Verify a pack
Every Velin evidence pack is a single signed PDF. Anyone can verify it end-to-end without contacting Velin's servers — the math is the trust; we are just the producer.
What a passing verification proves
- 01The attached data is cryptographically signed by Velin.
- 02The signature is valid against Velin's published public key.
- 03The audit log chain is intact, hash-linked entry by entry from GENESIS through the export.
- 04Every historical approval is self-consistent: the asserted state hash matches a SHA-256 of the exact bytes the approver signed.
- 05The published public key body genuinely corresponds to its published fingerprint. The verifier independently recomputes sha256(public_key_bytes) and rejects any mismatch — this guards against deploy-time errors where the keys file is updated with the right fingerprint but the wrong key body.
Run it from the command line
From a developer's machine, with no network access required:
$ npx @usevelin/verify packages/verify/tests/fixtures/sybha-2026-0001-10f20663.pdf \
--public-key 7ae995d9f7ac61965eaa6e77c1aaad7e17e17a62d783d33c9f1411bfcd31a8ca
@usevelin/verify 1.0.0
packages/verify/tests/fixtures/sybha-2026-0001-10f20663.pdf
✓ Pack format ok
✓ Attachments ok
✓ Pack content hash ok
✓ Signature ok
✓ Audit chain ok
✓ Approvals ok
PASS — this pack is cryptographically valid.Passing --public-key skips the network fetch entirely. Once usevelin.com is live, the flag becomes optional — the verifier falls back to https://usevelin.com/.well-known/keys.json. Both paths run the same fingerprint cross-check.
Or verify in your browser
The same engine runs in the browser at app.usevelin.com/verify. Drag a pack PDF into the page; the file never leaves your machine, and the result appears in seconds.
Current platform key
Velin signs evidence packs with the Ed25519 key whose public half is published below.
- Public key (hex)
- 7ae995d9f7ac61965eaa6e77c1aaad7e17e17a62d783d33c9f1411bfcd31a8ca
- Fingerprint (sha256)
- 979cc2104eaabc192bf09e39d3d26bf4ad58f6a5628929fb8f1eb7810a20f2da
The full set of platform keys — current and historical — is published as JSON at /.well-known/keys.json.
Key rotation
Velin rotates the platform signing key annually. Every pack records the fingerprint of the key that signed it, so rotation does not invalidate historical packs. Every key Velin has ever used to sign a pack remains published at /.well-known/keys.json indefinitely — a pack signed under any past key continues to verify in perpetuity.