Public cryptographic identity

Verify public keys with confidence.

Publish your public keys and prove they're yours. Verify ownership and identity through transparent, time-bound proofs.

Trust fingerprints, not claims.

  • Argon2id: Password hashing
  • SHA-256: Tokens hashed at rest
  • Time-bound: Proofs expire & rotate
  • Zero-trust: Upload ≠ verification

The problem

A key in a profile is not proof.

Anyone can paste a PGP block on their website. Anyone can claim a fingerprint on social media. Without verification, you don't know who controls the private key — or whether the key still should be trusted at all.

  • Comments aren't proof: PGP UIDs and SSH comments are user-set strings and are easily spoofed.
  • Short IDs are dangerous: 32-bit and 64-bit IDs collide. Always match the full fingerprint.
  • Stale keys hurt trust: Without expiry and revocation tracking, a leaked key lives forever.
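
Added example (not pubid.io's code): a local check for an OpenSSH public key that follows the two points above. It fingerprints the key blob only, ignoring the user-set comment, and never matches against a truncated fingerprint. The sample key is constructed, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct

PREFIX = "SHA256:"
FULL_LEN = len(PREFIX) + 43  # 43 = unpadded base64 length of a 32-byte digest


def ssh_fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of one public key line."""
    parts = pubkey_line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64_blob = parts[0], parts[1]  # parts[2], the comment, is ignored
    blob = base64.b64decode(b64_blob, validate=True)
    # The blob begins with a length-prefixed copy of the key type; it must
    # agree with the editable text placed in front of the base64 data.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("declared key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return PREFIX + base64.b64encode(digest).decode().rstrip("=")


def fingerprints_match(expected: str, actual: str) -> bool:
    """Compare full fingerprints only; a truncated value never matches."""
    if len(expected) != FULL_LEN or len(actual) != FULL_LEN:
        return False
    if not (expected.startswith(PREFIX) and actual.startswith(PREFIX)):
        return False
    return hmac.compare_digest(expected.encode(), actual.encode())


def make_sample_line(raw_key: bytes, comment: str) -> str:
    """Build a constructed ssh-ed25519 line (sample data, not a real key)."""
    name = b"ssh-ed25519"
    blob = (struct.pack(">I", len(name)) + name
            + struct.pack(">I", len(raw_key)) + raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    a = make_sample_line(bytes(range(32)), "alice@example.org")
    b = make_sample_line(bytes(range(32)), "someone-else@example.org")
    print(ssh_fingerprint(a) == ssh_fingerprint(b))  # same key, other comment
    print(fingerprints_match(ssh_fingerprint(a)[:15], ssh_fingerprint(a)))
```
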
The solution

Public cryptographic identity, verified.

pubid.io separates the two questions that matter:

  • 1. Key ownership: Prove you control the private key by signing a challenge.
  • 2. Identity verification: Prove the key belongs to a person, email, domain, website, or account.

Both proofs are timestamped, transparent, and independently displayed.

Example status
  • Fingerprint: A4F2 91BC 7E0D 5C3A 8819 …
  • Algorithm: Ed25519
  • Ownership: Verified
  • Identity (domain): pubid.io · verified
  • Identity (email): ian@pubid.io · verified
  • Identity (github): ianm · pending
  • Status: Active

How it works

From upload to trust, in four steps.

  • 01. Upload a key: Paste an OpenPGP block or SSH public key. We canonicalize and fingerprint it.
  • 02. Prove ownership: Sign a one-time challenge with your matching private key. We verify the signature.
  • 03. Verify identity: Link the key to an email, domain, website, or GitHub account via standard proofs.
  • 04. Publish & rotate: Your profile shows live status. Revoke or supersede keys at any time.

Verification methods

Multiple, independent proofs.

Pick the proofs that match your context. Each is recorded with a timestamp and proof type.

  • Email: Tokenized email link (RFC-style)
  • Domain (DNS TXT): Authoritative DNS proof (TXT _pubid.<domain>)
  • Website: Hosted .well-known file (.well-known/pubid.txt)
  • GitHub: Public gist or profile proof (tokenized statement)

Example verification page

Anyone can verify in seconds.

Public profiles show full fingerprints, linked claims, proof methods, last verified time, expiry, and revocation state — with status pills you can read at a glance.

Ian Mattas
@ian · pubid.io
Identity verified
  • Primary key: ed25519 · A4F2 91BC 7E0D …
  • Ownership: Verified · 2024-05-02
  • Domain: pubid.io
  • Email: ian@pubid.io
  • GitHub: ianm · pending

Machine-readable

A first-class API for verification.

Build trust into your software. Query identities, fingerprints, proofs, and key status from anywhere — no auth required for public data.

  • GET /api/profile/[username]
  • GET /api/keys/[fingerprint]
  • GET /api/keys/[fingerprint]/proofs
  • GET /api/keys/[fingerprint]/status
GET /api/profile/ian
{
  "username": "ian",
  "displayName": "Ian Mattas",
  "primaryKey": {
    "fingerprint": "A4F291BC7E0D5C3A8819…",
    "algorithm": "Ed25519",
    "ownershipVerifiedAt": "2024-05-02T18:11:23Z",
    "status": "active"
  },
  "claims": [
    { "type": "email",  "value": "ian@pubid.io", "status": "verified" },
    { "type": "domain", "value": "pubid.io",     "status": "verified" },
    { "type": "github", "value": "ianm",         "status": "pending"  }
  ]
}
Security

Built like an infrastructure product.

  • Argon2id passwords: Memory-hard hashing with sane defaults.
  • Hashed tokens at rest: Reset, verification, and API tokens are SHA-256 hashed.
  • Anti-enumeration: Identical responses across login & signup paths.
  • Step-up auth: Sensitive actions can require re-auth or MFA.
  • Time-bound proofs: Every proof has issued-at and visible age.
  • Audit log: Sensitive actions are recorded for transparency.

Privacy

Public by design — and only what you choose.

Your profile shows the keys and claims you mark public. We never publish your account email unless you explicitly add it as a public claim.

Prove ownership. Verify identity.

Upload is not verification. Make your keys provably yours.