Tendaworld
Get StartedContact Sales
Hardware-Key Signatures

Every signature,
bound to a key only you hold.

SecurySign turns your passkey or security key into a legally-binding digital signature. Each one is sealed with its own certificate and embedded into the document itself — tamper-evident, instantly verifiable, and impossible to forge.

Start signingSee how it works
X.509 PKI
Passkey & YubiKey
PAdES / AdES

What is SecurySign?

A handwritten signature can be traced. A typed one can be copied. A SecurySign signature can be neither.

SecurySign is a digital signing service that uses the same hardware-key technology that secures your bank and your email — and applies it to the documents that matter. No passwords to steal, no images to forge. Just cryptographic proof that holds up.

Bound to your hardware

Instead of a drawn squiggle or a typed name, your signature is created by a physical key — a passkey on your phone or a YubiKey in your hand. It can't be copied, because the secret never leaves the device.

Tied to your identity

Every key is issued its own X.509 certificate with your verified email written inside. So a SecurySign signature doesn't just prove a document was signed — it proves who signed it.

Sealed into the document

The signature is embedded directly into the PDF (a standard called PAdES). Change a single character afterwards and the seal breaks — anyone can tell at a glance that it was tampered with.

Getting your key

From zero to signing-ready in about a minute

A “key” is the hardware that proves it’s really you — plus the certificate that gives it a name. Here’s how you set one up.

1

Choose your authenticator

Use the passkey already built into your phone or laptop — Face ID, Touch ID, Windows Hello, or an Android fingerprint. Prefer the highest assurance? Plug in a YubiKey. Either way, there's nothing to download or install.

No purchase required to start
2

Verify your email

Sign in once so SecurySign can confirm who you are. That verified email is written into your certificate — it's what ties every future signature back to you, not just to a device.

OAuth2-verified identity
3

Receive your certificate

SecurySign generates a certificate signing request and issues your personal X.509 certificate, cryptographically bound to your key. Issuance is automatic — no paperwork, no waiting for approval. You're ready to sign immediately.

Full certificate chain for audit

Your private key never leaves your device — SecurySign never sees it.

How it works

Signed in five simple steps

All the cryptography happens quietly in the background. Here's what it looks like for you.

YubiKey 5 · Passkey
AAGUID · ee882879…
X.509 Certificate Issued
Subject: CN=adrian@tenda.world
Algo: ES256 (ECDSA P-256)
Chain: SecurySign Root → You

Why it's different

Bank-grade cryptography, made effortless

Phishing-proof by design

Signatures are created by FIDO2 passkeys and YubiKeys. There's no password to phish and no private key to leak — the secret never leaves the hardware.

Hardware-bound PAdES PDFs

Signatures are embedded into the PDF as a standards-compliant PAdES container, signed with ES256 — readable by any compliant viewer.

Tamper-evident & verifiable

Every signature carries a SHA-256 hash of the document. Alter the file and verification fails instantly — with a full X.509 chain for audit.

Encrypted in your browser

Sensitive documents can be encrypted client-side with PRF-hardware, AES, or RSA-OAEP schemes before they're ever stored. Keys stay with you.

An Advanced Electronic Signature

Each signature is an AdES, cryptographically linked to a verified identity — the legally significant tier recognised across modern e-signature law.

Works with the keys you already have

Passkeys from Apple iCloud Keychain, Google Password Manager, Windows Hello, or a dedicated YubiKey — SecurySign meets your users on the device in their hand.

Under the hood

Real cryptography, not a checkbox

Every signature is backed by standards-based public-key infrastructure — the same primitives that secure the open web, applied to the documents you sign.

PKI

PKI Architecture

Every authenticator gets an X.509 certificate. Full certificate chain for audit.

$ Root → Intermediate → Leaf
Enrollment

CSR-Signed Enrollment

The authenticator cryptographically signs a CSR that becomes its certificate.

$ authenticator.sign(CSR) → X.509
Identity

Identity-Bound Keys

OAuth2-verified email is embedded in the certificate subject.

$ Subject: CN=you@org.com
Attestation

Hardware-Attested

AAGUID parsing distinguishes YubiKeys from software passkeys.

$ AAGUID ee882879 · YubiKey 5

For developers

Add trusted signing to your product

SecurySign is built to be embedded. Register as a relying party and bring hardware-key signatures into your own application or service.

Embed with an iframe

Drop a SecurySign frame into your checkout or onboarding flow. Users register a passkey and sign — without ever leaving your site.

Full API & headless signing

Issue certificates on behalf of users, sign programmatically, and manage relying parties with full API access.

Webhooks & sub-accounts

Get notified the moment a document is signed, spin up sub-RPs, and set per-client rate limits.

Register as a relying party
embed.html
<script src="https://signa.dev/sdk.js"></script>

<!-- Drop signing into your flow -->
SecurySign.embed({
  rp: "your-app",
  document: pdfBytes,
  onSigned: (signedPdf) => {
    // X.509-backed PAdES PDF
    download(signedPdf)
  },
})

Questions, answered

New to hardware-key signing?

No. SecurySign works with the passkey already built into your phone or laptop — Face ID, Touch ID, Windows Hello, or an Android fingerprint. If you want the highest assurance, you can also use a dedicated security key like a YubiKey, but it's optional.

A passkey is a modern replacement for passwords, backed by a secret stored securely on your device that never leaves it. You unlock it with your fingerprint or face. It's the same phishing-resistant technology that banks and Google use — SecurySign applies it to signing documents.

Each signature is an Advanced Electronic Signature (AdES): it's uniquely linked to a verified identity, created with a key only you control, and tamper-evident. That places it in the legally significant tier recognised under modern e-signature frameworks — well above a typed name or pasted image.

When you sign, SecurySign records a cryptographic fingerprint (SHA-256) of the exact file and embeds the signature inside the PDF. If even one character changes, the fingerprint no longer matches and verification fails — so any tampering is obvious.

Hashing and encryption happen right inside your browser. Documents can be encrypted client-side before they're ever stored, and the keys to decrypt them stay bound to your hardware — not on a server.

Anyone can re-hash the document and check the signature against the X.509 certificate — confirming the file is unchanged, the signature is valid, and the certificate is trusted and not revoked. No SecurySign account needed to verify.

Sign your next document with a key, not a password.

Set up your hardware-key identity in under a minute, and sign documents that are tamper-evident, verifiable, and unmistakably yours.

Start signingTalk to our team