REMOTE QUALIFIED E-SEAL

Remote Qualified E-Sealing. API-first. Privacy by design.

Apply eIDAS Qualified electronic seals to millions of documents - without a single one ever leaving your infrastructure. The most complete remote e-sealing solution on the market.

Try the Live Demoarrow_forward Read the Documentation Open Developer Portaldeveloper_mode

Your Infrastructure

descriptioninvoice-2026-q1.pdf2.4 MB

arrow_downwardSHA-256

a7f3b9c1d4e8f2a6b0c5d7e9f1a3b5c8d2e4f6a8b0c3d5e7f9a1b4c6d8e0f2a4

32 bytes - that's all that leaves

arrow_downward

HTTPS

E-Seal API

check_circleOAuth 2.0 authenticated

check_circleSCAL2 PIN authorized

check_circleRSA 2048 signed

verified_user

eIDAS Qualified

PAdES B-T with RFC 3161 timestamp

lock

32 bytes

Only a hash crosses the network

THE BASICS

Electronic seals - the digital equivalent of a company stamp.

verified_user

Qualified Level

Highest legal assurance under eIDAS. Non-repudiable proof of origin and integrity.

lock

Hash-Only Privacy

Your documents never leave your infrastructure. We only receive a 32-byte hash - we cannot see, read, or store your content.

speed

API-First

One API call to seal. Full CSC v2 compliance. TypeScript SDK included. Seal thousands of documents per minute.

schedule

Timestamp Included

Every seal includes an RFC 3161 qualified timestamp - cryptographic proof of exactly when the document was sealed. PAdES B-T from day one.

info

Qualified is the highest of three eIDAS levels (basic → advanced → qualified). It requires certified hardware (HSM), a Qualified Trust Service Provider, and conformity assessment by an EU-accredited body. This is what separates a qualified e-seal from a simple digital signature.

info

The hash-only model is a property of the CSC v2 protocol, not a policy choice. The API only accepts hashes — there is no endpoint that accepts documents. Privacy is architecturally enforced, not contractually promised.

LEGAL ASSURANCE

The highest legal standard for electronic seals in Europe.

Qualified is the highest level under eIDAS - full legal equivalence to a handwritten signature across all 27 EU member states. Documents sealed at this level are presumed authentic and unaltered by law. Organizations that seal at qualified level now get full future-proofing - any jurisdiction, any court, any scenario.

gavel

Legal equivalence

Qualified e-seals enjoy automatic legal recognition across the entire EU. No bilateral agreements. No per-country validation. One seal, 27 member states.

shield

Certified infrastructure

Requires a Qualified Signature Creation Device (QSCD), certified Trust Service Provider status, and conformity assessment. This is hard - by design.

workspace_premium

Highest confidence

When your bank statement, invoice, or regulatory filing carries a qualified e-seal, recipients know it's authentic. Not because they trust you - because EU law says so.

CUSTOMER SEGMENTS

Built for organizations that seal at scale.

account_balance

Banks & Financial Institutions

Direct API Clients

Seal statements, agreements, and regulatory filings. Direct CSC v2 API integration for maximum throughput.

integration_instructions

Document & ERP Platforms

Platforms & SaaS

Embed e-sealing into your product. White-label ready. client.seal(pdf) and done.

hub

E-Signature Brokers

Trust Service Providers

Add qualified e-sealing to your portfolio. Multi-tenant, per-customer credentials. CSC v2 compatible.

info

Current e-seal customers in this segment process hundreds of thousands of seals per month. The move from physical crypto sticks to remote API-based sealing eliminates courier logistics, RA officer overhead, and manual key ceremonies.

info

In the broker model, the seal certificate belongs to the end-entity (the small company), not the broker. The broker facilitates access but the identity chain to the legal entity must be preserved — architecturally supported through per-tenant credentials.

TECHNICAL FLOW

The hash-only model - privacy by architecture.

Your Infrastructure

1.Load document

2.Compute SHA-256 hash (32 bytes)

7.Build CMS SignedData

8.Add RFC 3161 timestamp

9.Embed in document

10.Output: Qualified sealed PDF

E-Seal API

arrow_forwardAuthenticate (OAuth 2.0)

info

OAuth 2.0 Client Credentials flow. Credentials are issued through the Developer Portal after QTSP onboarding. The authorized representative delegates API access to the technical team.

arrow_forwardAuthorize credential (SCAL2)

info

This step is what makes it "qualified." The PIN ensures the legal entity retains sole control of the signing key, even though the key is hosted remotely in the QTSP's HSM. Required by EN 419 241-1.

arrow_forwardSign the hash (RSA 2048)

info

The private key never leaves the HSM. The hash enters, the signature comes out. The API cannot export, copy, or extract the key — enforced by QSCD hardware certification.

arrow_backReturn raw signature

The document never crosses the boundary.Only a 32-byte SHA-256 hash is transmitted. Your infrastructure computes the hash locally, sends it to the API, receives back a cryptographic signature, and assembles the final sealed document. We never see the content. This is not a policy choice - it's how the CSC v2 protocol works by design.

info

Steps 1-2 and 7-10 execute on your infrastructure — the API never sees the document. The Client SDK handles PDF preparation, hash computation, CMS assembly, timestamping, and injection. Without it, your team would need to implement PAdES B-T compliant CMS construction from scratch. Whether the production service includes an official SDK is a product decision — this prototype includes a fully working one.

