Developer Documentation
Integra Veltia en tu stack tecnológico en menos de 5 minutos y empieza a emitir evidencias legales con validez europea.
sk_test_tu_clave_aquiEstás viendo una clave de ejemplo. Regístrate para obtener tu clave real.
Zero-Storage & eIDAS 2.0
Veltia ha sido diseñado bajo el principio de Privacy by Design. Nuestra infraestructura permite la notarización de documentos sin necesidad de acceder a su contenido.
Hash-Only
Solo procesamos el hash SHA-256 de tus archivos. El documento original nunca sale de tus servidores.
eIDAS Compliance
Cumplimiento estricto con el reglamento (UE) Nº 910/2014 para sellos electrónicos cualificados.
Entornos de Trabajo
Veltia ofrece dos entornos aislados para garantizar la seguridad de tus operaciones.
| Entorno | Prefijo Key | TSA Provider | Propósito |
|---|---|---|---|
| Sandbox | sk_test_ | FreeTSA (Open) | Pruebas ilimitadas. Evidencia con marcas de agua "TEST". |
| Production | sk_live_ | Qualified (QTSA) | Validez legal cualificada. Requiere créditos activos. |
Trust Event API (/trust-event)
Ideal for high-volume automated processes: contracts, identity evidence, or critical data sealing. (Auth: x-api-key)
curl -X POST https://evrqfolssasuskyniuum.supabase.co/functions/v1/trust-event \
-H "x-api-key: sk_test_tu_clave_aqui" \
-H "Content-Type: application/json" \
-d '{
"data_hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41..."
}'Vía B: Billeteras de Identidad Digital Europea (/wallet-request)
{{ lang.currentLang === 'es' ? 'Para flujos de firma de alto nivel de garantía donde la identidad biométrica y gubernamental del usuario debe ser autenticada y vinculada a la evidencia.' : 'For high assurance signature flows where the user's biometric and governmental identity must be authenticated and bound to the evidence.' }} (Auth: x-api-key + IP Whitelisting)
curl -X POST https://evrqfolssasuskyniuum.supabase.co/functions/v1/wallet-request \
-H "x-api-key: sk_test_..." \
-H "Content-Type: application/json" \
-d '{
"data_hash": "64_char_sha256_hash",
"trust_level": 30,
"subject_id": "customer_123"
}'Webhooks
Configure a URL in your Dashboard to receive real-time notifications when a signature is completed.
- Go to the API tab in your Dashboard.
- Enter your destination URL in "Webhook Settings".
- Veltia will send a POST request every time a document is notarized.
- Validate authenticity using the "x-veltia-signature" header (HMAC-SHA256).
x-veltia-signature: t=1717253119,v1=5e884898da28047151...{
"event": "trust_event.finalized",
"created_at": "2026-02-15T03:00:00Z",
"data": {
"id": "evt_8k93...x2",
"doc_hash": "e3b0c4...41",
"trust_level": 30,
"is_live": false,
"trust_receipt": "eyJhbGciOiJIUzI1NiJ9..."
}
}const crypto = require('crypto');
function verifyWebhook(rawBody, signatureHeader, webhookSecret) {
// 1. Parse header (t=timestamp, v1=signature)
const parts = signatureHeader.split(',');
const timestamp = parts.find(p => p.startsWith('t=')).split('=')[1];
const signature = parts.find(p => p.startsWith('v1=')).split('=')[1];
// 2. Prevent Replay Attacks: Reject if timestamp is older than 5 minutes (300s)
const age = Math.floor(Date.now() / 1000) - Number(timestamp);
if (Math.abs(age) > 300) {
throw new Error('Webhook timestamp expired. Replay attack blocked.');
}
// 3. Compute expected signature using raw request body
const expectedSignature = crypto
.createHmac('sha256', webhookSecret)
.update(`${timestamp}.${rawBody}`)
.digest('hex');
// 4. Secure constant-time comparison to prevent timing attacks
return crypto.timingSafeEqual(
Buffer.from(signature, 'hex'),
Buffer.from(expectedSignature, 'hex')
);
}Advanced Security
Protect your account by restricting which servers can call the Veltia API.
- Go to the "IP Whitelisting" section in the API tab.
- Enter the public IPs of your servers (comma-separated).
- Veltia will reject any request (403) that does not come from those IPs.
Error Codes
| Code | Description | Solution |
|---|---|---|
400 | Invalid Hash | Ensure you are sending a valid SHA-256. |
401 | Unauthorized | Incorrect or revoked API Key. |
402 | No Credits | Reload credits in your dashboard (Live mode only). |
403 | Forbidden (IP) | The source IP is not in your whitelist. |
429 | Rate Limit | Sandbox limit of 10 daily requests reached. |