Find answers to common questions about PDF authenticity checking.
HTPBE? (Has This PDF Been Edited?) is a free online service that detects whether a PDF document has been modified after it was originally created. Upload your PDF and get an instant result in seconds — no registration, no payment, no technical knowledge required. Files up to 10 MB are supported.
The service analyzes the PDF’s internal structure, metadata, and creation history to detect any signs of post-creation modifications. Results come in three states: Intact (no modification found), Modified (modification detected), or Cannot Determine (the PDF was created with consumer software such as Microsoft Word or Google Docs, where anyone can create a document from scratch).
HTPBE? uses multi-layer forensic analysis to detect post-creation modifications. The system examines:
The detailed metadata and findings on the result page explain the reasoning behind each verdict.
HTPBE? is used across many real-world situations:
In every scenario, HTPBE? provides a quick first check to identify potentially tampered documents, helping you make safer decisions in transactions and business dealings.
The service is used by anyone who receives PDF documents and needs to trust their authenticity before making a decision:
Yes — the web tool at htpbe.tech is completely free and unlimited for manual checks. You can upload PDFs up to 10 MB, receive instant analysis, and access detailed results including metadata, findings, and modification verdict. No registration, no payment, no quota.
For developers and businesses needing programmatic access, the API offers monthly subscription plans starting at $15/mo. The free web tool does not consume any API quota.
Yes. HTPBE? is built around a strict privacy model:
HTPBE? stands for Has This PDF Been Edited? — it is the product name, not a random code.
How to say it: pronounce it letter by letter: H-T-P-B-E (like “FBI” or “API”). That is the clearest option for calls, support, and demos because the letters do not spell one obvious English word.
For what the service actually checks, see What is HTPBE, and what does it do?
KYC platforms check that a document looks authentic — correct template, matching identity, valid format. HTPBE? checks whether the specific PDF file was modified after it was generated. These are different layers of fraud detection.
A bank statement can pass every KYC template check and still have edited balances. HTPBE? detects the modification at the file structure level — xref tables, incremental updates, producer field inconsistencies.
The API returns a structured JSON verdict: INTACT, MODIFIED, or INCONCLUSIVE. For modified documents, the response includes specific modification_markers — the named forensic signals that triggered the verdict, such as “Multiple xref tables detected” or “Incremental update chain length: 3”.
No black-box scores — every verdict is explained. See the full response schema at github.com/htpbe/docs.
Plans are monthly subscriptions: Starter at $15/mo (30 checks), Growth at $149/mo (350 checks), Pro at $499/mo (1,500 checks). There is no per-check billing — your quota resets monthly.
The free web tool at htpbe.tech is unlimited for manual checks and does not consume API quota.
Yes. Test keys (htpbe_test_...) are available on all plans including before you subscribe. They return deterministic synthetic results for integration testing and do not consume monthly quota.
Test keys only accept test URLs — they cannot be used to analyze real documents.
Yes — this is the primary use case for lending teams. HTPBE? detects edited bank statements at the file structure level: multiple xref tables indicating post-export editing, producer field showing Excel or a consumer PDF tool instead of a banking system, and modification timestamps that differ from creation timestamps.
See the fake bank statement detection guide for integration details.
If your document was issued by a real institution — a state register, a court, a bank, a payroll system — and HTPBE? returns INCONCLUSIVE instead of INTACT, that does not mean the document is forged. It means HTPBE? cannot structurally prove that the file was not modified after creation. The document may well be genuine; the verdict reflects the limits of structural analysis, not the document itself.
HTPBE? promises only one thing: detect post-creation modification of the PDF file. To say INTACT we need positive evidence that the file is structurally indistinguishable from the moment it was generated. That evidence does not exist when the document was produced by a tool that anyone can install or use:
In every category the same logic applies: the production tool is public, the output is reproducible, and there is no cryptographic anchor (a digital signature, an issuer’s certificate) that ties the file to a specific source. We refuse to call that file INTACT because doing so would let forgers run the same public tool and inherit a green check.
HTPBE? is built to catch the most common attack: a contractor or counterparty receives a legitimate institutional document, opens it in an editor, changes a number or a name, and forwards the modified file. That category leaves structural fingerprints — multiple xref tables, mismatched generator strings, font-subset divergence, signature-coverage gaps — and HTPBE? is designed to surface them as MODIFIED.
What HTPBE? cannot do is verify fabricated-from-scratch documents. A forger who builds a counterfeit registry extract from scratch in wkhtmltopdf produces a structurally clean file. That is exactly the case we mark INCONCLUSIVE rather than INTACT: structural cleanliness is not authenticity, and we will not pretend otherwise.
For details on the categories themselves, see Can someone create a fake document from scratch? and How HTPBE? determines whether a PDF was modified.
