
kysigned: e-signatures rooted in your email, not a certificate authority
We said we'd start announcing products. Here's the first thing we actually built.
The plan was simple: take an overpriced piece of SaaS, build an open version anyone can fork and a hosted version anyone can just use, and put both out there. The first one we looked at was digital signatures. Signing documents kept costing us far more than it felt like it should, and I wanted to understand why.
It comes down to trust
It comes down to trust, and trust turns out to be the whole business. A signature is only worth anything if it holds up later, if the other side can't credibly dispute it. The big names have spent years and a lot of money earning that confidence, through reputation, audits, and a long history of holding up in court. That hard-won trust is exactly what lets them charge a premium. You pay up because you trust them, and you stay because the alternative is handing something this important to a small provider nobody has heard of. The trust is the moat, and the moat is the price.
So we moved the trust
So we didn't try to out-trust anyone. We're a small open-source project, and earning that kind of confidence takes years and millions. The more useful question was whether you need to trust the provider at all. We figured we could move the trust somewhere the entire world already relies on: the email system. When you sign, your own email provider signs the document and your intent to sign it, using the same DKIM signature that already proves your email really came from you and authenticates billions of messages a day. The proof lives in public archives, never on our servers. We never hold the key, so we couldn't forge a signature or alter a document after the fact even if someone paid us to. We just gather the proof and package it so anyone can verify it themselves, offline, years later, even if we are long gone. You don't have to trust a signature company, big or small. You trust the email system, and you already do.
So we built kysigned. One honest limit, and it is true of every e-signature product: this proves the document was signed by whoever controls the alice@acme.com mailbox, not that the human behind it is who they claim to be. Tying a real person to that mailbox is a separate identity check, the same kind everyone bolts on, and one we can add too.
It's live
If you just need to sign something, kysigned.com is $0.25 a document, no subscription, ready to go, and your first 4 envelopes are free. If you'd rather run your own, the repo is open, Apache-2.0: github.com/kychee-com/kysigned. And if you want to check our claims instead of taking our word, drop any signing record on kysigned.com/verify: the check runs in your browser, offline, and we are not in the trust set.
One thing worth noting is that kysigned, like everything we build, has to run somewhere. The raw pieces are the easy part. The cloud providers already hand you a database, compute, storage, and hosting. What we couldn't find was the layer on top, the one that lets an agent wire it all together and run the whole thing, with room for whatever a given app needs. This one, for instance, needed the raw, unmodified email so we could verify each signature ourselves, which most backends won't hand you. A few good options exist, but none had everything we needed, so we built our own, open source like kysigned: run402, an agent-native backend that all our apps run on. But that's a topic for a post of its own, coming in the next few days.
Kychee builds AI-native voice products and Open SaaS. Write to info@kychee.com.