Publisher - Trusted PDF Sealing | Trusted Signatures

Q: Can recipients fill forms or add comments without breaking the seal?

Yes. DocMDP policies can allow form fill and annotations while still blocking unauthorized content edits.

Q: Will sealed PDFs validate in Adobe Acrobat/Reader and downstream systems (PAdES + LTV)?

Yes. Publisher supports ISO 32000 signatures with X.509 chain data and optional RFC 3161 + OCSP/CRL embedding for long-term validation.

Q: How can we preview what sealed vs. unsealed looks like before buying?

Use the free PDF Validator to compare trust and integrity signals before rollout.

Q: How is pricing structured for Publisher and Identity?

Publisher is a usage-based subscription. Publisher Identity (AATL or EU Advanced OrgID) is an annual add-on.

Q: Where are the signing keys kept?

Keys are non-exportable and held in FIPS 140-3 Level 3 HSMs; signing operations occur inside the module.

Keep Your Workflow, Add Visible Trust

Publisher adds tamper-evident trust to PDFs you already generate. Use API, CLI, Web sealing, Zapier, Cloud Connector, or Power Automate from your existing systems, keep documents in your environment, and let recipients verify trust directly in Acrobat/Reader.

When to use Publisher

Use it when invoices, agreements, reports, or filings leave your system and need clear origin and integrity checks without a portal workflow.

file uploads required

Seal in place. Your PDFs remain in your infrastructure.

integration paths

API, CLI, Web sealing, Zapier, Cloud Connector, and Power Automate cover product, ops, and workflow teams.

Up to 4

reader-visible trust signals

Integrity, signer, timestamp, and revocation context when configured and supported.

signing endpoint pattern

Adopt one digest-signing call across export and delivery workflows.

ISO 32000 signatures PAdES profile support RFC 3161 timestamps (optional) OCSP/CRL embedding (optional) FIPS 140-3 Level 3 HSM custody

Quick answer

Use Web sealing when you want to seal PDFs directly in the browser without uploading documents to Trusted Signatures. Test users can seal with a test certificate that does not produce an Acrobat blue seal. Publisher subscribers can seal with the Trusted Signatures certificate, and Publisher Identity subscribers can seal with their organization certificate so Acrobat shows their company as the sealer.

Start Technical Eval

Operational Proof

Evaluate in the stack you already run

Most teams start with one document flow and verify outcomes in Acrobat before broad rollout.

Product/API teams

Embed digest-signing in export pipelines.

Ops/CLI teams

Seal batches from CI/CD and scheduled jobs.

Browser teams

Seal locally in the browser without sending PDFs to our servers.

Workflow teams

Connect no-code flows with Zapier or Power Automate.

Cloud teams

Run Cloud Connector deployments in Azure, AWS, GCP, or Kubernetes.

Signer workflows

Add trust controls around Documenso outputs.

Open Documentation

How it works

Step 1: Connect

Integrate with API, CLI, Web sealing, Zapier, Cloud Connector, or Power Automate where your documents are already generated.

Step 2: Seal

Apply a standards-based PDF seal with optional LTV evidence and DocMDP policy controls.

Step 3: Verify

Recipients open in Acrobat/Reader and see trust outcomes based on reader trust-store configuration.

For implementation details, start with our API docs, CLI docs, Web sealing guide, Zapier docs, or the cloud connector product pages.

Paths by role

For Developers

Ship trust controls with minimal surface area. Use one digest-signing endpoint for export workflows, keep files local, and roll out via API, CLI, Web sealing, Zapier, Cloud Connector, or Power Automate.

Use API docs

For Security & Compliance

Make document integrity review exception-based. Verify origin/integrity in recipient readers and support audit narratives with standards-aligned evidence.

Security Overview

Book Demo

Outcomes for your team

Fewer document authenticity disputes and callback loops.
Faster approval decisions because trust status is visible on open.
Exception-based review for altered documents instead of manual spot checks.
Portable evidence aligned to widely used PDF and PKI standards.

Capabilities

Capability Summary

Seal in place, expose tamper evidence, support reader-native verification, and automate rollout with API, CLI, Web sealing, Zapier, Cloud Connector, Power Automate, and policy controls.

Seal in place (no uploads)

Trigger sealing from your app or export path; PDFs stay in your environment.

Tamper-evident sealing

Unauthorized edits are surfaced during reader validation checks.

Reader-visible trust indicators

Acrobat/Reader can show signer and certification details when trust paths are configured.

PAdES + LTV support

Embed RFC 3161 timestamp and OCSP/CRL evidence for long-term verifiability.

Reader-native validation

Works in Acrobat/Reader and other compatible PAdES viewers without plugins.

Built for automation

Use API, CLI, Web sealing, Zapier, Cloud Connector, or Power Automate in product workflows, CI/CD, scheduled batch jobs, or local browser flows.

DocMDP controls

Allow approved forms/comments while blocking unauthorized content edits.

FieldMDP controls

Lock specific fields, including signature fields, without breaking trust policy.

Integrations: API, CLI, Web sealing, Cloud Connector, and Workflow Automation

API Integration

Embed sealing in product workflows. Attach sealing to export/download flows with HMAC-authenticated requests.

Open API docs

CLI Automation

Run from CI/CD and operations. Seal batches and scheduled outputs without changing downstream readers.

Open CLI docs

Web sealing

Seal PDFs directly in the browser. Documents stay local, and subscribers can choose test, Trusted Signatures, or organization certificates based on plan.

