The latest articles on DEV Community by Deepstamp (@deepstamp). https://dev.to/deepstamp https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3906837%2F8e52ccb3-81ee-4404-b737-292713b35776.png https://dev.to/deepstamp en Deepstamp Fri, 01 May 2026 16:48:45 +0000 https://dev.to/deepstamp/building-document-authenticity-verification-as-a-saas-api-lessons-learned-3nnd https://dev.to/deepstamp/building-document-authenticity-verification-as-a-saas-api-lessons-learned-3nnd <p>At Deepstamp, we're building what we call "the HTTPS for documents" — an API that certifies the integrity of PDF files at emission, so recipients can verify authenticity independently.</p> <p>Here's what we learned building it.</p> <h2> The core architecture </h2> <p>Two endpoints. Stateless. Fast.</p> <p><strong>POST /certify</strong><br> Takes a PDF file. Returns a certificate ID and a cryptographic fingerprint (SHA-256 of the file content + timestamp + issuer metadata). Under 2 seconds p95.</p> <p><strong>POST /verify</strong><br> Takes a PDF file and a certificate ID. Returns whether the file matches the certificate — meaning it hasn't been modified since certification.</p> <p><strong>No file storage.</strong> We never store the document itself — only the fingerprint and metadata. This was a hard requirement from day one. GDPR, but also trust: your documents never leave your infrastructure.</p> <h2> The hard part — designing for longevity </h2> <p>The obvious trap: if verification depends on your infrastructure being up, your certificates are only as reliable as your uptime.</p> <p>We designed verification to be as infrastructure-independent as possible. The goal: a document certified today should still be verifiable in 10 years, regardless of what happens to Deepstamp.</p> <p>This shapes everything — the cryptographic primitives we chose, how we structure the certificate metadata, what we embed in the document footer.</p> <h2> Integration in practice </h2> <p>The integration pattern for a SaaS emitting invoices:</p> <ol> <li>User triggers invoice generation</li> <li>Your backend generates the PDF</li> <li>POST to /certify with the PDF buffer</li> <li>Receive certificate_id back (&lt; 2s)</li> <li>Embed certificate_id in the invoice footer ("Verify on deepstamp.fr/verify")</li> <li>Send the invoice to your customer</li> </ol> <p>Your customer can now drag-and-drop the PDF on deepstamp.fr/verify and get instant confirmation that the file is authentic.</p> <h2> What surprised us </h2> <p><strong>Recipients actually use it.</strong> We expected verification to be a rarely-used edge case. It turns out that when you give people an easy way to verify a document, they do — especially accountants and legal teams.</p> <p>The trust infrastructure for documents is being built now. If you're working on something similar or want to integrate: deepstamp.fr/developers</p> security api saas webdev