Contract Tamper Detection API

Q: What's the difference between "modified" and "inconclusive" for a contract?

A modified verdict means the PDF structure contains forensic evidence of post-creation editing — extra xref tables, incremental updates, or post-signature changes. An inconclusive verdict means the contract was generated with consumer software (Microsoft Word, Google Docs) rather than a contract management or e-signature platform. For contracts, inconclusive is also a risk signal — enterprise agreements should not be generated by Word and shared without an institutional signature.

Detect altered contract terms, changed clauses, and post-signing modifications — whether the buyer calls the result a tampered contract or a fake one. Add forensic tamper detection to your contract management or e-signature platform: a single API call flags edited PDFs before execution.

~3 sec

per document

35 checks

forensic layers

From $15

per month

1,500+

docs / month on Growth

Scope

htpbe? analyzes the structural layer of the PDF file — the layer that records every edit, even invisible ones, including modifications applied after a signature. We don’t inspect holograms, phone photos, or ID biometrics, and we don’t replace e-signature platforms or notarisation services. If your fraud problem is a contract PDF altered after signing or fabricated alongside lifted signature images, we’re the most specific tool for it.

A properly e-signed contract should yield INTACT or MODIFIED-with-signature-broken — never INCONCLUSIVE. INCONCLUSIVE on a "signed" contract is itself a flag.

Contract fraud survives e-signature workflows

E-signature platforms verify that a document was signed, not that it has not been modified since. A common attack: one party signs a contract, the other side opens the PDF in Adobe Acrobat, modifies a clause or payment term, and submits the altered version as the “executed” agreement.

In disputes, the altered contract is presented as legitimate. Without forensic analysis, it is difficult to prove which version was the original and which was modified. Digital signature bypass — where the signature page is preserved but content around it is changed — is especially hard to detect visually.

htpbe? analyzes the binary structure of the PDF, not its visual content. It detects post-signature modifications with “certain” confidence — the highest verdict level in the system — making it suitable for pre-execution tamper checks and dispute investigation.

Common contract fraud patterns

Payment terms changed after signature (amount, due date, account)
Liability clause modified to shift risk
Signature page preserved, contract body replaced
Governing law or jurisdiction clause altered
Delivery obligations or SLA terms changed
Contract date back-dated to claim priority

Forensic signals analyzed in every contract

Five layers of analysis run on every request — results in under 3 seconds

Modifications after signature

The highest-confidence signal: content added to a digitally signed contract. htpbe? returns “certain” confidence when it detects changes that were appended after a valid signature was applied.

Signature removal detection

A signature page can be stripped from a contract and the document re-circulated. htpbe? detects structural evidence of removed signature blocks, also flagged at “certain” confidence.

Incremental update chain

PDF editors append changes to the file rather than rewriting it. Each editing session creates an incremental update record. A contract with multiple incremental updates was modified after original generation.

Execution date inconsistency

The ModDate metadata field updates automatically when a PDF is edited. If the ModDate is later than the contract’s stated execution date or signature date, the document was modified after signing.

Producer tool mismatch

Contracts generated by DocuSign, Adobe Sign, or contract management platforms have consistent producer fields. A producer showing an online PDF editor indicates post-signature processing.

Cross-reference table analysis

Each time a PDF is saved after modification, a new xref table is appended. An authentic, unmodified contract has exactly one xref table. Multiple tables confirm post-generation editing.

Built for legal tech and contract platforms

Add forensic tamper detection to your existing contract lifecycle workflow

Detect content changes made after a contract was digitally signed

Identify incremental updates that indicate post-execution clause modifications

Flag contracts where metadata dates are inconsistent with stated execution dates

Catch signature removal — where a signature page was stripped and the contract re-sent

Integrate into contract lifecycle management and e-signature platforms

Works on any PDF contract — no template matching or original document required

Five forensic layers, one deterministic verdict

Every PDF we receive passes through the same structural pipeline — no model training, no thresholds to tune.

Metadata analysis

Creation and modification timestamps, producer and creator fields, XMP metadata — the first layer exposes basic tampering.

File structure

Xref tables, trailer chain, incremental updates. Any edit after export leaves a structural fingerprint here.

Digital signatures

Signature chain integrity and post-signature modifications produce deterministic markers. Certainty-level signal.

Content integrity

Fonts, objects, embedded content, page assembly. Multi-session edits and inserted objects are visible at this layer.

Verdict with markers

Deterministic output: INTACT / MODIFIED / INCONCLUSIVE, with named markers for every finding — suitable for audit trail.

See the full 35-check breakdown

Customer Stories

Teams that stopped document fraud

Compliance, finance, and risk teams use htpbe? to catch manipulated PDFs before they become costly mistakes.

Caught an invoice where the total had been changed by less than a thousand dollars. Without this I would have approved it without a second look.

Sarah M.

AP Manager

United States

We had three applicants in the same week with bank statements that looked completely fine. Two of them were flagged as modified. You simply cannot see this by reading the document — it is in the file structure.

