QorTrace

How to embed badges, share verification links, and validate a third-party audit.

Every QorTrace audit is publicly verifiable. Here's how to use that.

Sharing your own audit

Public verify URL

Send anyone the link /verify/<audit_id>. They'll see the audit summary, methodology version, and a "Tamper-evident PDF" indicator. Your source code is never disclosed through this surface.

Embed a badge

Drop one of these in your README:

MARKDOWN
[![QorTrace Audited](https://qortrace.com/api/audits/<id>/badge.svg?style=pill)](https://qortrace.com/verify/<id>)

Style options: pill, card, watermarked-pill. The SVG re-renders on every request so the metadata always reflects the latest published version of the audit.

LinkedIn / Twitter / X

The verify URL has Open Graph and Twitter Card metadata baked in. Paste the link and you'll get a rich preview with the verdict and methodology version.

Verifying someone else's audit

Got a vendor / counterparty waving an audit certificate around? Verify it in 10 seconds.

  1. Visit /verify and paste the audit ID (or the full URL).
  2. Or upload their PDF — we hash it and confirm the signature against our signing key.
  3. You'll see:
    • Methodology version (look for v0.2 or later)
    • Auditor identity (Standard = QorTrace AI; Deep Dive = the senior auditor + peer reviewer)
    • Severity summary
    • Date issued + last verified

What "tamper-evident" actually means

Every audit PDF is signed with our internal Ed25519 audit-signing key. The signature covers the entire body — change a single byte and the verification fails. Our public key is published at /security and rotated annually with a publicly logged transition window.
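The check described above, as an added example in Go (not QorTrace's own code): a locally generated Ed25519 pair stands in for the audit-signing key and a constructed byte string stands in for the PDF body, both assumptions. Flipping one bit of the body makes verification fail, and the SHA-256 checksum a reviewer would record changes with it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// NewSigningKey makes a fresh Ed25519 pair standing in for the QorTrace
// audit-signing key, which this page does not publish (assumption).
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignAuditPDF produces a detached signature over the entire PDF body.
func SignAuditPDF(priv ed25519.PrivateKey, pdf []byte) []byte {
	return ed25519.Sign(priv, pdf)
}

// VerifyAuditPDF checks the detached signature against the published key. Length checks
// first, so a malformed key or signature is a clean false, not a panic in ed25519.Verify.
func VerifyAuditPDF(pub ed25519.PublicKey, pdf, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, pdf, sig)
}

// Checksum is the hex SHA-256 of the PDF bytes, the value a reviewer records in workpapers.
func Checksum(pdf []byte) string {
	sum := sha256.Sum256(pdf)
	return hex.EncodeToString(sum[:])
}

// TamperedCopy returns a copy of pdf with one bit flipped at offset i (the original is untouched).
func TamperedCopy(pdf []byte, i int) []byte {
	out := append([]byte(nil), pdf...)
	out[i%len(out)] ^= 0x01
	return out
}

func main() {
	pub, priv, _ := NewSigningKey()
	pdf := []byte("%PDF-1.7\n% constructed audit body, not a real report\n") // constructed sample
	sig := SignAuditPDF(priv, pdf)
	fmt.Println("original:", VerifyAuditPDF(pub, pdf, sig), "one bit flipped:", VerifyAuditPDF(pub, TamperedCopy(pdf, 20), sig))
	fmt.Println("sha256:", Checksum(pdf))
}
```

In practice the public key comes from /security rather than a local pair, and during an annual rotation window a PDF may validate under the previous key, so check which key the page lists as current before treating a failure as tampering.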

For compliance reviewers

Hit /methodology/receipt/<audit_id> for a stamped, downloadable PDF receipt that maps the audit findings to:

  • NIST FIPS 203 / 204 / 205
  • NSA CNSA 2.0
  • ISO 27001
  • SOC 2 (Trust Services Criteria)
  • EU DORA
  • FFIEC

The receipt is signed and includes a checksum reviewers can paste into their workpapers.