PDF Verification SDK|Read the docs

Verify PDF Digital Signatures.
Entirely Client-Side.

A JavaScript and TypeScript SDK for verifying digitally signed PDFs — powered by Rust/WASM in the browser, native on Node.js. No server round-trips. No external dependencies. PAdES conformance detection built in.

Get Started Live Demo

Quick Start

import { VerifyKitProvider, Viewer, WelcomeScreen,
  useVerification, defaultLayoutPlugin } from '@trexolab/verifykit-react'
import '@trexolab/verifykit-react/styles.css'

function App() {
  return (
    <VerifyKitProvider config={{ theme: { mode: 'system' } }}>
      <PdfViewer />
    </VerifyKitProvider>
  )
}

function PdfViewer() {
  const verification = useVerification()
  const [layout] = useState(() => defaultLayoutPlugin())

  if (!verification.fileBuffer) {
    return <WelcomeScreen onOpenFile={(f) => verification.load(f)} />
  }

  return (
    <Viewer
      fileBuffer={verification.fileBuffer}
      fileName={verification.fileName}
      plugins={[layout.plugin]}
      onOpenFile={(f) => verification.load(f)}
      initialState={{
        signatures: verification.signatures,
        verificationStatus: verification.status ?? undefined,
      }}
    />
  )
}

Verification Pipeline

Every signature is validated through a comprehensive 8-check pipeline. Each check is independent and produces its own status.

Integrity

Validates the cryptographic hash of the signed content has not been tampered with.

Signature

Confirms the cryptographic signature is mathematically valid against the signer's public key.

Certificate Chain

Verifies the certificate chains to a trusted root CA from the built-in AATL store.

Expiry

Checks that all certificates in the chain were valid at signing time.

Timestamp

Validates the RFC 3161 timestamp token is present and cryptographically sound.

Revocation

Ensures the signing certificate has not been revoked via CRL or OCSP responses.

Algorithm

Enforces minimum cryptographic strength — no MD5/SHA-1, RSA keys >= 2048 bits.

EKU

Confirms the Extended Key Usage extension permits document signing.

Features

Zero Server Dependency

All crypto runs client-side in WASM. No server round-trips, no external services, no data leaves the browser.

WASM-Powered

3.7x faster than JavaScript. The Rust/WASM core handles all cryptographic operations with zero npm runtime dependencies.

Built-in Trust Store

Ships with 119 AATL root certificates plus Indian CCA hierarchy. Certificate chain validation works out of the box.

Plugin Architecture

24 composable viewer plugins. Disable what you don't need, extend with custom plugins. Fully tree-shakeable.

PAdES Conformance

Detects B-B, B-T, B-LT, and B-LTA conformance levels. Full LTV and document timestamp support.

Framework Agnostic

First-class React support, plus a vanilla API that works with any framework or plain HTML via CDN.

Packages

@trexolab/verifykit-core

Rust/WASM verification engine. Zero-dependency cryptographic core.

npm i @trexolab/verifykit-core

@trexolab/verifykit-react

React components, hooks, and full PDF viewer with 24 plugins.

npm i @trexolab/verifykit-react

@trexolab/verifykit-vanilla

Framework-agnostic. Drop-in viewer via CDN or bundler.

npm i @trexolab/verifykit-vanilla

@trexolab/verifykit-plugin-revocation

Server-side CRL/OCSP proxy for online revocation checking.

npm i @trexolab/verifykit-plugin-revocation

Use Cases

Legal & Compliance

Validate eIDAS qualified electronic signatures and ESIGN Act compliant documents. Verify PAdES conformance levels (B-B through B-LTA) for long-term archival. Ideal for contract management, notarization platforms, and regulatory document workflows.

Enterprise & Government

Integrate PDF signature verification into enterprise portals, government e-services, and document management systems. Support custom Certificate Authorities alongside the built-in 119 AATL root certificates. Run headless verification in CI/CD pipelines.

Developer Tools & SaaS

Embed a complete PDF viewer with signature verification into your SaaS product. Drop in with a single CDN script tag or use the React component library with 24 composable plugins. Full theming, internationalization (7 locales), and accessibility support.

Technical Highlights

3.7x Faster

Rust/WASM core outperforms pure JavaScript PDF verification engines. All cryptographic operations run in a sandboxed WASM environment.

Zero Config

Base64-embedded WASM binary — no bundler configuration needed. Works with Vite, webpack, Next.js, Turbopack out of the box.

Privacy First

PDF bytes never leave the user's device. No telemetry, no analytics, no third-party services. WASM sandbox provides memory isolation.