Open Web sealing guide

Zapier Automation

Connect no-code workflow triggers. Seal files from app events and handoffs without custom integration code.

Open Zapier docs

Cloud Connector

Run Publisher through customer-managed cloud connectors in Azure, AWS, GCP, or Kubernetes when orchestration must stay in your cloud.

See Cloud Connector

Power Automate

Trigger trusted sealing from Power Automate workflows through your Cloud Connector for Azure deployment.

See Power Automate

Certificate options for Web sealing

Test certificate

Available without a subscription. The PDF is sealed locally in the browser, but Acrobat will not show a blue trusted seal and the file is not Adobe-verifiable.

Publisher certificate

Publisher subscribers can seal in the browser with the Trusted Signatures certificate. Documents stay local and Acrobat shows Trusted Signatures as the sealer.

Publisher Identity certificate

Publisher Identity subscribers can seal in the browser with their organization certificate so Acrobat shows their company or organization as the sealer.

Time to First Sealed PDF

CLI quickstart in three commands

Run this from your terminal to validate integration speed before wider rollout.

publisher-quickstart.sh


export TS_API_KEY_ID=""
export TS_API_KEY=""
sign-pdf --input input.pdf --output signed.pdf --apikeyid "$TS_API_KEY_ID" --apikey "$TS_API_KEY"

Full CLI Quickstart Start Technical Eval

Trust and standards

Publisher seals follow ISO 32000/PDF signature structures and standard X.509 chain validation behavior. Optional RFC 3161 timestamping and OCSP/CRL embedding support long-term validation requirements in Adobe workflows.

This allows trust verification to stay with the document. Recipients can validate origin and integrity in Acrobat/Reader without relying on a separate portal or proprietary viewer. On-screen trust banners depend on the viewer trust store and local configuration.

Need your organization to appear as the signer? Add Publisher Identity for AATL or EU Advanced trust paths.

Trust documentation

Review service boundaries, custody model, and verification behavior.

Open trust docs

Implementation reference

Run API, CLI, Web sealing, Zapier, Cloud Connector, or Power Automate paths with explicit controls for LTV and policy settings.

Open CLI docs

Security overview

Map standards and custody decisions to internal security review criteria.

Open security overview

Run Publisher in your cloud (Azure, AWS, more)

Deploy Publisher connectors into your Azure, AWS, Google Cloud, or Kubernetes environment. Orchestration runs in your cloud; sealing still happens in Trusted Signatures’ secure service. Ideal for teams already managing cloud networks and automation flows.

Runs in your own cloud accounts/tenants
Works with Power Automate (Azure); AWS/GCP/K8s
Predictable monthly or annual subscription licensing (details on Cloud page)

Pricing at-a-glance

Publisher - Trusted PDF Sealing is a monthly pay-as-you-go subscription with a transparent, usage-based sliding scale. See the Publisher estimator on our pricing page.

The same Publisher subscription supports Web sealing, CLI, API, Cloud Connector, and Zapier usage. Web sealing is billed with the same usage model as API and CLI sealing.

What’s included

Identity & keys: certificates/keys are issued and managed by Trusted Signatures (no BYO)
Custody: FIPS 140-3 Level 3 HSM custody, monitoring, renewals, incident response
Support: issuance, lifecycle, incident handling, and compliance guidance

See Pricing

Publisher Identity

Validate Before Rollout

Run a side-by-side trust check now

Use PDF Validator to compare unsealed and sealed PDFs, confirm reader-visible trust signals, and align stakeholders before production rollout.

Open PDF Validator Start Technical Eval

Frequently Asked Questions

Is this an e-signature workflow tool?

No. Publisher seals PDFs and proves integrity/origin; it is not a routing workflow for signer approvals.

Will recipients need to install anything?

No. Validation is reader-native in Adobe Acrobat/Reader and other compatible PAdES viewers.

What does Acrobat/Reader show after sealing?

In compatible trust configurations, recipients can see certified trust indicators and signer details. Unauthorized edits are flagged when validation fails.

Try PDF Validator

Can recipients fill forms or add comments without breaking the seal?

Yes. Configure DocMDP policy to allow forms and comments while still blocking unauthorized content edits.

View Docs

Will sealed PDFs validate in Adobe Acrobat/Reader and downstream systems (PAdES + LTV)?

Yes. Publisher supports ISO 32000 signatures with X.509 chain data and optional RFC 3161 + OCSP/CRL embedding for long-term validation.

Trust Details

Do we have to upload files to Trusted Signatures to seal them?

No. Files stay in your environment. Publisher works in place through API, CLI, Web sealing, Zapier, Cloud Connector, or Power Automate automation.

How can we preview what sealed vs. unsealed looks like before buying?

Use the free PDF Validator to compare trust and integrity signals before rollout.

PDF Validator

How is pricing structured for Publisher and Identity?

Publisher is a usage-based subscription. Web sealing uses the same usage pricing as CLI and API sealing. Publisher Identity (AATL or EU Advanced OrgID) is an annual add-on.

See Pricing Publisher Identity

Where are the signing keys kept?

Keys are non-exportable and held in FIPS 140-3 Level 3 HSMs; signing operations occur inside the module.

Security Details

Can we bring our own certificate? How do we show our organization as the signer?

BYO certificates are not supported. To display your organization as signer in Acrobat, add Publisher Identity.