Deepstamp

Building document authenticity verification as a SaaS API - lessons learned

At Deepstamp, we're building what we call "the HTTPS for documents" — an API that certifies the integrity of PDF files at emission, so recipients can verify authenticity independently.

Here's what we learned building it.

The core architecture

Two endpoints. Stateless. Fast.

POST /certify
Takes a PDF file. Returns a certificate ID and a cryptographic fingerprint (SHA-256 of the file content + timestamp + issuer metadata). Under 2 seconds p95.

POST /verify
Takes a PDF file and a certificate ID. Returns whether the file matches the certificate — meaning it hasn't been modified since certification.

No file storage. We never store the document itself — only the fingerprint and metadata. This was a hard requirement from day one. GDPR, but also trust: your documents never leave your infrastructure.
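
A local model of the certify/verify pair described above, as an added example that is not Deepstamp's code. The length-prefixed field encoding, the record layout, the in-memory `STORE` and the function names are assumptions; the page only states that the fingerprint is a SHA-256 over file content, timestamp and issuer metadata.

```python
import hashlib
import hmac
import json
import uuid

# Assumed store: certificate_id -> record. Only the fingerprint and
# metadata are kept, never the document bytes.
STORE = {}

def _frame(field: bytes) -> bytes:
    # Length-prefix each field so bytes cannot shift between content,
    # timestamp and metadata and still hash the same (assumed encoding).
    return len(field).to_bytes(8, "big") + field

def fingerprint(pdf: bytes, timestamp: str, issuer: dict) -> str:
    # Canonical JSON: sorted keys and fixed separators make the hash
    # independent of dict ordering.
    meta = json.dumps(issuer, sort_keys=True, separators=(",", ":")).encode()
    h = hashlib.sha256()
    for field in (pdf, timestamp.encode(), meta):
        h.update(_frame(field))
    return h.hexdigest()

def certify(pdf: bytes, timestamp: str, issuer: dict) -> str:
    cert_id = uuid.uuid4().hex
    STORE[cert_id] = {
        "fingerprint": fingerprint(pdf, timestamp, issuer),
        "timestamp": timestamp,
        "issuer": issuer,
    }
    return cert_id

def verify(pdf: bytes, cert_id: str) -> bool:
    rec = STORE.get(cert_id)
    if rec is None:
        return False  # unknown certificate: fail closed
    candidate = fingerprint(pdf, rec["timestamp"], rec["issuer"])
    return hmac.compare_digest(candidate, rec["fingerprint"])

# Constructed sample input, not a real invoice.
SAMPLE_PDF = b"%PDF-1.7\n% constructed sample invoice\n%%EOF\n"
SAMPLE_ISSUER = {"name": "Example Issuer", "id": "issuer-0001"}

if __name__ == "__main__":
    cid = certify(SAMPLE_PDF, "2024-01-01T00:00:00Z", SAMPLE_ISSUER)
    print(verify(SAMPLE_PDF, cid), verify(SAMPLE_PDF + b" ", cid))
```

In this sketch a single appended byte is enough to fail `verify`, and the stored record holds only the fingerprint, timestamp and issuer metadata.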

The hard part — designing for longevity

The obvious trap: if verification depends on your infrastructure being up, your certificates are only as reliable as your uptime.

We designed verification to be as infrastructure-independent as possible. The goal: a document certified today should still be verifiable in 10 years, regardless of what happens to Deepstamp.

This shapes everything — the cryptographic primitives we chose, how we structure the certificate metadata, what we embed in the document footer.

Integration in practice

The integration pattern for a SaaS emitting invoices:

  1. User triggers invoice generation
  2. Your backend generates the PDF
  3. POST to /certify with the PDF buffer
  4. Receive certificate_id back (< 2s)
  5. Embed certificate_id in the invoice footer ("Verify on deepstamp.fr/verify")
  6. Send the invoice to your customer

Your customer can now drag-and-drop the PDF on deepstamp.fr/verify and get instant confirmation that the file is authentic.

What surprised us

Recipients actually use it. We expected verification to be a rarely used edge case. It turns out that when you give people an easy way to verify a document, they do, especially accountants and legal teams.

The trust infrastructure for documents is being built now. If you're working on something similar or want to integrate: deepstamp.fr/developers