Payment confirmation fraud is a real problem in online transactions. When someone sends you a PDF screenshot or receipt as “proof of payment”, it could have been digitally edited to fake the transaction details.
Common fraud scenarios:
How HTPBE? helps: By checking if the PDF has been modified, you can quickly identify suspicious payment confirmations. If a payment screenshot shows as “modified” in our analysis, it’s a red flag that the document may have been tampered with.
Important: Always check payment through your actual bank account or payment platform. HTPBE? is an additional fraud-detection tool, not a replacement for checking your real account balance.
Our PDF modification detection system provides high accuracy through multi-layer analysis combining metadata validation, structural analysis, and signature verification. The accuracy depends on several factors: the quality of PDF metadata, the sophistication of modification attempts, and the PDF creation tools used.
Results come in three states: Intact (no signs of modification found), Modified (modification detected), and Cannot Determine (the PDF was created with consumer software such as Microsoft Word or LibreOffice — integrity analysis does not apply to documents created with these tools).
There is one fundamental limitation to understand: the tool detects post-creation modifications, not fabricated content. If someone creates a fake invoice or certificate from scratch in Word and exports it to PDF, that PDF will show as Intact — because it was never modified after creation. The check only tells you whether the file was changed after it was generated, not whether the data inside it is truthful. See Can someone create a fake document from scratch? for details.
For critical decisions, we recommend using this tool as part of a broader fraud-detection strategy rather than relying solely on automated results.
Our PDF authenticity checker accepts PDF files up to 10 megabytes (10 MB) in size. This limit ensures fast analysis and optimal performance for most common PDF documents including contracts, certificates, invoices, reports, and academic documents.
Files exceeding this limit will be rejected with an error message. If you need to check larger PDF files, consider splitting them into smaller documents or compressing the PDF before upload.
The 10 MB limit applies to the original file size before any processing. Our free PDF tamper detection service is designed to handle typical document sizes efficiently while maintaining quick response times and reliable analysis results for PDF modification detection.
HTPBE? analyzes four layers of evidence: metadata (creation and modification timestamps, creator/producer applications), file structure (incremental update sections, cross-reference tables), digital signatures (presence, validity, post-signature modifications), and embedded content (JavaScript, hidden file attachments).
What you see is one of three results: Intact (no modification detected), Modified (modification detected), or Cannot Determine (the PDF was created with consumer software such as Microsoft Word, LibreOffice, or a print-to-PDF driver). The detailed metadata and findings on the result page explain the reasoning behind each outcome.
Our PDF modification detection system can identify most common types of PDF alterations including:
The most important limitation is not technical — it is fundamental: the tool detects modifications to existing PDF files. It cannot detect documents created from scratch with false content. If someone creates a fake bank statement in Microsoft Word and exports it to PDF, the result will show as Intact, because the file was never modified after creation. Always check the creation date and consider the document’s claimed origin alongside the analysis result.
Additionally, PDFs created with consumer software (Microsoft Word, LibreOffice, Google Docs, print-to-PDF drivers) will show a Cannot Determine result rather than Intact, because anyone can create any document from scratch with these tools.
Other technical limitations: password-protected PDFs cannot be analyzed, extremely sophisticated manipulation techniques using specialized tools may sometimes evade detection, and PDFs with corrupted metadata may produce unexpected results. For critical legal or financial documents, use our service alongside other fraud-detection methods.
PDF authenticity checking typically completes within a few seconds for most documents. The analysis time depends on file size, complexity, and server load.
Typical processing times:
The multi-layer PDF tamper detection process includes metadata extraction, structural analysis, and signature fraud detection—all optimized for speed. You'll see real-time progress updates during upload and analysis.
Our PDF modification detection service is designed for instant results, allowing you to quickly check document integrity without waiting. If analysis takes longer than expected, it may indicate a complex PDF structure or temporary server load, but most PDF authenticity checks complete rapidly.
PDF metadata is embedded information within a PDF file that includes creation date, modification date, creator application, producer application, PDF version, title, author, subject, keywords, and other document properties.
This metadata is crucial for PDF authenticity analysis because it provides a digital fingerprint of the document’s history. When someone edits a PDF, metadata often changes—modification dates update, producer information may change, and structural elements can be altered.
Our PDF authenticity checker analyzes this metadata to detect inconsistencies that suggest tampering. For example, if a PDF shows a creation date after its modification date, or if the producer tool doesn’t match the creator tool in expected ways, these anomalies indicate potential PDF modification.
Understanding PDF metadata helps you interpret analysis results and make informed decisions about document integrity and authenticity.
Yes, our PDF authenticity analysis service can analyze legal documents, but results should be interpreted carefully. The PDF modification detection provides technical evidence about document integrity based on metadata and structural analysis.
