Verification

Drop a signed document. We’ll tell you exactly what it is.

Validates PDF, XML, and ASiC signatures against the EU LOTL, Swiss ZertES, Adobe AATL, and Mozilla NSS. Detects eIDAS Qualified Electronic Signatures — legally equivalent to a handwritten signature across every EU member state. Free, no signup, no upload limit on the tool.

Coverage

30+ jurisdictions, every major signature standard.

Trust scope is fetched, signature-verified, and cached from the EU Commission’s List of Trusted Lists, the Swiss federal Trusted List, Adobe’s AATL snapshot, and Mozilla’s NSS bundle. Refreshed every 5 minutes via Vercel Cron.

🇪🇺 EU + EEA (30 jurisdictions)

eIDAS LOTL · QES detection across all 27 EU member states + Iceland, Liechtenstein, Norway

🇨🇭 Switzerland (Federal TL)

Swiss ZertES · Swisscom, SwissSign, QuoVadis CH, DigiCert Switzerland, Swiss Government PKI

🇬🇧 United Kingdom (tScheme + NSS)

Legacy tScheme + commercial CAs via Mozilla NSS

🇺🇸 United States (NSS + AATL)

DigiCert, Entrust, IdenTrust, GlobalSign US, Sectigo · ESIGN / UETA · no QES equivalent, but full attribution

Signature standards

PAdES

PDF Advanced Electronic Signatures — ETSI EN 319 142-1. The standard for signatures embedded inside a PDF.

XAdES

XML Advanced Electronic Signatures — ETSI EN 319 132-1. The standard for signatures over XML documents.

CAdES

CMS Advanced Electronic Signatures — ETSI EN 319 122-1. The standard for raw PKCS#7 / CMS signatures, often used inside ASiC containers.

ASiC

Associated Signature Containers — ETSI EN 319 162-1. ZIP-based containers carrying a signed document plus its detached XAdES or CAdES signature.

RFC 3161

Trusted timestamp protocol — proves a signature existed at a specific moment, independent of the signer.

eIDAS QES

Qualified Electronic Signature under EU Regulation 910/2014 — legally equivalent to a handwritten signature across every EU member state.

ZertES

Switzerland's federal e-signature law — the Swiss QES equivalent, recognised by the Confederation's Trusted List.

AATL

Adobe Approved Trust List — the CAs Adobe Acrobat trusts automatically for document signing. Curated quarterly.

The pipeline

Three phases. Each runs only if the previous one missed.

01

Hash match

We compare the SHA-256 of the bytes you upload against every PDF we’ve ever issued. On a hit, we tell you who signed, when, and with which certificate.

02

Letssign.now cert check

On a miss, we scan the embedded CMS for our cert serial. If our seal is on the file but the bytes changed, we surface a Tampered verdict along with the certificate detail for support.

03

Real PAdES validation

Otherwise: full cryptographic chain validation against eIDAS LOTL + Swiss ZertES + AATL + Mozilla NSS, anchored at the signing time. Detects QES, AdES, untrusted, and unsigned with per-signature attribution.

Verdicts

A specific answer. Not a vague “valid / invalid”.

Verified — legally binding

eIDAS QES

Cryptographically valid + the signer’s certificate chains to an EU-listed Qualified Trust Service Provider and was signed on a Qualified Signature Creation Device. Highest legal tier — equivalent to a handwritten signature across every EU member state.

Trusted CA, not formally qualified

Advanced (AdES)

Certificate chains to a trust list we recognise (DocuSign, AdobeSign, US commercial CAs via NSS) but isn’t formally qualified under eIDAS. Strong evidentiary value — uniquely identifies the signer, tamper-evident.

Signed, but unverified

Untrusted signer

Cryptography is intact but the certificate doesn’t chain to any trust list we cover. Could be self-signed, an internal CA, or a regional CA we don’t yet support. Signer name + issuer still surfaced.

Sealed, then modified

Tampered

A real certificate is embedded but the document hash doesn’t match what it claims. The signature is no longer cryptographically valid. Do not treat as binding.

No signature found

Unsigned

The PDF carries no embedded electronic signature. Anyone could have produced this file. Not an error — just an honest verdict for a plain document.

When INDETERMINATE

Second opinion from EU DSS

For cases our local pipeline can’t conclusively classify, we optionally consult the EU Commission’s eIDValidator (DSS-as-a-service). Surfaces an ETSI-signed validation report for compliance buyers.
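
An added sketch of the three-phase short-circuit and the verdict precedence described above; it is not Letssign.now's code. The `SigFacts` fields, the `issued` label and all sample values are assumptions, and CMS parsing and chain validation are taken as already-computed inputs.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class SigFacts:
    """What a CMS/PAdES parser would report for one signature (assumed input)."""
    cert_serial: int
    digest_ok: bool                   # signed digest still matches the file bytes
    trust_list: Optional[str] = None  # "LOTL", "ZertES", "AATL", "NSS" or None
    qualified_tsp: bool = False       # issuer is a listed Qualified TSP
    qscd: bool = False                # key held on a QSCD

def classify(sig: SigFacts) -> str:
    """Phase 3 verdict for one signature; integrity is checked before trust."""
    if not sig.digest_ok:
        return "tampered"
    if sig.trust_list is None:
        return "untrusted"
    if sig.trust_list == "LOTL" and sig.qualified_tsp and sig.qscd:
        return "qes"
    return "ades"

def verify(data: bytes, issued: dict, our_serials: set, sigs: list) -> dict:
    digest = hashlib.sha256(data).hexdigest()
    # Phase 1: exact bytes of a document this service issued.
    if digest in issued:
        return {"phase": 1, "verdicts": ["issued"], "record": issued[digest]}
    # Phase 2: our seal is present but the bytes match no issued hash.
    if any(s.cert_serial in our_serials for s in sigs):
        return {"phase": 2, "verdicts": ["tampered"], "record": None}
    # Phase 3: per-signature classification, "unsigned" when nothing is embedded.
    return {"phase": 3, "verdicts": [classify(s) for s in sigs] or ["unsigned"],
            "record": None}

# Constructed sample data (not real documents, serials or signers).
ORIGINAL = b"%PDF-1.7 constructed sealed document"
ISSUED = {hashlib.sha256(ORIGINAL).hexdigest(): {"signer": "Example Signer"}}
OUR_SERIALS = {0x1001}
```
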

What we deliberately don’t do.

  • No live OCSP / CRL fetches at verification time. We rely on validation data embedded in the signature (B-LT/B-LTA). Live lookups would add 1-5 seconds and depend on the CA staying reachable — both bad for a real-time check.
  • No “trust any CA you trust” mode. Trust scope is exactly what’s in eIDAS LOTL + Swiss ZertES + AATL + Mozilla NSS. Adding more requires a code change — drift in the trust scope leaks legal weight.
  • No revealing analytics on uploaded documents. Verification logs record only the SHA prefix (first 12 chars), file size in KB, verdict reason, and latency. No emails, no full hashes, no document bytes.

One signed document. One drop. One verdict.

No account. No upload tracking. Drop a file, get the legal tier, the signer, the issuer, the timestamp, and the PAdES profile in seconds.