Skip to main content

Digital document signing

Sign and prove documents - no software to install.

Raytio provides PDF signing in the browser and two layers of digital signature: Raytio signs the data it vouches for (verification results, webhook payloads) with keys held in hardware, and every user holds a device-bound signing key to prove they authored or approved their own data.

How it works

  1. Sign a PDF directly in the browser - nothing to install.
  2. When Raytio verifies a fact, the result is signed server-side (RSA-PSS SHA-512, keys held in AWS KMS hardware - they cannot be exported).
  3. A recipient fetches Raytio's public key and verifies the signature against the canonical data - confirming it is genuine and unaltered, without asking us.
  4. Each user also holds a private signing key, encrypted so it never leaves their device - so nobody, including Raytio, can forge a signature on their behalf.

Why Raytio

Two chains of trust

Server-side signing proves Raytio vouches for a fact; client-side signing proves a specific person authored it.

Keys that can't be exported

Raytio's signing keys live in hardware security modules; user keys live encrypted on user devices.

Deterministic verification

Data is serialised as canonical JSON, so the same data always verifies the same way, in any system.

Verify · Share

Verified customers, protected data, and agents you can hold to account.