Solutions · Digital document signing
Digital document signing
Sign and prove documents - no software to install.
Raytio provides PDF signing in the browser and two layers of digital signature: Raytio signs the data it vouches for (verification results, webhook payloads) with keys held in hardware, and every user holds a device-bound signing key to prove they authored or approved their own data.
How it works
- Sign a PDF directly in the browser - nothing to install.
- When Raytio verifies a fact, the result is signed server-side (RSA-PSS SHA-512, keys held in AWS KMS hardware - they cannot be exported).
- A recipient fetches Raytio's public key and verifies the signature against the canonical data - confirming it is genuine and unaltered, without asking us.
- Each user also holds a private signing key, encrypted so it never leaves their device - so nobody, including Raytio, can forge a signature on their behalf.
Why Raytio
Two chains of trust
Server-side signing proves Raytio vouches for a fact; client-side signing proves a specific person authored it.
Keys that can't be exported
Raytio's signing keys live in hardware security modules; user keys live encrypted on user devices.
Deterministic verification
Data is serialised as canonical JSON, so the same data always verifies the same way, in any system.
Products used
Verified customers, protected data, and agents you can hold to account.