1. Sign payload
Payload (JSON)
RFC 8785 canonical · SHA-256
Geo anchoring
Opt-in to attach device GPS; otherwise server infers from IP
2. Verify (stateless)
Re-canonicalizes the payload server-side and recomputes both signatures. No DB lookup. For DB-backed verify + revocation check, open the public URL after signing.
Payload (JSON)
HMAC kid
HMAC sig
Ed25519 kid
Ed25519 sig
Use the API
Live snippets: copy and paste. Replace $TOKEN with your bearer token.

```bash
# 1. health
curl -s https://aevion-production-a70c.up.railway.app/api/qsign/v2/health | jq

# 2. sign (idempotent)
curl -s -X POST https://aevion-production-a70c.up.railway.app/api/qsign/v2/sign \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: order-2026-04-28-001" \
  -d '{"payload":{"artifact":"invoice-001","amount":1500.00,"currency":"USD"}}' | jq

# 3. public verify (no auth); quoted so the shell does not treat < and > as redirections
curl -s "https://aevion-production-a70c.up.railway.app/api/qsign/v2/<signature-id>/public" | jq

# 4. PDF stamp
curl -sL "https://aevion-production-a70c.up.railway.app/api/qsign/v2/<signature-id>/pdf?download=1" \
  -o "signed-<signatu.pdf"

# 5. recent activity; quoted so the shell does not glob the ? in the query string
curl -s "https://aevion-production-a70c.up.railway.app/api/qsign/v2/audit?limit=20" \
  -H "Authorization: Bearer $TOKEN" | jq

# 6. Prometheus metrics scrape
curl -s https://aevion-production-a70c.up.railway.app/api/qsign/v2/metrics
```

How QSign v2 works
- Your payload is canonicalized per RFC 8785 (JCS) — keys sorted, no whitespace, deterministic across clients.
- SHA-256 of the canonical form is signed with two independent keys: HMAC-SHA256 (shared secret) and Ed25519 (public verifiable).
- The signature row is persisted with issuer, geo, and key IDs. A shareable public URL verifies it without secrets.
- Keys rotate with an overlap window — retired keys remain valid for verifying historical signatures forever.
- Any signature can be revoked by its issuer (or admin). Revoked rows stay cryptographically valid but report valid=false.
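The canonicalize, hash, dual-sign and stateless-verify steps listed above, as an added Node.js example that is not QSign's own code. The kid names, the in-memory demo keys, hex-encoded signatures and signing the raw 32-byte digest are assumptions; the page does not specify them.

```javascript
const crypto = require("node:crypto");

// RFC 8785 (JCS): keys sorted by UTF-16 code units, no whitespace, primitives
// serialized as JSON.stringify does. Input is assumed to come from JSON.parse.
function canonicalize(v) {
  if (v === null || typeof v !== "object") return JSON.stringify(v);
  if (Array.isArray(v)) return "[" + v.map(canonicalize).join(",") + "]";
  const members = Object.keys(v).sort()
    .map((k) => JSON.stringify(k) + ":" + canonicalize(v[k]));
  return "{" + members.join(",") + "}";
}

// Constructed demo keys with hypothetical kids; Maps avoid prototype-key lookups.
const hmacKeys = new Map([["hmac-demo-1", crypto.randomBytes(32)]]);
const edKeys = new Map([["ed-demo-1", crypto.generateKeyPairSync("ed25519")]]);

function digest(payload) {
  return crypto.createHash("sha256").update(canonicalize(payload), "utf8").digest();
}

// Assumption: both algorithms sign the raw 32-byte digest; signatures are hex.
function sign(payload, hmacKid, edKid) {
  const d = digest(payload);
  return {
    hmacKid,
    edKid,
    hmacSig: crypto.createHmac("sha256", hmacKeys.get(hmacKid)).update(d).digest("hex"),
    edSig: crypto.sign(null, d, edKeys.get(edKid).privateKey).toString("hex"),
  };
}

// Stateless verify: re-canonicalize, recompute, require BOTH signatures to match.
function verify(payload, sig) {
  const hmacKey = hmacKeys.get(sig.hmacKid);
  const edKey = edKeys.get(sig.edKid);
  if (!hmacKey || !edKey) return false; // unknown kid
  const d = digest(payload);
  const expected = crypto.createHmac("sha256", hmacKey).update(d).digest();
  const got = Buffer.from(String(sig.hmacSig), "hex");
  const hmacOk = got.length === expected.length && crypto.timingSafeEqual(got, expected);
  const edOk = crypto.verify(null, d, edKey.publicKey, Buffer.from(String(sig.edSig), "hex"));
  return hmacOk && edOk;
}

// The page's sample payload, keys re-ordered and 1500.00 as a client would write it.
const sample = JSON.parse('{"currency":"USD","amount":1500.00,"artifact":"invoice-001"}');
const sig = sign(sample, "hmac-demo-1", "ed-demo-1");
console.log(canonicalize(sample), verify(sample, sig));
```

Note that `1500.00` canonicalizes to `1500`, so a client that hashes its own raw request body instead of the canonical form will compute a different digest than the verifier.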