Reference
Trust-layer terms from A to Z.
We explain Trust Level, Challenge, Handover and every related concept in two sentences, with an example and cross-links.

Why a glossary?
SigID uses precise language because verification has to be precise. In this glossary, every key concept follows the same form: two sentences of definition, one concrete example, and cross-references to related terms. If this is your first time working with SigID, the glossary is the fastest path to clarity.
A
Audit Event
An audit event is the immutable record of a business-relevant action in SigID. Each event carries a timestamp, actor, action type, risk level and a hash chaining it to the previous event.
Example
When Ms Schulze changes the IBAN of a supplier, an audit event of type iban.update is created with risk level high and the audit-id of the preceding challenge.
Audit Hash Chain
The audit hash chain links all audit events cryptographically, so any later change to one event invalidates the following hashes. The result is a non-repudiable proof over the order and integrity of all activity.
Example
During the quarterly export for the auditor, the hash chain is compared against a public anchor (Merkle root). If they match, the audit events have not been tampered with.
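The tamper evidence described in the Audit Event and Audit Hash Chain entries, as an added example (not SigID's code). It assumes SHA-256 over canonical JSON, an all-zero starting value, and the hash of the last event standing in for the public anchor; the field names and sample events are constructed.

```python
from __future__ import annotations
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous hash" for the first event

# Constructed sample events carrying the fields the Audit Event entry lists.
SAMPLE_EVENTS = [
    {"ts": "2026-04-01T09:00:00Z", "actor": "user-a", "action": "supplier.read", "risk": "low"},
    {"ts": "2026-04-01T09:05:00Z", "actor": "user-a", "action": "iban.update", "risk": "high"},
    {"ts": "2026-04-01T09:06:00Z", "actor": "user-b", "action": "payment.approve", "risk": "high"},
]


def event_hash(event: dict, prev_hash: str) -> str:
    """Hash the event's fields together with the previous event's hash."""
    # Canonical JSON (sorted keys, fixed separators) so equal content gives equal bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def build_chain(events: list[dict]) -> list[dict]:
    """Return records {"event", "prev", "hash"}, each linked to its predecessor."""
    chain, prev = [], GENESIS
    for ev in events:
        h = event_hash(ev, prev)
        chain.append({"event": ev, "prev": prev, "hash": h})
        prev = h
    return chain


def verify_chain(chain: list[dict], anchor: str) -> int | None:
    """Return None if every link is intact and the last hash equals `anchor`.
    Otherwise return the index of the first bad record, or len(chain) on anchor mismatch."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or event_hash(rec["event"], prev) != rec["hash"]:
            return i
        prev = rec["hash"]
    return None if prev == anchor else len(chain)


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    anchor = chain[-1]["hash"]           # published out of band in this example
    print(verify_chain(chain, anchor))   # intact chain
    chain[1]["event"]["risk"] = "low"    # edit one stored event afterwards
    print(verify_chain(chain, anchor))   # index of the first record that no longer verifies
```

The anchor check matters because someone who can rewrite the whole log can also recompute every later hash; only the externally held value exposes that case.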
Audit-ID
The audit-id is the unique, publicly referenceable identifier of an audit event. It allows third-party systems (ERP, DMS, audit tooling) to reference the case without exposing internal identifiers.
Example
An invoice in the DATEV export carries the audit-id aud_2026Q2_8h3kf2. The auditor can re-verify it via the SigID audit search at any time.
C
Challenge
A challenge is the cryptographic prompt sent to the Trust App to confirm a critical action. It carries context data (such as a new IBAN), is bound via dynamic linking and cannot be silently reused.
Example
Before storing a new supplier IBAN, the backend sends a challenge to the user's Trust App. Only after confirmation via passkey is the IBAN persisted.
D
Document Proof
A document proof is the cryptographic fingerprint of a document, stored inside SigID without requiring the document itself to remain on file. It makes it possible to prove later that a specific file existed at a specific point in time.
Example
After AI extraction of an invoice, SigID only keeps the SHA-256 fingerprint. The PDF can be deleted while later evidence remains verifiable.
Dynamic Linking
Dynamic linking binds the cryptographic signature of a critical action to the concrete transaction data (amount, recipient, IBAN). A signature is therefore valid only for that specific transaction.
Example
Approving a payment of EUR 12,450 to a particular IBAN signs exactly those values, not an abstract token. Even a one-digit change invalidates the signature.
F
FIDO2
FIDO2 is the open authentication standard behind passkeys and hardware tokens. It replaces passwords with cryptographic key pairs whose private half never leaves the device.
Example
The Trust App uses FIDO2 to sign a challenge inside the device's secure enclave. Phishing replays are impossible by design.
Fingerprint
A fingerprint is a cryptographic hash that uniquely references the content of a document, IBAN or product. The fingerprint does not allow reconstruction of the source but supports comparison at any time.
Example
A supplier IBAN is stored as an HMAC hash. During every payment SigID compares the new value against the stored fingerprint and alerts on mismatch.
Four-Eyes Principle
The four-eyes principle requires that critical actions be confirmed by two people. In SigID it is implemented through two consecutive Trust-App signatures.
Example
A payment of EUR 100,000 requires both the accountant's and the managing director's signature. Only then is the final audit event produced.
H
Handover
A handover is the structured transfer of a responsibility between two identities in SigID, for example during vacation cover or a role change. Every handover is time-bounded, audited and revocable at any time.
Example
The head of procurement goes on parental leave and hands over his role to the deputy for four months. After expiry the handover ends automatically.
I
IBAN Fingerprint
The IBAN fingerprint is a salted hash of an International Bank Account Number, stored in SigID instead of the plain IBAN. It enables expected-versus-actual comparisons without keeping the IBAN in clear text permanently.
Example
On first verification of a supplier, the IBAN fingerprint is stored. If someone later tries to register a different IBAN, the fingerprints differ and a challenge is required.
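The comparison described in the Fingerprint and IBAN Fingerprint entries, as an added example (not SigID's code). It assumes HMAC-SHA-256 with a server-side key as the keyed hash, and goes slightly beyond the entries by running the standard IBAN mod-97 check before fingerprinting; the key and function names are constructed, and the IBANs are the published example numbers for DE and GB.

```python
import hashlib
import hmac


def normalize_iban(iban: str) -> str:
    """Remove whitespace and uppercase, so formatting never changes the fingerprint."""
    return "".join(iban.split()).upper()


def iban_checksum_ok(iban: str) -> bool:
    """Standard IBAN check: move the first four characters to the end,
    map A-Z to 10-35, and require the resulting number mod 97 to equal 1."""
    s = normalize_iban(iban)
    if not (15 <= len(s) <= 34) or not (s.isascii() and s.isalnum()):
        return False
    rearranged = s[4:] + s[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1


def iban_fingerprint(iban: str, key: bytes) -> str:
    """HMAC-SHA-256 over the normalized IBAN. The secret key prevents offline guessing
    of the small, structured IBAN space from a leaked fingerprint table."""
    if not iban_checksum_ok(iban):
        raise ValueError("malformed IBAN")
    return hmac.new(key, normalize_iban(iban).encode("ascii"), hashlib.sha256).hexdigest()


def requires_challenge(stored_fp: str, presented_iban: str, key: bytes) -> bool:
    """True when the presented IBAN is malformed or does not match the stored fingerprint."""
    try:
        candidate = iban_fingerprint(presented_iban, key)
    except ValueError:
        return True
    # Constant-time comparison of the two hex digests.
    return not hmac.compare_digest(stored_fp, candidate)


# Constructed demo values: a throwaway key and the fingerprint stored at first verification.
DEMO_KEY = b"demo-key-not-for-production"
STORED_FP = iban_fingerprint("DE89 3704 0044 0532 0130 00", DEMO_KEY)

if __name__ == "__main__":
    print(requires_challenge(STORED_FP, "de89370400440532013000", DEMO_KEY))       # same account
    print(requires_challenge(STORED_FP, "GB82 WEST 1234 5698 7654 32", DEMO_KEY))  # different account
```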
Idempotency Key
An idempotency key is a unique value that API clients pass with each write operation. Retries with the same key return the same result without re-executing the operation.
Example
After a network timeout, the ERP retries the same POST /v1/verifications call with idempotency key inv-2026-04-117. SigID recognises the key and returns the original result.
K
KYB
KYB stands for Know Your Business, i.e. the verification of a business partner organization against commercial register, address and representation data. In SigID a successful KYB check yields at least Trust Level T2.
Example
During onboarding of a new supplier, SigID reconciles register extract, address and representation in one step. The supplier reaches Trust Level T2.
M
Membership
A membership describes the affiliation of an identity to an organization or team within SigID. It defines roles, scopes and visibilities.
Example
Ms Koehler holds a membership with the role Accounting in the organization Mueller GmbH and only sees cases belonging to that organization.
P
Passkey
A passkey is a FIDO2/WebAuthn key pair that replaces passwords. The private key stays on the device; the public part is registered with the SigID backend.
Example
Instead of a password, the user signs in via Face ID and passkey. The login is phishing-resistant because the domain is part of the signature.
Product Check
A product check is the authenticity and provenance verification of a batch or single product in SigID. It binds serial code, audit event and multi-scan detection into a trust statement.
Example
A pharmacist scans the serial code of a medication. SigID returns manufacturer, batch number and scan history and warns that the package has been verified for the third time.
R
Risk Level
The risk level of an action determines whether a Trust-App signature is required. Actions such as IBAN change, new admin role or API key creation carry risk level high and always require dynamic linking.
Example
Read access to a supplier master record has risk level low. Changing the IBAN of the same supplier has risk level high and requires a confirmed challenge.
T
TAN
A TAN (transaction number) is a classic one-time code, often delivered by SMS or generator. SigID uses TANs only as a low-trust fallback because SMS TAN is not hardened against SIM swap and phishing.
Example
When a smartphone is changed and the Trust App is not yet installed, a TAN can bridge the login transition. For critical actions a TAN is never sufficient.
Trust App
The Trust App is SigID's mobile companion app that confirms critical actions via passkey and dynamic linking. It keeps the keys in the secure enclave and is the single point where challenges are finally signed.
Example
When changing an IBAN, the user receives a push notification in the Trust App. Recipient and IBAN are shown in clear text and confirmed via Face ID.
Trust Level (T0-T5)
Trust Level describes the verification grade of an identity, IBAN or organization in SigID. The scale ranges from T0 (unverified) through T2 (KYB) to T5 (multi-signed representation with audit hash).
Example
A new supplier starts at T0, reaches T2 by commercial register reconciliation and after a first signed payment relationship moves to T3.
V
Verification
Verification is the umbrella term for any audited check in SigID against third-party sources or cryptographic evidence. Every verification produces at least one audit event and can raise the trust level of a subject.
Example
An IBAN verification reconciles supplier, register holder and IBAN fingerprint in a single step. The outcome updates the supplier's trust level.
W
WebAuthn
WebAuthn is the W3C browser API for FIDO2 authentication. It allows web applications to create, store and use passkeys across platforms.
Example
The SigID marketing site supports registration via WebAuthn. Browser and operating system guide the user through Face ID or hardware key.
Webhook
A webhook is an outbound HTTP callback to a customer-configured endpoint whenever an event occurs in SigID (such as verification.completed). Every webhook is signed and delivered idempotently.
Example
As soon as a supplier verification finishes, SigID calls the ERP endpoint with the audit event. The ERP verifies the signature and updates its state.