Invoice Tamper Detection API
Detect tampered or fake invoices before payment. A single API call reveals whether a PDF invoice was modified after generation or fabricated from scratch — catching altered amounts, swapped payee details, changed account numbers, and supplier-impersonation invoices that eyes miss.
Scope
htpbe? analyzes the structural layer of the PDF file — the layer that records every edit, even invisible ones. We don’t inspect holograms, phone photos, or ID biometrics. If your AP fraud problem is a digitally tampered or fabricated invoice PDF, we’re the most specific tool for it.
When htpbe? returns INCONCLUSIVE on an invoice, that’s itself a fraud signal in this context — real vendor invoices come from accounting software (QuickBooks, Xero, SAP, NetSuite, Zoho), e-invoicing platforms, or ERP systems, never from a desktop tool.
Why altered invoices pass manual review
A fraudster intercepts a legitimate invoice PDF, opens it in a free online editor, changes the bank account number or payment amount, and sends the modified file. Visually, the invoice looks identical — same logo, same layout, same font.
The modification is invisible to the human eye but not to a forensic analyzer. PDF editors leave structural traces: extra xref tables, incremental update records, and metadata timestamps that do not match. htpbe? surfaces these traces automatically.
According to the Association of Certified Fraud Examiners, billing fraud accounts for 43% of all occupational fraud cases. A single prevented fraudulent payment typically covers months of API subscription costs.
Typical invoice fraud scenario
- 1Vendor sends a legitimate invoice PDF via email
- 2Attacker intercepts or spoofs the vendor’s email account
- 3PDF opened in iLovePDF, SmallPDF, or Adobe Acrobat
- 4Bank account number or amount edited
- 5Modified file forwarded to AP team
- 6Payment sent to fraudster’s account
What the API detects in invoice PDFs
Five forensic layers analyzed on every request
Multiple xref tables
An unmodified invoice has one xref table. A second table means content was added after the original save — the most common marker of invoice tampering.
Incremental update chain
PDF editors append changes without rewriting the original bytes. htpbe? counts the update chain length — one update is unusual, two or more is highly suspicious.
Producer/creator mismatch
Genuine invoices are generated by accounting software (QuickBooks, Xero, SAP). If the producer field shows a PDF editor (iLovePDF, SmallPDF, QPDF), the file was processed after generation.
Date inconsistency
CreationDate and ModDate are metadata fields that PDF editors update automatically. A ModDate weeks after CreationDate on an invoice is a direct tampering signal.
Digital signature bypass
If the original invoice was digitally signed and content was added after signing, htpbe? flags it as modified with “certain” confidence — the highest possible verdict.
Tool fingerprint analysis
Every PDF tool leaves a distinct fingerprint in the file structure. htpbe? cross-references against a database of 200+ known tools to detect editing software.
Built for finance teams and AP automation
Integrate into your approval workflow or use the free web tool for manual checks
Catch altered payment amounts, IBAN and account numbers before wire transfer
Detect when a legitimate invoice PDF was opened in an editor and re-saved
Flag invoices where metadata dates contradict the stated invoice date
Identify incremental updates — the primary technique for invisible PDF editing
Integrate into AP automation workflows via a single REST call
Free web tool lets your team check suspicious invoices for tampering without writing code
Five forensic layers, one deterministic verdict
Every PDF we receive passes through the same structural pipeline — no model training, no thresholds to tune.
Metadata analysis
Creation and modification timestamps, producer and creator fields, XMP metadata — the first layer exposes basic tampering.
File structure
Xref tables, trailer chain, incremental updates. Any edit after export leaves a structural fingerprint here.
Digital signatures
Signature chain integrity and post-signature modifications produce deterministic markers. Certainty-level signal.
Content integrity
Fonts, objects, embedded content, page assembly. Multi-session edits and inserted objects are visible at this layer.
Verdict with markers
Deterministic output: INTACT / MODIFIED / INCONCLUSIVE, with named markers for every finding — suitable for audit trail.
Customer Stories
Teams that stopped document fraud
Compliance, finance, and risk teams use htpbe? to catch manipulated PDFs before they become costly mistakes.
Caught an invoice where the total had been changed by less than a thousand dollars. Without this I would have approved it without a second look.
Sarah M.
AP Manager
United States
We had three applicants in the same week with bank statements that looked completely fine. Two of them were flagged as modified. You simply cannot see this by reading the document — it is in the file structure.
Lars V.
Risk Analyst, Online Lending
Netherlands
Salary slips were coming with altered figures. We identified two problematic files before the placement was finalised.
