About HTPBE?
A KYC platform confirms a person is who they claim to be. It cannot tell you whether the bank statement they uploaded was edited in Excel an hour earlier. That gap is where document fraud lives — and it is the only thing HTPBE? looks at.
The name
HTPBE? stands for Has This PDF Been Edited? — the product name, not a random code. Say it letter by letter, H-T-P-B-E, like “FBI” or “API”. More in the FAQ.
The mission
The Layer Your Fraud Stack Doesn’t Read
Most fraud tooling checks identity and content. Almost none of it reads the PDF as a file — the cross-reference tables, the incremental-update chains, the producer strings, the signature layer, the way fonts are assembled. A forged document can pass every identity check and still carry, in its own bytes, clear evidence that it was rebuilt after issuance.
HTPBE? is a single-purpose forensic API for exactly that layer. Upload a PDF by URL, and it runs 61 structural checks, then returns a verdict — intact, modified, or inconclusive — with named findings, not a vague risk score. It runs alongside your KYC stack, not instead of it.
The product is deliberately narrow. It does not verify identity, it does not read the meaning of the text, and it will never help anyone build a fake. It catches structural tampering, and it stays honest about the limits of what bytes alone can prove.
Who builds it
Iurii Rogulia
Founder & Engineer
I have been building software professionally since 2001 — 25+ years across logistics, manufacturing, and IT, the last decade as a fractional CTO and solo engineer shipping production SaaS end to end.
HTPBE? is mine top to bottom: the forensic detection engine, the REST API, the billing, the infrastructure, and the site you are reading. No outsourced core, no black-box vendor doing the hard part — the algorithm that decides a verdict is code I wrote and can defend line by line.
I would rather ship one honest verdict than a dashboard full of confident guesses. If a file’s history cannot be proven from its structure, the API tells you that plainly instead of pretending otherwise.
Under the hood
One Word Back. A Forensic Lab Behind It.
A forged document sails through identity checks. Its own bytes give it away. Four steps from upload to verdict:
- 01
Your file never sits on a server
Straight from the browser into encrypted storage, read once in memory, then gone.
Cloudflare R2 - 02
The file, not the picture
A viewer shows one clean page. HTPBE opens the raw construction record underneath it.
Node.jspdf-lib - 03
61 checks, all at once
Each hunts one tell: a forged producer, a signature broken after signing, pages grafted in from another file.
TypeScript - 04
One honest verdict in seconds
Intact, modified, or inconclusive — by fixed rules, no AI guessing. If the bytes cannot prove it, it says so.
PostgreSQL
The whole stack
Engineered End to End, by One Person
Every layer is mine — no outsourced core, no black-box vendor. The checks follow the PDF specification (ISO 32000), not hunches: every verdict is deterministic, reproducible, and explainable, measured against a growing set of real forged documents before it ships.
Detection engine
The forensic core that reads and scores every byte.
Web & API
The site you are reading, the dashboard, and the REST endpoint.
Data & storage
Results, keys, uploads, and rate counters.
Platform
Auth, billing, and the regression suite guarding every release.
How I operate
Four Principles the Product Is Built On
These are not slogans. Each one is a constraint that decides what gets built and, just as often, what deliberately does not.
Honesty over hype
A verdict is only useful if it is honest. When the evidence is inconclusive, the API says so — it never fabricates certainty to look impressive.
I detect, I never help forge
The whole product exists to catch tampering. I deliberately do not build, market, or serve anything that helps someone create a convincing fake.
Your files are not my dataset
Documents are downloaded, analyzed in memory, and discarded. Only structural metadata and the verdict are kept — never the file content.
Structure, not identity
It reads the bytes: cross-reference chains, producers, signatures, fonts. It does not do KYC, identity, or content verification — it sits alongside the tools that do.
In the open
The Receipts, Not a Sales Pitch
Trust in a fraud-detection tool is earned by what you can inspect, not by the size of the team. Here is what stays public.
Changelog
Every detection change, dated and versioned. See exactly how the algorithm evolves.
Status
Live uptime and incident history for the API and the web app.
API Reference
One POST with a PDF URL. Full request and response contract, with error codes.
GitHub Docs
Public, versioned documentation for the endpoints — out in the open.
Secure your workflow
Create your account — API key on signup, free test environment on every plan.
From $15/mo. No sales call. Cancel any time.