However, for legal proceedings, you may need additional fraud detection methods including expert witness testimony, forensic document examination, or certified PDF analysis. Our service helps identify potential issues with legal PDFs such as contracts, agreements, or court documents, but the results are indicative rather than definitive legal proof.
We recommend consulting with legal professionals about how PDF authenticity analysis results can support your case. The detailed analysis report can serve as supporting evidence, but it should be part of a comprehensive document fraud detection strategy rather than the sole basis for legal decisions.
In PDF metadata, Creator refers to the application that originally created the document content (like Microsoft Word, Google Docs, or Adobe InDesign), while Producer refers to the application that converted or last saved the document to PDF format (like Adobe Acrobat, PDF printer, or online converters).
This distinction is important for PDF authenticity checking because mismatches between Creator and Producer can indicate document modification. For example, a document created in Word but saved as PDF through a different tool shows different Creator and Producer values—this is normal.
However, if our PDF modification detection finds unexpected changes in these values or timestamps that don’t align with the document history, it may suggest tampering. Understanding Creator vs Producer helps interpret PDF tamper detection results and identify potential document integrity issues.
No, our PDF authenticity checker does not read or store your document content. While we temporarily load the PDF file into memory for technical analysis, we only examine file structure, metadata, and PDF formatting information—never extracting or reading the actual text, images, or content within your PDF files.
This privacy-focused approach means sensitive documents remain completely confidential. The PDF tamper detection process examines file structure, creation/modification dates, creator/producer information, digital signatures, and structural elements like xref tables and incremental updates.
We extract metadata such as filename, file size, page count, and PDF version, but never access or extract document content. This makes our PDF modification detection service safe for confidential documents including contracts, financial statements, personal records, and proprietary information. Your document content is never read, extracted, or stored—only technical metadata and structural information that helps determine PDF authenticity.
Incremental updates in PDF files occur when changes are saved to a PDF without rewriting the entire file. Instead, modifications are appended to the end of the file, creating multiple versions within a single PDF.
This is significant for PDF authenticity checking because incremental updates can indicate document modification history. Our PDF modification detection system analyzes these incremental updates to identify when and how a PDF was changed.
Multiple incremental updates may suggest frequent editing or tampering attempts. However, some legitimate PDF creation workflows also use incremental updates, so our PDF tamper detection considers context when interpreting these findings.
The presence of incremental updates doesn’t automatically mean tampering—it’s one factor in our comprehensive PDF authenticity analysis that helps build a complete picture of document integrity and modification history.
While our PDF authenticity checker detects most common modification methods, sophisticated PDF editing techniques using specialized tools may sometimes evade detection. Advanced users with deep PDF knowledge could potentially modify documents in ways that minimize metadata changes or structural anomalies.
However, such modifications typically require significant technical expertise and specialized software. Our multi-layer PDF tamper detection approach analyzes multiple detection vectors including metadata consistency, structural integrity, signature fraud detection, and modification traces—making it difficult to modify PDFs without leaving some evidence.
For critical documents, we recommend using our PDF modification detection alongside other fraud detection methods. The detailed findings help identify suspicious patterns even when modifications are sophisticated. No PDF authenticity checking system is 100% foolproof, but our comprehensive analysis provides strong protection against most common tampering attempts.
Results come in three states:
Important: “Intact” does not mean “authentic.” It means the PDF was not modified after it was created. A document created from scratch with false data will also show as Intact — because it was never modified, it was simply created with false content. To understand this limitation fully, see: Can someone create a fake document from scratch?
On the result page you also see detailed metadata (creation date, modification date, creator, producer) and structural findings. These help you understand why the service gave a particular result. If the result seems unexpected, consider the PDF’s creation workflow and whether any modifications were authorized.
For important decisions, use this result as part of a broader fraud-detection strategy rather than the sole factor.
Our PDF authenticity checker supports most standard PDF formats including PDF 1.3 through PDF 2.0, linearized PDFs, PDF/A (archival format), and PDF/X (print format). While older versions (PDF 1.0-1.2) may work, analysis is most reliable with PDF 1.3 and newer.
The PDF tamper detection system can analyze PDFs created by any standard PDF creation tool including Adobe Acrobat, Microsoft Office, Google Docs, LibreOffice, online PDF converters, and specialized PDF software.
Some limitations apply: password-protected or encrypted PDFs cannot be analyzed, corrupted PDFs may fail to process, and non-standard PDF variants might produce unexpected results. Our PDF modification detection works best with standard, unencrypted PDF files following ISO 32000 specifications.
Each PDF authenticity check generates a unique, permanent URL that you can share with others to view the analysis results. After uploading your PDF and completing the PDF tamper detection, you'll receive a results page with a shareable link (format: htpbe.tech/result/[unique-id]).
This link provides full access to the analysis including modification status, metadata details, and all findings. You can share this link via email, messaging apps, or embed it in documents. The results page includes social sharing buttons for easy distribution.
