Verifying report integrity

Updated 11 July 2026 3 min read

Verifying report integrity

Every report Accupe generates is hash-stamped at the moment it's created, so you, or anyone you share it with, can confirm later that the file hasn't been altered. This is the integrity verification feature.

How to verify a report from inside Accupe

  1. Go to the Reports page (Dashboard > Reports).
  2. Find the report in the table. Each row shows a truncated hash under the title, a hash icon followed by the first twelve characters of the SHA-256 hash.
  3. Select the Verify integrity action on that row (the shield icon).
  4. The "Verify report integrity" dialog opens and re-downloads the stored file, recomputing its SHA-256 hash on the spot. While this runs you'll see "Re-downloading and recomputing SHA-256…".
  5. You'll get one of two results:
  • A green banner reading "Hash matches. Report is intact." if the recomputed hash matches the one recorded when the report was generated.
  • A red banner reading "Hash mismatch. Report may have been tampered with." if it doesn't.
  1. Below the result, a detail list shows the Report ID, Type, full SHA-256 hash, Generated date, TSA stamp (only if the report has one), and the time you ran the check.

The TSA column

Back on the main reports table, the TSA column shows one of two icons: a green shield with a checkmark, with a tooltip telling you exactly when the report was timestamp-authority stamped, or a grey shield with an alert mark and the tooltip "No TSA timestamp" if it wasn't.

If a report does carry a TSA reply, the verify dialog adds a note explaining that anyone can check the timestamp imprint independently of Accupe, offline, against the timestamp authority's certificate chain, using standard OpenSSL timestamp verification tooling.

Sharing verification outside Accupe

Every generated report's footer prints a public verification link, built from the accupe.com domain plus a verify path and the report's ID. Anyone with that link, including a regulator or auditor who doesn't have an Accupe login, can run the same integrity check without signing in. That public endpoint deliberately returns only the integrity result and nothing about your firm, its clients, or any related entity IDs, so it's safe to hand the link to a third party outside your organisation.

The public verification endpoint is rate-limited to 20 requests per minute per IP address. A well-formed report ID that simply doesn't exist returns a 404 with no further detail, and a garbled or non-UUID ID is rejected the same way before it ever reaches the database, so probing the endpoint with guessed IDs can't reveal which real report IDs exist.

What a mismatch means

A hash mismatch means the bytes currently in storage no longer match what was recorded when the report was generated. Treat this as a signal to regenerate the report and investigate rather than continue sharing the existing file.

Note: Verification only confirms the file's byte-for-byte integrity against the hash captured at generation time. It doesn't check the accuracy of the underlying data, only that the document itself hasn't been altered since Accupe created it.