Developer Docs
Developer Overview
Start at the main docs hub.
Verification Lifecycle
Artifact submission, receipts, and later comparison.
API Overview
Public request and response model.
Security Model
Claims boundary and public-safe controls.
Architecture
Workflow fit and trust-boundary framing.
Threat Model
Threat assumptions and review posture.
Evidence IntegrityInfrastructurefor existing compliance workflows
TrustSignal issues signed verification receipts so organizations can prove when evidence was created, where it came from, and whether it has changed. It adds an integrity layer to existing workflows without replacing the system of record.
Fits alongside compliance and audit operations already in place.
Issues signed receipts with provenance metadata at verification time.
Supports downstream checks to confirm whether records still match.
Evidence can drift after collection.
Verification gets harder later.
Compliance and audit teams rely on artifacts that pass through multiple systems. Without a durable integrity reference, provenance can become difficult to validate during later review.
Evidence drifts over time
Files, exports, and screenshots can change after initial collection as they move between teams and systems.
Provenance gets harder to confirm
Weeks or months later, reviewers often cannot easily prove where an artifact came from or when it was captured.
Audit readiness weakens
Teams need a reliable way to verify what was collected, when it was collected, and from which source system.
Verification receipts through the artifact lifecycle
Submit an artifact or artifact reference, receive a verification result with a signed receipt, store it with the artifact, and run later integrity checks when needed.
Collection
Source System
Review workflow
Compliance Platform
Integrity layer
TrustSignal
Integrity control pointOutput
Signed Output
Fits existing systems of record.
Adds integrity at evidence handoff points.
TrustSignal is an integrity layer for compliance workflows and audit evidence pipelines. It integrates at clear API boundaries while your existing collection and review systems remain in place.
Collect evidence where you already do
Keep your existing platform, collector, or internal workflow as the source of truth for the artifact.
Send verification requests at the workflow boundary
Submit source metadata, artifact hash, control context, and timestamps through a low-friction API boundary integration.
Store receipts in your system of record
Keep signed receipts and verification signals beside the original evidence for later review, audits, and partner checks.
POST /api/attest-evidence
Content-Type: application/json
{
"source": "vanta",
"artifact_hash": "sha256:93f6f35a550cbe1c3f0b5f0c12b9f0d62f3f9c6f8c6a4eddd8fa1fbfd4654af1",
"control_id": "CC6.1",
"timestamp": "2026-03-11T21:00:00Z",
"metadata": {
"artifact_type": "compliance_evidence",
"collector": "aws-config-snapshot"
}
}
HTTP/1.1 201 Created
{
"receipt_id": "tsig_rcpt_01JTQY8N1Q0M4F4F5T4J4B8Y9R",
"status": "signed",
"source": "vanta",
"control_id": "CC6.1",
"attested_at": "2026-03-11T21:00:01Z",
"signature": "tsig_sig_01JTQY8QK6X4YF7M6T2P9A5D3H",
"provenance": {
"artifact_type": "compliance_evidence",
"collector": "aws-config-snapshot"
}
}The same fields can be emitted from a webhook if your evidence platform already has an event-driven collection flow.
Production note: plan for authentication, environment configuration, receipt lifecycle checks, and verification status monitoring in your deployment workflow.
For Developers
TrustSignal exposes a straightforward API surface for verification, receipt retrieval, status checks, and lifecycle actions. This section is the transition point from buyer-facing messaging to technical materials and the configured access path.
Signed Receipts
Signed receipts record the artifact hash, source, and timestamp captured at ingestion.
Verification Lifecycle
Later checks confirm whether the current artifact still matches the receipted record.
Verifiable Provenance
Receipt metadata preserves source, control, and timestamp context for review workflows.
Low-Friction Integration
TrustSignal fits behind an existing workflow through a clear verification boundary.
Documentation and Repository
Technical documentation and GitHub materials support partner, security, and integration review.
Technical Review Path
Documentation and repository materials are available for teams that need a deeper review of integration patterns, lifecycle behavior, and public API expectations.
1// Receipt model2const auditReadyReceipt = {3 receipt_id: "tsig_rcpt_01JTQY8N1Q0M4F4F5T4J4B8Y9R",4 source: "vanta",5 artifact_hash: "sha256:93f6f35a550cbe1c3f0b5f0c12b9f0d62f3f9c6f8c6a4eddd8fa1fbfd4654af1",6 control_id: "CC6.1",7 timestamp: "2026-03-11T21:00:00Z",8 receipt_status: "signed",9 verification_status: "match",10 provenance: {11 artifact_type: "compliance_evidence",12 collector: "aws-config-snapshot"13 }14}1516// TrustSignal sits behind the system that collected17// the record. The source platform remains in place18// while the receipt carries integrity and provenance.
Additional implementation context
Use the linked documentation and repository to review endpoint behavior, lifecycle expectations, and integration patterns in more depth.
Claims Boundary
TrustSignal provides signed verification receipts, verification signals, and verifiable provenance metadata so teams can run later integrity checks in existing workflows.
TrustSignal provides
- Signed verification receipts
- Verification signals
- Verifiable provenance metadata
TrustSignal does not provide
- Legal determinations
- Compliance certification
- Fraud adjudication
- Replacement for the system of record
Built for compliance evidence workflows.
TrustSignal evidence integrity infrastructure sits behind the system that collected the artifact, fits alongside platforms like Vanta and Drata, and returns signed verification receipts that can be verified later during audit or partner review.
Source systems
Company systems and evidence sources
Cloud config snapshots, ticket exports, documents, registries, and internal apps continue to produce the artifacts your team already reviews.
Existing workflow
Compliance platform or internal GRC flow
Platforms like Vanta and Drata can keep collecting, organizing, and routing evidence inside the process your team already uses.
Integrity layer
TrustSignal attests at ingestion
TrustSignal adds a signed receipt at the handoff point so integrity and provenance travel with the artifact from the start.
Audit output
Signed receipt and verifiable audit evidence
Reviewers get a tamper-evident reference they can verify later without replacing the system that collected the original record.
Visible safeguards without workflow sprawl.
TrustSignal is designed to be straightforward to evaluate. The core trust signals show up in the signed receipt, the audit trail, and the provenance fields reviewers can inspect later.
Signed receipts
Each attestation returns a signed verification receipt that can be stored beside the original artifact.
Tamper-evident audit trail
Later verification shows whether the current artifact still matches the receipted record.
TLS in transit
Receipt requests travel over standard encrypted transport instead of introducing a custom workflow channel.
Minimal workflow change
TrustSignal integrates at ingestion through a low-friction API boundary or webhook without replacing the evidence platform.
Verifiable provenance
Source, control, and timestamp metadata remain attached to the receipt for audit-ready review.
Audit-ready verification.
Clear signal when a record drifts.
TrustSignal issues a signed receipt at ingestion and can later compare the current artifact against the receipted digest. That gives reviewers a fast, audit-ready signal when a record no longer matches the original intake.
Ready to prove
compliance integrity?
Start with a lightweight pilot, or route developers directly into the configured authenticated TrustSignal surface when it is deployed. Otherwise keep onboarding manual and pilot-gated.
Pilot onboarding is primary. Self-serve developer access depends on deployment configuration.
Start a lightweight pilot or align on integration.
Share the basics and TrustSignal will follow up with next steps for a pilot or integration discussion. Operational access and private verification workflows remain restricted to TrustSignal review.
Responses are reviewed directly by the TrustSignal team.
Submissions are stored privately for TrustSignal review and follow-up.
No payment or system access is requested through this form.