Lars V.

Risk Analyst, Online Lending

Netherlands

Salary slips were coming with altered figures. We identified two problematic files before the placement was finalised.

Priya K.

HR Operations Lead

India

Since we started checking documents this way, we stopped two applications early in the process that would have been very difficult to reverse later.

Julien R.

Fraud Analyst, Fintech

France

Some applicants were sending PDFs that looked authentic but had been edited in ways not visible to the eye. We now ask for verified originals when something is flagged. Already saved us from a few bad decisions.

Marta S.

Compliance Coordinator

Spain

One invoice was caught because there was a mismatch between the document dates and structure. That particular case would have cost us significantly.

Tariq A.

Finance Manager

United Arab Emirates

Integrate in minutes

Two calls: POST the PDF URL, then GET the result with specific markers that triggered the verdict.

Request

bash

curl -X POST https://api.htpbe.tech/v1/analyze \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://your-storage.com/service-agreement-2024.pdf"}'

Result (GET /v1/result/{id})

json

{
  "id": "3f9c8b7a-2e1d-4c5f-9b8e-7a6d5c4b3a21",
  "status": "modified",
  "modification_confidence": "certain",
  "modification_markers": [
    "Modifications detected after digital signature"
  ],
  "producer": "Adobe Acrobat 24.0",
  "creation_date": 1728385200,
  "modification_date": 1728461700,
  "has_digital_signature": true,
  "signature_count": 1,
  "modifications_after_signature": true,
  "xref_count": 2,
  "has_incremental_updates": true
}

Confidence levels: certain means the PDF structure mathematically proves modification (post-signature content, removed signatures, date mismatch). high means strong forensic markers are present. none means no modification detected. When status is inconclusive, the file was created with consumer software that does not embed institutional metadata — a signal in itself for contracts, which should come from institutional systems.

Pricing

Self-serve plans. No sales call, no procurement process.

Starter

$15/mo

30 checks/mo

Manual spot-checks for contract review workflows

Growth

$149/mo

350 checks/mo

Contract platforms and legal operations teams

Pro

$499/mo

1,500 checks/mo

Contract management platforms and legal tech

Enterprise (unlimited, on-premise available) — see full pricing and docs

Secure your workflow View API docs

API key on signup. Free test environment on every plan. No card required.

Frequently Asked Questions

What's the difference between "modified" and "inconclusive" for a contract?

A modified verdict means the PDF structure contains forensic evidence of post-creation editing — extra xref tables, incremental updates, or post-signature changes. An inconclusive verdict means the contract was generated with consumer software (Microsoft Word, Google Docs) rather than a contract management or e-signature platform. For contracts, inconclusive is also a risk signal — enterprise agreements should not be generated by Word and shared without an institutional signature.

Can it detect clause changes if no digital signature was used?

Yes. Digital signature bypass is the highest-confidence signal (certain), but htpbe? detects post-creation modifications on unsigned contracts too. It looks for multiple xref tables, incremental update chains, producer field inconsistencies, and modification dates that post-date the stated execution date. Most contract fraud involves unsigned PDFs or PDFs where the signature page is kept intact while the body is changed.

Does it verify the identity of signatories?

No. htpbe? detects document tampering, not signatory identity. It can confirm that a digital signature exists and that no content was modified after signing — but it does not verify whether the signatory is who they claim to be. For identity verification, use an identity platform (Onfido, Jumio) alongside htpbe? for document tamper detection.

How does it handle contracts with multiple revision versions?

htpbe? analyzes the final submitted PDF — not revision history. If a contract went through multiple drafts and the final version was properly generated from a clean save, it will typically return intact. If the final version was produced by editing a previous PDF version (rather than generating fresh from a contract system), the editing traces will be visible in the structure. For version-controlled contracts, the key question is whether the final file was generated cleanly or assembled by editing.

Secure your workflow

Create your account — API key on signup, free test environment on every plan.
From $15/mo. No sales call. Cancel any time.

Secure your workflow View API docs

Integrate contract tamper detection in any stack

Two API calls — submit the signed contract PDF, read the verdict. Copy-paste examples for cURL, JavaScript, Python, PHP, Go, and Ruby.

bash

# Step 1: Submit PDF for analysis
curl -X POST https://api.htpbe.tech/v1/analyze \
  -H "Authorization: Bearer htpbe_live_..." \
  -H "Content-Type: application/json" \
  -d '{"url": "https://example.com/document.pdf"}'
# Returns: {"id":"3f9c8b7a-2e1d-4c5f-9b8e-7a6d5c4b3a21"}

# Step 2: Retrieve full results
ID="3f9c8b7a-2e1d-4c5f-9b8e-7a6d5c4b3a21"
curl -s "https://api.htpbe.tech/v1/result/$ID" \
  -H "Authorization: Bearer htpbe_live_..." \
  | jq '.status'