Digital Signatures

Digital signatures allow recipients to verify that data is authentic — that it was created by a specific author and has not been tampered with since it was signed. Raytio uses two separate digital signing systems, each serving a different purpose.

What is a digital signature?

A digital signature works like a wax seal on a letter. The author uses their private signing key to produce a signature over the data. Anyone with the author's public key can verify the signature, confirming two things:

  • Authenticity — the data was signed by the holder of that private key
  • Integrity — the data has not been modified since it was signed

Unlike encryption (which protects confidentiality), digital signatures protect against forgery and tampering. Signed data is not secret — it is provably genuine.

Server-side signing (platform verification)

Raytio uses RSA-PSS digital signatures with SHA-512 hashing and 4096-bit keys to sign data on the server side. The signing keys are managed by AWS Key Management Service (KMS), which stores them in hardware security modules that prevent the private key from ever being exported.

What gets signed

Server-side signatures are applied to data that Raytio itself vouches for:

  • Verification bundles — when Raytio verifies a document (such as a passport or driver licence), the verification result is signed so that recipients can independently confirm it came from Raytio and has not been altered
  • Webhook payloads — data sent to external systems via webhooks is signed so the receiving system can verify it originated from Raytio

How verification works

When a recipient receives signed data, their client:

  1. Fetches Raytio's public signing key (hosted publicly)
  2. Uses the public key to verify the signature against the data
  3. Confirms the data is authentic and unmodified

The data is serialised using canonical JSON — a deterministic format that ensures the same data always produces the same byte sequence, regardless of property ordering or whitespace. This is necessary because even a single byte difference would cause the signature check to fail.
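
The verification steps and the canonical JSON requirement above, as an added Node.js example that is not Raytio's own code. It assumes a simple canonical form (sorted keys, no whitespace), a salt length equal to the digest size, a locally generated key pair standing in for the KMS-held key, and a constructed sample bundle.

```javascript
// Added example: stand-in keys and constructed data, not Raytio's implementation.
const crypto = require('node:crypto');

// Assumed canonical form: object keys sorted, no insignificant whitespace.
// The scheme Raytio actually uses may differ in detail.
function canonicalize(value) {
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  if (value !== null && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k]))
      .join(',') + '}';
  }
  return JSON.stringify(value); // strings, numbers, booleans, null
}

// RSA-PSS padding options; the salt length (digest size) is an assumption.
const PSS = {
  padding: crypto.constants.RSA_PKCS1_PSS_PADDING,
  saltLength: crypto.constants.RSA_PSS_SALTLEN_DIGEST,
};

function signBundle(privateKey, bundle) {
  const bytes = Buffer.from(canonicalize(bundle), 'utf8');
  return crypto.sign('sha512', bytes, { key: privateKey, ...PSS });
}

function verifyBundle(publicKey, bundle, signature) {
  const bytes = Buffer.from(canonicalize(bundle), 'utf8');
  return crypto.verify('sha512', bytes, { key: publicKey, ...PSS }, signature);
}

function demo() {
  // Locally generated stand-in for the platform key pair (4096-bit, as on the page).
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 4096 });
  const signed = { document: 'passport', result: 'verified', checks: { expiry: true, mrz: true } };
  const signature = signBundle(privateKey, signed);
  // Same data as a recipient might receive it: different key order and whitespace.
  const received = JSON.parse('{ "checks": {"mrz": true, "expiry": true},\n "result": "verified", "document": "passport" }');
  const tampered = { ...received, result: 'rejected' };
  return {
    sameBytes: canonicalize(signed) === canonicalize(received),
    reorderedVerifies: verifyBundle(publicKey, received, signature),
    tamperedVerifies: verifyBundle(publicKey, tampered, signature),
    // Verifying over the non-canonical serialisation fails although the data is identical.
    rawTextVerifies: crypto.verify('sha512', Buffer.from(JSON.stringify(received)), { key: publicKey, ...PSS }, signature),
  };
}

const outcome = demo();
console.log(outcome);
```

The last field shows why both sides must canonicalise before signing and verifying: the re-ordered bundle carries the same data, but its plain serialisation is a different byte sequence and the check fails.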

Client-side signing (user PGP keys)

When a user creates a Raytio account, a PGP signing key pair is generated on their device in addition to their encryption keys. This is a separate RSA 4096-bit key pair used exclusively for digital signatures.

How the signing key is protected

The PGP signing key follows a similar protection model to the encryption keys:

  • The private signing key is encrypted with AES-256-GCM using the user's Key Encryption Key (KEK), derived from their password and Local Secret
  • The encrypted private key is stored locally on the device (in the browser's IndexedDB)
  • The public signing key is stored on the server in PEM format, along with a key fingerprint (a SHA-256 hash of the public key) that uniquely identifies the key

What this enables

With a device-bound signing key, users can digitally sign their own data. This creates a cryptographic proof that a specific user authored or approved a piece of data, independent of Raytio's servers. Because the private signing key never leaves the user's device, no one — including Raytio — can forge a signature on the user's behalf.

Note: User-side digital signing is currently supported — data can be signed with a user's PGP key. The corresponding feature to verify these user signatures within the platform is coming soon.

How the two systems complement each other

|  | Server-side signing | Client-side signing |
| --- | --- | --- |
| Who signs | Raytio (the platform) | The individual user |
| What it proves | "Raytio produced and vouches for this data" | "This specific user authored or approved this data" |
| Key management | AWS KMS (hardware security module) | Device-bound, encrypted with user's KEK |
| Algorithm | RSA-PSS, SHA-512, 4096-bit | RSA-PSS, SHA-256, 4096-bit |
| Use cases | Verification results, webhook payloads | User-authored data, approvals |

Together, these two systems provide a complete chain of trust: Raytio can prove the authenticity of platform-generated data (such as verification results), and users can prove the authenticity of their own data (such as submitted information or approvals).