Full Stack

Browser verification with React or vanilla JS. Server-side with Node.js, Deno, or Bun. Same API, same verification results, any runtime.

Frequently Asked Questions

How do I verify a digitally signed PDF in the browser?+

VerifyKit lets you verify digitally signed PDFs entirely in the browser using JavaScript and WebAssembly. Install the npm package, add the React viewer or vanilla JS drop-in to your page, and load a signed PDF — signatures are verified automatically through an 8-point pipeline covering integrity, cryptographic validity, certificate chain trust, expiry, timestamps, revocation, algorithm strength, and key usage. No server upload required.

Does it show the green checkmark like Adobe Acrobat?+

Yes. VerifyKit supports Acro6 layer appearance swapping — the same mechanism Adobe Acrobat uses to display signature status icons. After verification, the viewer renders a green checkmark for valid signatures, a red cross for invalid, and a yellow question mark for unknown status, directly on the signature field in the PDF. This works for both legacy (n1 layer) and Acro6 (FRM/n0 layer) signature structures.

What does the 8-point verification pipeline check?+

Every signature is checked across eight independent dimensions: (1) Integrity — detects any post-signing tampering, (2) Signature — validates the CMS/PKCS#7 cryptographic signature, (3) Certificate Chain — verifies trust to one of 119 Adobe AATL root CAs, (4) Expiry — confirms certificates were valid at signing time, (5) Timestamp — validates RFC 3161 timestamp tokens, (6) Revocation — checks CRL/OCSP status, (7) Algorithm — enforces SHA-256+ and RSA 2048+, (8) EKU — confirms the certificate permits document signing.

Can I verify PDF signatures in Node.js without a browser?+

Yes. The @trexolab/verifykit-core package provides a headless API that runs in Node.js 20+, Deno, and Bun with zero DOM dependencies. Use createVerifier() and verify() to process signed PDFs server-side — ideal for batch processing, CI/CD pipelines, automated compliance checks, and API-driven validation workflows.

What is PAdES and does VerifyKit detect conformance levels?+

PAdES (PDF Advanced Electronic Signatures) is the European standard (ETSI EN 319 142) for electronic signatures in PDF. VerifyKit detects four conformance levels: B-B (basic signature), B-T (with trusted timestamp), B-LT (with embedded validation data for offline verification), and B-LTA (with archival timestamps for 10+ year validity). This is essential for eIDAS compliance and long-term document archival.

Is my PDF data safe? Does it get uploaded anywhere?+

PDF bytes never leave your device during verification. All cryptographic operations run inside a WebAssembly sandbox in the browser — no server round-trips, no third-party services, no telemetry, no analytics. The only optional network requests are for AIA certificate chain resolution and online revocation checking, which fetch certificate infrastructure data, not document content.

What frameworks and browsers are supported?+

VerifyKit supports React 19+ with a full component library and hooks, vanilla JavaScript via CDN or bundler (compatible with Vue, Angular, Svelte, or plain HTML), and headless Node.js/Deno/Bun. Browser support includes Chrome 109+, Firefox 115+, Safari 16.4+, and Edge 109+. The Rust/WASM core is 3.7x faster than pure JavaScript alternatives.

Can I use my own Certificate Authority for verification?+

Yes. VerifyKit ships with 119 Adobe Approved Trust List (AATL) root certificates built into the WASM binary. You can extend this with your own root CAs using merge mode (adds alongside AATL roots) or replace mode (uses only your CAs). This supports enterprise deployments with internal PKI, government CAs, and custom trust hierarchies.

How do I integrate VerifyKit with my existing application?+

For React apps: install @trexolab/verifykit-react, wrap your app with VerifyKitProvider, and add the Viewer component. For any website: add a single CDN script tag with @trexolab/verifykit-vanilla and call VerifyKit.create(). For server-side: install @trexolab/verifykit-core and use the headless API. All packages work with npm install — no native add-ons or build tool configuration needed.

Is VerifyKit suitable for eIDAS and ESIGN Act compliance?+

VerifyKit implements the cryptographic verification checks required for eIDAS (EU 910/2014) and ESIGN Act (US) compliance. It supports PAdES conformance detection (B-B through B-LTA), qualified certificate validation, CRL/OCSP revocation checking, and long-term archival verification. Combined with the 8-point verification model, it provides the technical foundation for legally binding electronic signature workflows.

Start Verifying PDF Signatures Today

Get up and running in under 5 minutes. Install via npm, add the React component or CDN script, and verify your first PDF.