessible to any recipient
Admissibility in evidence
Verifiable record by independent X.509 toolchain
For compliance teams
Questions you do not need to call to ask
Does the recipient need an account to verify?
What if EngineeringID is down or no longer exists?
What information does the verify endpoint reveal?
What's the rate limit and is it negotiable?
Are verification requests logged?
audit_logs
table that holds sealing, MFA, and credential-manifest events; folding verify requests into the same chain is on the roadmap.
Can a verifier prove they got a real answer from us, not an MITM?
Does the verification API support batch requests?
Verification that works for the recipient
Try the public verification page or download the Chrome / Acrobat plugin to see it in your existing workflow.