Developer docs

Verify-anywhere embed

Two lines of HTML let your visitors verify any AttachKit-signed PDF on your site, entirely in their browser. No upload, no API key, no per-verify cost.

Quick start

Drop both tags anywhere on your page. The custom element self-registers when the script loads.

<script src="https://attachkit.com/verify-embed.js" integrity="sha384-..." crossorigin="anonymous" async></script>
<attachkit-verify data-pdf-url="https://example.com/your-signed.pdf"></attachkit-verify>

The integrity hash is generated at deploy time and embedded into the snippet generator on /verify — copy from there for the production-ready snippet with the live SRI hash.

Live demo

The element below is loaded exactly the way third-party sites will load it. It verifies AttachKit's own test fixture from the public bucket — drop a different file on it to test yours.

Auto-fetch mode

Dropzone mode

Attributes

Attribute            Values         Description
data-pdf-url         URL            When set, the element fetches the PDF and verifies on mount. Mutually exclusive with data-mode="dropzone".
data-mode            dropzone       Render a drop zone. Visitors drop a PDF and see the verification card.
data-theme           light | dark   Optional. Defaults to light. Affects card colors.
data-dropzone-label  string         Replace the drop-zone prompt with custom text.

Events

Listen for verification results to trigger your own analytics or UI changes.

document.querySelector("attachkit-verify")
  .addEventListener("attachkit:verified", (e) => {
    const report = e.detail;
    console.log("overall:", report.overall);
    console.log("webauthn:", report.webauthn.state);
    // see https://attachkit.com/docs/verify-report for the full shape
  });

document.querySelector("attachkit-verify")
  .addEventListener("attachkit:error", (e) => {
    console.warn("Verification failed:", e.detail.reason);
  });

Privacy

  • ✓ Verification runs entirely in the visitor's browser via WebCrypto and the bundled verifier.
  • ✓ No call to attachkit.com during verify. We never see the PDF, the URL it came from, or the visitor.
  • ✓ The bundle is a single static asset (no runtime fetch beyond loading the script itself).
  • ✓ Works on offline pages once the script is cached.
  • ⚠ Requires HTTPS — WebCrypto needs a secure context. On http:// the element renders a clear error message instead of silently failing.

CSP, CORS & redirects

  • CSP: if your site uses a strict Content-Security-Policy, add script-src https://attachkit.com. The bundle uses inline event listeners on its custom element so no script-src 'unsafe-inline' is needed.
  • CORS: when verifying a PDF on a different origin via data-pdf-url, that origin must serve Access-Control-Allow-Origin: * (or your specific embedder origin). Browsers block cross-origin reads otherwise.
  • Redirects: the embed fetches with redirect: "error" so a 302 doesn't silently route your visitor to a different origin. That means signed-URL setups (S3 with a 302 redirect to the time-limited URL, CloudFront origin-failover, etc.) won't work — embed the final URL directly, or have your server return 200 with the bytes. If you need the redirect-follow behavior, drop-mode (data-mode="dropzone") still works — visitors drop the file directly.
  • Referrer: the embed sets referrerPolicy: "no-referrer" on the PDF fetch so your visitors' pages aren't leaked to the third-party PDF host.
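
A pre-deployment check for a data-pdf-url target, covering the CORS and redirect rules above. This is an added example, not AttachKit's code: the function names, result labels and sample hosts are hypothetical, and the live probe assumes Node 18+ with its built-in fetch.

```javascript
// Added example (hypothetical helper names; not part of verify-embed.js).
// Classify why a browser fetch made with redirect: "error" from the embedding
// page would fail, given the status and headers the PDF host returned.
function embedProblems(pdfUrl, embedderOrigin, status, headers) {
  const problems = [];
  const pdfOrigin = new URL(pdfUrl).origin;
  const pageOrigin = new URL(embedderOrigin).origin;
  // WebCrypto needs a secure context, so the embedding page must be HTTPS.
  if (!pageOrigin.startsWith("https://")) problems.push("page-not-https");
  // Any 3xx rejects the fetch under redirect: "error" (signed-URL 302s, etc.).
  if (status >= 300 && status < 400) return problems.concat("redirect");
  // The docs ask for a direct 200 with the PDF bytes.
  if (status !== 200) problems.push("status-" + status);
  // Cross-origin reads need Access-Control-Allow-Origin: * or the page origin.
  if (pdfOrigin !== pageOrigin) {
    const acao = headers["access-control-allow-origin"];
    if (acao !== "*" && acao !== pageOrigin) problems.push("cors");
  }
  return problems;
}

// Live probe for Node 18+: redirect: "manual" exposes the 3xx instead of
// following it; the Origin header lets hosts that echo the origin respond.
async function checkPdfUrl(pdfUrl, embedderOrigin) {
  const res = await fetch(pdfUrl, {
    redirect: "manual",
    headers: { Origin: embedderOrigin },
  });
  const headers = Object.fromEntries(res.headers);
  return embedProblems(pdfUrl, embedderOrigin, res.status, headers);
}

// Constructed sample responses (not captured from any real host).
const PAGE = "https://shop.example.com";
const SAMPLES = [
  ["https://cdn.example.net/a.pdf", 200, { "access-control-allow-origin": "*" }],
  ["https://cdn.example.net/a.pdf", 302, { location: "https://s3.example.net/x" }],
  ["https://cdn.example.net/a.pdf", 200, {}],
  ["https://shop.example.com/a.pdf", 200, {}],
];

// One comma-joined problem list per sample; an empty string means no problems.
function runSamples() {
  return SAMPLES.map(([url, status, h]) => embedProblems(url, PAGE, status, h).join(","));
}

console.log(runSamples());
```

An empty list means the URL can be embedded as-is; "redirect" means the final URL has to be embedded directly or the file offered through dropzone mode.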