Inboard Audit
Verify any Inboard-published snippet
Every install template Inboard customers publish is signed with an Ed25519 key held by Inboard. The public side of that key is at /.well-known/inboard-signing-key.pem; historical and revoked keys are listed at /.well-known/inboard-signing-keys.json. Use the lookups below to inspect any signed snippet — pages run verification in your own browser, with no Inboard-controlled JavaScript in the trust path beyond the page itself.
How verification works
- Each published install-template version is canonicalised (stable JSON, sorted object keys), then SHA-256 hashed. That digest is what we sign.
- The signature, key id, content hash, and signed-at timestamp are written to an immutable signature row. Republishing the same content produces the same hash, but a fresh signed-at.
- Audit pages re-fetch the canonical payload from https://api.inboard.dev/v1/versions/<id>/signature, re-canonicalise and re-hash it with the browser's WebCrypto SHA-256, then verify the Ed25519 signature against the public key under the matching key_id in the catalog. Anyone can do this independently — every step is deterministic from the published data.
Key rotation
Inboard rotates its signing key at least annually, and immediately on any suspected compromise. Old keys remain in the public catalog so historical signatures continue to verify; their status field flips from active to retired or revoked. New snippet versions are always signed with the current active key. See /security for the disclosure path if you suspect a key compromise.