Security practices

Token access

Signer links are represented as unique tokens with expired, voided, signed, and declined states.

Audit trail

Events capture actor, provider, IP, user agent, UTC source time, and NPT display time.
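The token states and audit fields described above, combined in one sketch. This is an added example, not the project's own code. It assumes NPT means Nepal Time (UTC+05:45), an open state called "active", and made-up function names, field names and sample values.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NPT = timezone(timedelta(hours=5, minutes=45), "NPT")   # assumption: NPT = Nepal Time
TERMINAL = {"expired", "voided", "signed", "declined"}  # the states named on this page

@dataclass
class SignerToken:
    value: str
    expires_at: datetime   # timezone-aware UTC
    state: str = "active"  # assumed name for a link that is still usable

def audit_event(action, actor, provider, ip, user_agent, now):
    """Keep the UTC instant as the record of truth; NPT is derived for display only."""
    return {
        "action": action, "actor": actor, "provider": provider,
        "ip": ip, "user_agent": user_agent,
        "utc_time": now.astimezone(timezone.utc).isoformat(),
        "npt_display": now.astimezone(NPT).strftime("%Y-%m-%d %H:%M NPT"),
    }

def redeem(token, presented, action, ctx, now, log):
    """Apply 'sign' or 'decline' to a signer link; every attempt is logged."""
    if not hmac.compare_digest(token.value.encode(), presented.encode()):
        outcome = "rejected:unknown_token"   # constant-time compare, no state change
    elif token.state in TERMINAL:
        outcome = f"rejected:{token.state}"  # terminal states are never reopened
    elif now >= token.expires_at:
        token.state = "expired"
        outcome = "rejected:expired"
    else:
        token.state = {"sign": "signed", "decline": "declined"}[action]
        outcome = token.state
    log.append(audit_event(outcome, now=now, **ctx))
    return outcome

def demo():
    t0 = datetime(2024, 1, 1, 18, 30, tzinfo=timezone.utc)  # constructed sample time
    ctx = {"actor": "signer@example.test", "provider": "email-otp",
           "ip": "203.0.113.7", "user_agent": "ExampleBrowser/1.0"}  # constructed
    tok = SignerToken(secrets.token_urlsafe(32), t0 + timedelta(hours=72))
    log = []
    results = [redeem(tok, tok.value, "sign", ctx, t0, log),
               redeem(tok, tok.value, "sign", ctx, t0 + timedelta(minutes=1), log)]
    return results, log
```

The sample time is chosen so the NPT display falls on the next calendar day, which is why the UTC value and not the display string should be used for ordering and comparison.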

PKI context

Certificate verification is simulated; real CA trust, OCSP/CRL, and PAdES signing are future backend work.