Every Fax Attestation is signed with an EC key and logged to an independent, append-only transparency log. Verify delivery offline with nothing but openssl.
FaxSeal includes a tamper-evident receipt PDF on every fax. Fax Attestation is a separate, enterprise-only feature that adds cryptographic signing and an independent public audit trail.
| Certified ReceiptFree · all plans | Fax AttestationEnterprise · partner API | |
|---|---|---|
| What it proves | Document content was not altered | Fax was sent and delivered at a specific time |
| Format | PDF receipt | JSON bundle with EC signature |
| Verification tool | faxseal.com/verify | openssl — no FaxSeal needed |
| Independent audit log | — | Sigstore Rekor (Linux Foundation) |
| Works offline | — | ✓ signature check only |
| PHI handling | N/A | Numbers & emails SHA-256 hashed before logging |
| API export | — | GET /api/v1/fax/:id/bundle |
See the proof timeline for any fax
After a fax is sent, go to your dashboard and click Verify → next to any delivered fax — or go directly to faxseal.com/verify/[jobId]. With attestation enabled, the page shows both Rekor entry IDs and bundle download links alongside the proof timeline.
Live demo
opensslDownload the bundle once. Disconnect from the internet. The signature either checks out or it doesn't — no FaxSeal infrastructure involved.
When your fax reaches the carrier, FaxSeal signs a payload containing a hash of the recipient number, sender identity, page count, and timestamp using an EC private key that never leaves our servers.
The signature is submitted to Sigstore Rekor — an independent, append-only transparency ledger. The send and delivery events are cryptographically signed and logged in a way that is tamper-evident and verifiable without contacting FaxSeal. Rekor issues a signed inclusion proof; neither FaxSeal nor anyone else can alter or delete this record after submission.
When the carrier confirms delivery, a second signed event is written: a SHA-256 hash of the delivered document, the delivery timestamp, and the Rekor entry ID from step 1. The two events form an auditable chain.
Download the attestation bundle for any fax. Verify the EC signature with openssl. No FaxSeal server, no Rekor connection, no trust required beyond the math.
One JSON file, self-contained. Everything needed to verify — no external lookups required for the signature check.
signedJsonExact bytes signed at send time — use verbatim for verification
signatureECDSA signature over SHA-256(signedJson), base64-encoded
publicKeyFaxSeal's EC public key in SPKI PEM format
rekorIdEntry UUID on Sigstore Rekor — independently verifiable
payload.event"fax.sent" or "fax.delivered" — the two events in the chain
payload.documentHashSHA-256 of the delivered document (delivery event only)
An open-source, append-only transparency log maintained by the Linux Foundation (the same organization behind the Linux kernel and Kubernetes). It has been production-grade since 2021 and is used by Google, Red Hat, and the broader open-source supply-chain security community.
None. Recipient fax numbers and sender emails are SHA-256 hashed before inclusion in public Rekor payloads. The hashes are one-way — they prove the number was involved without revealing it. Job IDs and page counts are logged in plain text.
No. Rekor is append-only by design. Once submitted, an entry is permanent and independently verifiable by anyone with the entry ID. FaxSeal has no write access to the log after submission.
The signature check (step 1 of verification) requires only openssl and the bundle — no network. Optionally, you can confirm the Rekor entry online for a stronger proof that the payload was logged before you received it.
Fax Attestation is available on the Enterprise plan for organizations and through the Partner API with the attestation flag enabled. Contact us to activate.
White Paper
The full technical case — competitor analysis, HIPAA breakdown, compliance use cases, and the complete two-event attestation architecture.
Available on the Enterprise plan. Contact us and we'll enable it for your organisation or partner integration.