Priya K.
HR Operations Lead
India
Since we started checking documents this way, we stopped two applications early in the process that would have been very difficult to reverse later.
Julien R.
Fraud Analyst, Fintech
France
Some applicants were sending PDFs that looked authentic but had been edited in ways not visible to the eye. We now ask for verified originals when something is flagged. Already saved us from a few bad decisions.
Marta S.
Compliance Coordinator
Spain
One invoice was caught because there was a mismatch between the document dates and structure. That particular case would have cost us significantly.
Tariq A.
Finance Manager
United Arab Emirates
Integrate in minutes
Two calls: POST the PDF URL, then GET the forensic verdict. No SDK required.
Request
curl -X POST https://api.htpbe.tech/v1/analyze \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"url": "https://your-storage.com/invoice-2024-1045.pdf"}'Result (GET /v1/result/{id})
{
"id": "3f9c8b7a-2e1d-4c5f-9b8e-7a6d5c4b3a21",
"status": "modified",
"modification_confidence": "high",
"modification_markers": [
"Multiple cross-reference tables (incremental updates)"
],
"creator": "QuickBooks Online",
"producer": "Adobe Acrobat 23.0",
"creation_date": 1730451120,
"modification_date": 1731606180,
"has_digital_signature": false,
"xref_count": 2,
"has_incremental_updates": true
}The verdict is one of three values: intact (no post-creation modifications detected), modified (forensic markers confirm editing), or inconclusive (created with consumer software — the file lacks institutional metadata needed to detect tampering, which is itself a risk signal). Each verdict comes with a confidence level and the specific markers that triggered it.
Pricing
Self-serve plans. No sales call, no procurement process.
Starter
$15/mo
30 checks/mo
Manual spot-checks and low-volume workflows
Growth
$149/mo
350 checks/mo
Active AP teams processing invoices daily
Pro
$499/mo
1,500 checks/mo
High-volume AP automation and fintech platforms
Enterprise (unlimited, on-premise available) — see full pricing and docs
API key on signup. Free test environment on every plan. No card required.
Frequently Asked Questions
How does the API detect a tampered invoice?
htpbe? analyzes the binary structure of the PDF file — not the visual content. It looks for cross-reference tables added after the original save, incremental update records, producer fields inconsistent with invoicing software (QuickBooks, Xero, SAP), and modification dates that post-date the stated invoice date. These structural traces cannot be removed without creating a new file from scratch.
Can it catch invoice fraud if the original was never signed?
Yes. Digital signature bypass is just one of several detection signals. htpbe? detects xref table counts, incremental updates, producer mismatches, and date inconsistencies on any PDF — regardless of whether a digital signature was ever applied. Most invoice fraud involves unsigned PDFs edited in iLovePDF, SmallPDF, or Adobe Acrobat.
What does "inconclusive" mean for an invoice?
A verdict of inconclusive means the invoice was created with consumer software (Microsoft Word, Google Docs, or a desktop PDF printer) rather than with dedicated invoicing software. The file lacks the institutional metadata needed to detect tampering. This is itself a risk signal — legitimate vendor invoices from established businesses are generated by accounting systems, not Word.
How many invoice checks per month does a typical AP team need?
A team processing 10 invoices per day uses roughly 200 checks per month. The Growth plan (350 checks/mo at $149) covers a mid-size AP workflow with room for spikes. For teams running automated AP automation with batch processing, the Pro plan (1,500 checks/mo at $499) is more appropriate. The free web tool handles manual spot-checks for any volume.
Secure your workflow
Create your account — API key on signup, free test environment on every plan.
From $15/mo. No sales call. Cancel any time.
Integrate invoice fraud detection in any stack
Two API calls — submit the invoice PDF, read the verdict. Copy-paste examples for cURL, JavaScript, Python, PHP, Go, and Ruby.
# Step 1: Submit PDF for analysis
curl -X POST https://api.htpbe.tech/v1/analyze \
-H "Authorization: Bearer htpbe_live_..." \
-H "Content-Type: application/json" \
-d '{"url": "https://example.com/document.pdf"}'
# Returns: {"id":"3f9c8b7a-2e1d-4c5f-9b8e-7a6d5c4b3a21"}
# Step 2: Retrieve full results
ID="3f9c8b7a-2e1d-4c5f-9b8e-7a6d5c4b3a21"
curl -s "https://api.htpbe.tech/v1/result/$ID" \
-H "Authorization: Bearer htpbe_live_..." \
| jq '.status'