Standard v2.0

Developer Documentation

Integra Veltia en tu stack tecnológico en menos de 5 minutos y empieza a emitir evidencias legales con validez europea.

TU API KEY ACTUALsk_test_tu_clave_aqui

Estás viendo una clave de ejemplo. Regístrate para obtener tu clave real.

Zero-Storage & eIDAS 2.0

Veltia ha sido diseñado bajo el principio de Privacy by Design. Nuestra infraestructura permite la notarización de documentos sin necesidad de acceder a su contenido.

Hash-Only

Solo procesamos el hash SHA-256 de tus archivos. El documento original nunca sale de tus servidores.

eIDAS Compliance

Cumplimiento estricto con el reglamento (UE) Nº 910/2014 para sellos electrónicos cualificados.

Entornos de Trabajo

Veltia ofrece dos entornos aislados para garantizar la seguridad de tus operaciones.

EntornoPrefijo KeyTSA ProviderPropósito
Sandboxsk_test_FreeTSA (Open)Pruebas ilimitadas. Evidencia con marcas de agua "TEST".
Productionsk_live_Qualified (QTSA)Validez legal cualificada. Requiere créditos activos.

Trust Event API (/trust-event)

Ideal for high-volume automated processes: contracts, identity evidence, or critical data sealing. (Auth: x-api-key)

[ZK AXIOM]: We only process Hashes. Your documents never leave your network.
curl -X POST https://evrqfolssasuskyniuum.supabase.co/functions/v1/trust-event \
  -H "x-api-key: sk_test_tu_clave_aqui" \
  -H "Content-Type: application/json" \
  -d '{
    "data_hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41..."
  }'

Vía B: Billeteras de Identidad Digital Europea (/wallet-request)

{{ lang.currentLang === 'es' ? 'Para flujos de firma de alto nivel de garantía donde la identidad biométrica y gubernamental del usuario debe ser autenticada y vinculada a la evidencia.' : 'For high assurance signature flows where the user's biometric and governmental identity must be authenticated and bound to the evidence.' }} (Auth: x-api-key + IP Whitelisting)

1
Create signature session: Submit the document hash to be signed specifying the desired trust level.
2
Get Authorization URI: Veltia responds with a eudiw:// URI that you can render as a QR code or use to launch the wallet app.
3
Signature & Webhook: Upon user mobile confirmation, we process the signature and notify you via Webhook containing the JWS receipt.
curl -X POST https://evrqfolssasuskyniuum.supabase.co/functions/v1/wallet-request \
  -H "x-api-key: sk_test_..." \
  -H "Content-Type: application/json" \
  -d '{
    "data_hash": "64_char_sha256_hash",
    "trust_level": 30,
    "subject_id": "customer_123"
  }'

Webhooks

Configure a URL in your Dashboard to receive real-time notifications when a signature is completed.

  1. Go to the API tab in your Dashboard.
  2. Enter your destination URL in "Webhook Settings".
  3. Veltia will send a POST request every time a document is notarized.
  4. Validate authenticity using the "x-veltia-signature" header (HMAC-SHA256).
WEBHOOK HEADERS
x-veltia-signature: t=1717253119,v1=5e884898da28047151...
WEBHOOK PAYLOAD (POST)
{
  "event": "trust_event.finalized",
  "created_at": "2026-02-15T03:00:00Z",
  "data": {
    "id": "evt_8k93...x2",
    "doc_hash": "e3b0c4...41",
    "trust_level": 30,
    "is_live": false,
    "trust_receipt": "eyJhbGciOiJIUzI1NiJ9..."
  }
}
NODE.JS SIGNATURE VERIFICATION (REPLAY PROTECTION)
const crypto = require('crypto');

function verifyWebhook(rawBody, signatureHeader, webhookSecret) {
  // 1. Parse header (t=timestamp, v1=signature)
  const parts = signatureHeader.split(',');
  const timestamp = parts.find(p => p.startsWith('t=')).split('=')[1];
  const signature = parts.find(p => p.startsWith('v1=')).split('=')[1];

  // 2. Prevent Replay Attacks: Reject if timestamp is older than 5 minutes (300s)
  const age = Math.floor(Date.now() / 1000) - Number(timestamp);
  if (Math.abs(age) > 300) {
    throw new Error('Webhook timestamp expired. Replay attack blocked.');
  }

  // 3. Compute expected signature using raw request body
  const expectedSignature = crypto
    .createHmac('sha256', webhookSecret)
    .update(`${timestamp}.${rawBody}`)
    .digest('hex');

  // 4. Secure constant-time comparison to prevent timing attacks
  return crypto.timingSafeEqual(
    Buffer.from(signature, 'hex'),
    Buffer.from(expectedSignature, 'hex')
  );
}

Advanced Security

Protect your account by restricting which servers can call the Veltia API.

  1. Go to the "IP Whitelisting" section in the API tab.
  2. Enter the public IPs of your servers (comma-separated).
  3. Veltia will reject any request (403) that does not come from those IPs.
NOTICE: If the list is empty, requests from any IP are allowed by default.

Error Codes

CodeDescriptionSolution
400Invalid HashEnsure you are sending a valid SHA-256.
401UnauthorizedIncorrect or revoked API Key.
402No CreditsReload credits in your dashboard (Live mode only).
403Forbidden (IP)The source IP is not in your whitelist.
429Rate LimitSandbox limit of 10 daily requests reached.