Step 1 Drop the .signet sidecar
The JSON attestation file produced by the signer. Required.
.signet file here, or click to chooseStep 2 Drop the original file (optional but recommended)
The file the .signet attestation was made over. Without it we can still verify the cryptographic signatures and the biometric event, but we cannot prove the .signet attestation matches your actual file. Adding it activates the file-hash check.
What we check
1. Cryptographic layer. We re-canonicalize the payload (sorted keys, no whitespace), compute its SHA-256, and verify the embedded Ed25519 signature against the published public key. If this passes, we know the payload has not been altered since signing and the signer holds the private key matching the public key in the artifact.
2. Biometric layer (WebAuthn). We verify the WebAuthn assertion: that its clientDataJSON.challenge matches the SHA-256 of the canonical payload, and that the userVerified flag in the authenticator data is set (meaning a real biometric was used). We do not re-verify the WebAuthn public-key signature in Tier 1 (the enrollment attestation chain would let us, but it adds substantial parsing — slated for the enterprise verifier API).
3. File-hash integrity (if original provided). We hash the original file and compare to the originalFile.sha256 field inside the signed payload. A match proves the .signet was made over this exact file.
What a passing result means
If all three layers pass: the signer with the published public key authored or authorized the specific file you provided, with a verified biometric event, at the timestamp in issuedAt. The proof is mathematical, not relational — it doesn't depend on idregulators.com remaining online.
Verifying without our help
Every check above is reproducible offline with open libraries. Use Python cryptography (Ed25519), Node noble-ed25519, Rust ed25519-dalek, or OpenSSL. The canonical-JSON discipline is sorted-keys + minified UTF-8. This page is convenience; the math is what matters.