TaaS — Trust as a Service

How it works

From event to certificate in under 200ms

SHA-256 hash · RFC 3161 timestamp · RSA-PSS signature. No infrastructure to manage. Just an API key.

01

Authenticate with your API key

Every TaaS request is authenticated with an API key tied to your account. Keys are hashed — never stored in plaintext. Rotate them anytime from your dashboard.

curl -X POST https://api.trytaas.com/v1/certify \
  -H "X-API-Key: taas_live_xxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{ ... }'
02

Send your event payload

POST any JSON payload to /v1/certify. You define the structure — TaaS certifies it. Include a "type" field to categorize the event (payment_confirmed, app_install, delivery_complete, etc.).

{
  "type":    "payment_confirmed",
  "payload": {
    "amount":   499.00,
    "currency": "USD",
    "buyer_id": "usr_abc123",
    "order_id": "ord_xyz789"
  },
  "metadata": {
    "app_id":    "com.acme.marketplace",
    "platform":  "android",
    "client_ip": "203.0.113.1"
  }
}
03

TaaS hashes, timestamps, and signs

Internally: the payload is canonicalized, SHA-256 hashed, anchored with an RFC 3161 timestamp from a trusted TSA, and signed with RSA-PSS-SHA256. This happens in <200ms.

# Internal process (transparent to you)
canonical  = sort_keys(payload)
hash       = SHA256(canonical)
timestamp  = RFC3161.tsa.stamp(hash)       # RFC 3161 compliant
signature  = RSA_PSS.sign(hash + timestamp, private_key)
cert_id    = UUID4()
04

Certificate returned

You receive a signed certificate object. Download the PDF for legal records or use the JSON for programmatic verification. Both are self-contained.

{
  "cert_id":   "cert_5f3a8c2d-e91b-4f7a-a23c-1b2d3e4f5a6b",
  "hash":      "a3f4b2c1e9d7f8a0b5c6d2e1f4a3b7c8...",
  "algorithm": "SHA-256",
  "timestamp": "2026-06-01T14:30:01.234567Z",
  "tsa":       "RFC3161-compliant",
  "signature": { "algorithm": "RSA-PSS-SHA256", "key_id": "taas_key_2026" },
  "valid":     true,
  "pdf_url":   "https://certs.trytaas.com/cert_5f3a..."
}
05

Verify anytime — no credentials needed

The verification endpoint is public. Judges, auditors, and your users can verify a certificate by its ID — without an API key, without a TaaS account.

GET /v1/verify/cert_5f3a8c2d-e91b-4f7a-a23c-1b2d3e4f5a6b

# Response:
{
  "cert_id":   "cert_5f3a...",
  "valid":     true,
  "issued_at": "2026-06-01T14:30:01Z",
  "hash":      "a3f4b2c1...",
  "tampered":  false
}

Cryptographic standards used

SHA-256

Hash algorithm — NIST-approved, collision-resistant

RFC 3161

Trusted timestamp — internationally recognized standard

RSA-PSS

Digital signature — PKCS#1 v2.1 probabilistic signing

X.509

Certificate format — compatible with standard PKI tooling

Get your API key → API reference