Recipients don’t need accounts or special access—the link works for anyone. This makes it easy to share PDF modification detection results with colleagues, clients, or legal professionals.
Note: The shared link shows analysis results only, not the original PDF file, maintaining privacy while enabling collaboration on PDF authenticity analysis.
Your uploaded PDF file is stored temporarily in secure cloud storage (Vercel Blob) during the analysis process. Files are automatically deleted approximately one hour after upload as part of Vercel's standard retention policy.
We do not manually delete files immediately after analysis because this allows you time to re-check results if needed. However, the automatic cleanup ensures your files don’t remain stored indefinitely.
Important: We only retain the analysis results and metadata permanently in our database—never the actual PDF file content. This includes information like filename, file size, creation date, modification date, and detected findings. The original PDF file itself is automatically purged from storage after approximately one hour.
This approach balances security, privacy, and functionality while complying with data retention best practices.
A PDF showing as “modified” doesn’t necessarily mean someone tampered with the content. Many legitimate actions create modifications that our PDF authenticity checker detects:
Our system detects any structural changes after the PDF was originally created. This is intentional—it helps you know the document’s complete history. A “modified” result doesn’t automatically mean fraud or tampering; it means the file has a history beyond its initial creation.
Review the detailed findings on the results page to understand what specific changes were detected and whether they align with your document’s known history.
Analysis results are stored permanently in our database. Once you upload and analyze a PDF, the results remain accessible indefinitely at the unique URL (htpbe.tech/result/[unique-id]).
This permanent storage has several benefits:
What is stored permanently: Analysis metadata, modification verdict, creation/modification dates, creator/producer information, structural findings, and detection results.
What is NOT stored permanently: The actual PDF file content. As mentioned in our privacy policy, uploaded PDF files are automatically deleted from storage approximately one hour after upload. Only the analysis results remain.
This approach ensures you have long-term access to detection results while protecting your document privacy and minimizing storage of sensitive file content.
No, you cannot view or download your original PDF file from the results page. The results page displays only the analysis metadata and findings—not the document itself.
This is a deliberate privacy and security feature. We do not store PDF file content permanently, and we do not provide access to uploaded files after analysis completes. Uploaded PDF files are automatically deleted from storage approximately one hour after upload.
The results page shows comprehensive analysis information including:
Keep your original PDF file: If you need to reference the actual document later, make sure to keep a copy on your local device. The analysis results are permanent, but access to the original file is not.
This policy protects user privacy by ensuring uploaded documents are not accessible to others through shared result links, even if the link is compromised.
Yes, and this is an important limitation to understand. Our PDF authenticity checker detects modifications to existing PDF files—we cannot determine if a brand-new PDF was created with falsified content.
Example scenario: Someone could:
How to protect yourself: Always pay close attention to the Creation Date shown in the analysis results. Ask yourself:
Additional fraud detection steps for critical documents:
Our service is a powerful tool for detecting tampering with existing files, but it cannot replace human judgment and thorough fraud detection processes. The creation date is your first line of defense against completely fabricated documents.
All dates and times on HTPBE? are displayed in UTC (Coordinated Universal Time) for consistency, accuracy, and transparency. This is an intentional design choice to ensure everyone sees the same absolute time regardless of their location.
What is UTC?
UTC is the global time standard used worldwide. It’s equivalent to GMT (Greenwich Mean Time) and serves as the reference point for all timezones. Unlike local time, UTC never changes with daylight saving time or regional adjustments.
Why We Use UTC:
How to Convert UTC to Your Local Time:
If you need to know what time something was in your timezone:
Common UTC Offsets:
What This Means for You:
When you see a timestamp like “12.02.2026 09:35:21 UTC” on HTPBE?:
Example Scenario:
You upload a PDF at 3:00 PM in New York (UTC-5). The check date shows “20:00 UTC” because:
Someone viewing the same result in Tokyo (UTC+9) also sees “20:00 UTC”, not their local time. This ensures consistency and prevents confusion.
Bottom Line:
UTC display may seem unusual if you’re used to seeing local times, but it’s the professional standard for global systems. It ensures accuracy, eliminates timezone-related errors, and provides a reliable foundation for document fraud detection timestamps.
A creation date slightly after the check time usually means clock drift — a small difference between your computer’s clock and our server’s clock. Computers without automatic time synchronization can drift several minutes fast, so a PDF created on such a device will show a timestamp a few minutes ahead of the actual server time. This is completely normal.
Quick risk guide based on the time difference:
Always evaluate the full picture: the overall modification result, other metadata fields (Creator, Producer), and the context of where the document came from. A 4-minute discrepancy in a payment confirmation from a known client is routine. A 4-day discrepancy in a contract from a new counterparty requires investigation.
Create your account — API key on signup, free test environment on every plan.
From $15/mo. No sales call. Cancel any time.