checksum.dev signs every record with Ed25519, aggregates them into verifiable Merkle trees, and generates compliance reports with cryptographic gap detection.
Designed for compliance under
The problem
Any engineer with database access can modify a log entry. Regulators require independent tamper evidence — not self-attestation.
Database records can be updated or deleted by anyone with write access. There is no cryptographic trail of changes.
Missing records go undetected without structured sequencing. Auditors can't verify completeness from a CSV export.
Exporting your own logs as proof is like grading your own exam. Auditors need independent verification.
How it works
POST your chain_id, sequence_number, and checksum to the API. One call, any language.
We return an Ed25519 signature, timestamped and bound to your specific record. This is your cryptographic receipt.
Pull a PDF covering any time range — gap detection, frequency analysis, Merkle proofs, and pass/fail determination included.
curl -X POST https://checksum.dev/api/v1/anchors \
  -H "Authorization: Bearer sk_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "chain_id": "payment-events",
    "sequence_number": 42,
    "checksum": "sha256:9f86d081..."
  }'

{
  "id": "anc_01J5K7M...",
  "chain_id": "payment-events",
  "sequence_number": 42,
  "checksum": "sha256:9f86d081...",
  "signature": "ed25519:Rk3fQ2x...",
  "anchored_at": "2026-03-03T12:00:00.000000Z"
}

Capabilities
Cryptographic integrity, compliance reports, and independent verification — out of the box.
Industry-standard public-key signatures on every anchor. Verifiable by anyone with your public key.
All anchors aggregated into a published Merkle tree. Tamper-evident by design — one changed record invalidates the tree.
Automatic identification of missing sequence numbers. Know instantly if records are absent, not just tampered.
Auditor-ready exports covering any date range. Frequency analysis, Merkle proofs, and chain integrity summaries included.
Independent third-party verification without API credentials. Give your auditor a URL, not a CSV export.
Public/private key auth, RESTful endpoints, and an OpenAPI spec. Integrates in an afternoon.
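An added example (not checksum.dev's own code) of what the gap detection and Merkle tree capabilities above let an auditor check: missing sequence numbers in a chain, and whether one anchor is included under a published root. The leaf encoding, the 0x00/0x01 hash prefixes, the promotion of an unpaired node, and the sample anchors are assumptions constructed for illustration; the page does not specify the service's tree format.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(anchor: dict) -> bytes:
    # Assumed leaf encoding (not the service's): 0x00 || "chain_id|sequence_number|checksum"
    fields = (anchor["chain_id"], str(anchor["sequence_number"]), anchor["checksum"])
    return h(b"\x00" + "|".join(fields).encode())

def missing_sequences(anchors: list) -> list:
    """Sequence numbers absent between the lowest and highest anchored value."""
    seen = {a["sequence_number"] for a in anchors}
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]

def _parent_level(level: list) -> list:
    # Pair neighbours under a 0x01 prefix; an unpaired last node is promoted unchanged.
    return [h(b"\x01" + level[i] + level[i + 1]) if i + 1 < len(level) else level[i]
            for i in range(0, len(level), 2)]

def merkle_root(leaves: list) -> bytes:
    level = list(leaves)
    while len(level) > 1:
        level = _parent_level(level)
    return level[0]

def inclusion_proof(leaves: list, index: int) -> list:
    """Sibling hashes from leaf to root, each tagged with whether it sits on the left."""
    proof, level = [], list(leaves)
    while len(level) > 1:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((level[sibling], sibling < index))
        level, index = _parent_level(level), index // 2
    return proof

def verify_inclusion(leaf: bytes, proof: list, root: bytes) -> bool:
    node = leaf
    for sibling, sibling_is_left in proof:
        node = h(b"\x01" + (sibling + node if sibling_is_left else node + sibling))
    return node == root

# Constructed sample anchors: sequence 43 was never submitted.
ANCHORS = [{"chain_id": "payment-events", "sequence_number": n,
            "checksum": "sha256:" + hashlib.sha256(b"record-%d" % n).hexdigest()}
           for n in (40, 41, 42, 44, 45)]
LEAVES = [leaf_hash(a) for a in ANCHORS]
ROOT = merkle_root(LEAVES)
```

The proof for one anchor is only the sibling hashes on its path, so an auditor can check inclusion against the published root without holding every other record.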
Who it's for
Developers integrate. Compliance teams report. Auditors verify.
FAQ
Database-stored logs are mutable — anyone with write access can alter or delete records undetected. checksum.dev issues a cryptographic signature at submission time, so any modification produces a verifiable mismatch.
Yes. The public auditor portal allows independent verification of any anchor using only its identifier and the published Merkle tree. No account or credentials required.
No. You submit a checksum of your data, not the data itself. Your sensitive records never leave your infrastructure. The cryptographic proof is independent of the underlying content.
checksum.dev is designed to satisfy audit trail integrity requirements under HIPAA (45 CFR 164.312), SOC 2 CC7.2, PCI-DSS Requirement 10, and GDPR Article 5(2).
Gap detection is automatic. Missing sequence numbers are flagged in compliance reports so you can investigate whether a gap is expected (for example, a voided record) or indicates a potential system issue.
Each checkpoint is signed over a canonical payload. The signature can only be produced with our private key. Anyone with the public key can verify — if even one byte changed, verification fails.
Free tier available. No infrastructure required. Your first anchor is signed before your second cup of coffee.