Verify a compliance report
Every report Veracly issues is cryptographically signed (Ed25519) and anchored in a public audit ledger. Anyone holding a report can confirm who issued it, when, and that it has not been altered since signing — without a Veracly account, and without trusting Veracly.
Enter the verification ID
On the final page of the PDF, look for Verification ID. It looks like123e4567-e89b-12d3-a456-426614174000.
Why this is independent
Verification runs entirely in your browser against a public key — no Veracly server sits on the trust path, and no login is required. Veracly audits compliance but does not sell the fixes, so the attestation has no conflict of interest: a tool that also sold you the remediation could not certify it credibly. That is the point of an independent signature.
How verification works
- Enter the Verification ID printed on the final page of the PDF, above. We look up the anchor in our public ledger.
- We return the canonical signed record: scan ID, issued-at timestamp, the SHA-256 of the PDF, the signing key fingerprint, and the Ed25519 signature.
- Your browser verifies the signature against the public key published at /.well-known/veracly-signing-key.json. Verification runs entirely in your browser — no Veracly server is on the trust path.
- (Optional) Paste the SHA-256 of the PDF in your hands. We’ll compare it against the recorded hash to confirm the file you have is the one we issued.
Retention: paid reports are retained for long-horizon verification; free-scan anchors are retired on a published schedule. The rules in force are documented at /.well-known/veracly-retention.json.