INTERACTIVE DEMO

Seal a PDF right now. Watch every step.

Upload any PDF document. Watch the 8-step sealing process execute in real-time - authentication, credential authorization, hash signing, CMS assembly, timestamping. Download your sealed PDF when it's done.

upload_file

Drop a PDF here

or click to browse (max 10MB)

This demo uses a self-signed test certificate. In production, documents are sealed with a qualified certificate issued by a Qualified Trust Service Provider - validated by Adobe Acrobat and DigiDoc4.

Want to see the full API flow with your own credentials? Open the Developer Portal.

FOR DEVELOPERS

From zero to sealed PDF in 5 minutes.

Get these values from the Developer Portal— generate credentials, pick a seal certificate, and you're ready to integrate.

import { SealClient } from '@sk-eseal/client-sdk';

const client = new SealClient({
  baseUrl: 'https://eseal.example.com',
  clientId: 'your-tenant-id',
  clientSecret: 'your-secret',
  pin: 'your-pin',
  credentialId: 'your-credential-id',
});

const result = await client.seal(pdfBytes);
// result.sealedPdf → Uint8Array (sealed PDF with PAdES B-T signature)

developer_mode

Developer Portal

Get API credentials, manage seal certificates, test the full CSC v2 integration flow step by step.

code

TypeScript SDK

8 modules, 23 tests. npm install @sk-eseal/client-sdk. Handles PDF preparation, hash computation, CMS assembly, timestamping - everything except the signing itself.

description

OpenAPI 3.1 Spec

Full machine-readable API definition. Import into Postman, generate clients in any language. Interactive Swagger UI included.

terminal

CLI Demo

npx tsx seal-demo.ts invoice.pdf → sealed PDF in seconds. Inspect every step of the flow.

PRICING

Transparent pricing for every scale.

Coming Soon

Starter

For evaluation and development

—

Lorem ipsum dolor sit amet

Consectetur adipiscing elit

Sed do eiusmod tempor

Coming Soon

Business

For production workloads

—

Lorem ipsum dolor sit amet

Consectetur adipiscing elit

Sed do eiusmod tempor

Incididunt ut labore et dolore

Coming Soon

Enterprise

For high-volume and custom needs

—

Lorem ipsum dolor sit amet

Consectetur adipiscing elit

Sed do eiusmod tempor

Incididunt ut labore et dolore

Magna aliqua ut enim

COMPLIANCE

Built on open standards. Validated by regulation.

CSC v2.0.0.2

Cloud Signature Consortium API standard (all 6 endpoints)

eIDAS

EU Regulation 910/2014 on electronic identification and trust services

PAdES B-T

ETSI EN 319 142 (PDF Advanced Electronic Signatures with timestamp)

RFC 5652

Cryptographic Message Syntax (CMS/PKCS#7)

RFC 3161

Time-Stamp Protocol

RFC 6749

OAuth 2.0 Authorization Framework

SCAL2

Sole Control Assurance Level 2 (qualified authorization)

Every signature produced by this service is a PAdES Baseline-T signature - containing a qualified timestamp proving when the seal was applied. The CMS structure validates in Adobe Acrobat, DigiDoc4, and the EU DSS validation library.

The SCAL2 authorization model means each sealing operation requires explicit credential authorization - not just an access token. This is the level required for qualified electronic seals under eIDAS.

The hash-only architecture ensures full GDPR compliance - your document content never enters our infrastructure.

DOCUMENTATION & RESOURCES

Everything built. Everything accessible.

Every deliverable from this prototype is documented, tested, and accessible. All source code and documentation lives on GitHub.

code

keeltekool/sk-e-seal-prototype

Full source code, documentation, SDK, scripts - MIT licensed

arrow_forward

developer_mode

Developer Portal

Get credentials, manage seal certificates, test the API flow

arrow_forward

api

Swagger UI

Interactive API explorer - test every endpoint in the browser

arrow_forward

description

OpenAPI 3.1 Specification

Machine-readable API definition - import into Postman

open_in_new

package_2

Client SDK

Standalone TypeScript SDK - 8 modules, 23 tests, npm-ready

open_in_new

menu_book

CSC v2 Specification

The 100-page standard this prototype implements

open_in_new

Ready to add qualified e-sealing to your platform?

Whether you're a bank sealing millions of statements, a platform embedding trust services, or a broker expanding your portfolio - we built this for you.

Open Developer Portal