Compliance & Digital Signatures

Digital sign-off on completed work orders for ISO 9001 and FDA 21 CFR Part 11 compliance, with tamper-evident HMAC signatures and PDF certificate generation.

Sign off a work order

POST /work-orders/{work_order_id}/signoffs

Auth: Bearer JWT (admin, operator)

Requires password re-authentication for non-repudiation.

curl -X POST https://api.haltless.io/api/v1/work-orders/WO_ID/signoffs \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"password": "your_current_password"}'

Response 201:

{
"id": "uuid",
"work_order_id": "uuid",
"signed_by": "uuid",
"signer_name": "Jane Smith",
"signer_role": "admin",
"signature_hash": "a1b2c3d4e5f6...",
"signed_at": "2026-04-04T12:00:00Z",
"created_at": "2026-04-04T12:00:00Z"
}

Requirements:

  • Work order must have status completed
  • Maximum 20 sign-offs per work order
  • Password must match the current user's password

Signature: An HMAC-SHA256 hash computed over a canonical JSON payload containing the work order details, signer information, and timestamp. This provides tamper-evidence: any modification to the signed data produces a different hash, which the verify endpoint detects. Because HMAC is a symmetric construction, anyone holding the signing key can produce a valid hash, so the signature attests integrity relative to the key holder (the service) rather than identifying the signer on its own; the link to a person comes from the password re-authentication and the signer identity recorded on the sign-off. Keep the signing key server-side and restrict access to it accordingly.

List sign-offs

GET /work-orders/{work_order_id}/signoffs

Auth: Bearer JWT (any role)

Returns all sign-offs for a work order, newest first.

Verify a sign-off

GET /work-orders/{work_order_id}/signoffs/{signoff_id}/verify

Auth: Bearer JWT (any role)

Recomputes the HMAC signature and performs a constant-time comparison against the stored hash.

{
"signoff_id": "uuid",
"is_valid": true,
"detail": "Signature verification passed. The sign-off record has not been tampered with."
}

If tampered:

{
"signoff_id": "uuid",
"is_valid": false,
"detail": "Signature mismatch detected. The sign-off record may have been altered."
}
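The signing and verification steps described above (the HMAC-SHA256 over canonical JSON from the sign-off section, and the recompute-and-compare-in-constant-time behaviour of the verify endpoint), as an added reference implementation. This is example code, not the service's own implementation: the exact field set covered by the signature, the extra work-order fields (work_order_title, work_order_status), the key value and the sample record are assumptions; the page only states that the payload contains work order details, signer information and the timestamp.

```python
"""Reference implementation of the sign-off HMAC scheme described on this page.
Added example: field set, key handling and sample data are assumptions, not
the service's code."""
import hashlib
import hmac
import json
from typing import Any, Dict

# Assumed server-side secret. A real deployment loads a random 32-byte key from a
# secret store; the key never leaves the server, so clients can only call /verify.
SIGNING_KEY = b"example-key-replace-with-32-random-bytes"

# Assumed field set covered by the signature: work order details, signer
# information and timestamp, as the page describes. The id/created_at columns are
# left out here because they are bookkeeping, not attested content.
SIGNED_FIELDS = (
    "work_order_id", "work_order_title", "work_order_status",
    "signed_by", "signer_name", "signer_role", "signed_at",
)

VALID_DETAIL = "Signature verification passed. The sign-off record has not been tampered with."
INVALID_DETAIL = "Signature mismatch detected. The sign-off record may have been altered."


def canonical_payload(record: Dict[str, Any]) -> bytes:
    """Canonical JSON: fixed field set, sorted keys, no whitespace, ASCII escapes.
    Any deviation (key order, spacing, unicode handling) changes the hash, so the
    signer and the verifier must apply exactly the same rules."""
    subset = {name: record[name] for name in SIGNED_FIELDS}  # KeyError if a field is missing
    return json.dumps(subset, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode("utf-8")


def compute_signature(record: Dict[str, Any], key: bytes = SIGNING_KEY) -> str:
    """HMAC-SHA256 over the canonical payload, hex encoded like signature_hash."""
    return hmac.new(key, canonical_payload(record), hashlib.sha256).hexdigest()


def sign(record: Dict[str, Any], key: bytes = SIGNING_KEY) -> Dict[str, Any]:
    """Server side of POST .../signoffs: attach signature_hash to a new record."""
    signed = dict(record)
    signed["signature_hash"] = compute_signature(record, key)
    return signed


def verify(record: Dict[str, Any], key: bytes = SIGNING_KEY) -> Dict[str, Any]:
    """Server side of GET .../signoffs/{id}/verify: recompute, compare in constant time."""
    try:
        expected = compute_signature(record, key)
    except KeyError:
        # A stripped or renamed signed field is a tampered record, not an internal error.
        return {"signoff_id": record.get("id"), "is_valid": False, "detail": INVALID_DETAIL}
    stored = str(record.get("signature_hash", ""))
    # compare_digest does not stop at the first differing byte, so response timing
    # reveals nothing about how much of a forged hash was correct.
    is_valid = hmac.compare_digest(expected.encode("ascii"), stored.encode("utf-8"))
    return {"signoff_id": record.get("id"), "is_valid": is_valid,
            "detail": VALID_DETAIL if is_valid else INVALID_DETAIL}


# Constructed sample record in the shape of the 201 response, plus the assumed
# work-order fields. All identifiers are made up.
SAMPLE_RECORD = {
    "id": "5e0b2c1a-1111-4c2d-9a1e-0000000000aa",
    "work_order_id": "0d9f6e2b-2222-4f3a-8b7c-0000000000bb",
    "work_order_title": "Replace spindle bearing, CNC-07",
    "work_order_status": "completed",
    "signed_by": "c4a1e9d0-3333-4e5f-a6b7-0000000000cc",
    "signer_name": "Jane Smith",
    "signer_role": "admin",
    "signed_at": "2026-04-04T12:00:00Z",
    "created_at": "2026-04-04T12:00:00Z",
}


def demo() -> Dict[str, bool]:
    """Sign the sample, verify it, then verify two tampered copies."""
    signed = sign(SAMPLE_RECORD)
    role_changed = dict(signed, signer_role="operator")          # privilege claim altered
    backdated = dict(signed, signed_at="2026-04-01T12:00:00Z")   # timestamp altered
    return {
        "original": verify(signed)["is_valid"],
        "role_changed": verify(role_changed)["is_valid"],
        "backdated": verify(backdated)["is_valid"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints `original: true` and `false` for both tampered copies. The canonical form is what makes the scheme reproducible: the same record serialized with a different key order yields the same hash, while any change to a signed field, or removing one, fails verification.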

Download certificate

GET /work-orders/{work_order_id}/certificate

Auth: Bearer JWT (any role)

Downloads a PDF maintenance completion certificate containing:

  • Work order details (title, machine, dates, status)
  • All digital signatures with signer names, roles, and timestamps
  • HMAC verification status for each signature
  • QR code or reference number for audit traceability

Response: application/pdf