ScopeGuard

Scope-controlled contracts

• Scope-controlled contract management

Build Fast. Protect Hard. Dominate.

ScopeGuard gives freelancers and agencies a clear scope builder, signed client portal, request reviews, and change orders that protect margins without awkward back-and-forth.

Keep every signing decision auditable with mutual OTP verification, cryptographic hashes, and a paper trail designed for real audits.

const contract = {
  scope: "locked",
  hash: "sha256..."
}

Lock scope before the work starts

Turn fuzzy deliverables into a signed, auditable agreement clients can review without creating an account.

Detect drift as requests arrive

Review every new ask against the approved scope and record the commercial decision with a developer note.

Recover revenue with one click

Generate professional change orders fast enough to use them in the moment, not after the damage is done.

How ScopeGuard works

From scope to signature—without drift

Every workflow step is tied to a signed snapshot, recorded events, and strict participation checks. That means fewer surprises when a “small change” becomes a revenue problem.

1. Lock scope early

Draft and store a content snapshot

Create a contract with a structured snapshot (TipTap content). When you save, ScopeGuard computes a SHA-256 hash so later signing references an auditable version.

2. Review drift as requests arrive

Track decisions with a chain of custody

As scope requests come in, each decision produces an amendment workflow. The backend ties the workflow to JWT-verified identity and stores signature/audit metadata.

3. Sign safely with OTP

Both parties must verify

Signing uses one-time codes. Both freelancer and client must verify OTP before the contract/amendment becomes active. That prevents “one-sided lock-in” and ensures mutual consent.

Production-ready foundations (and SSO-ready auth)

Login is handled through Supabase OAuth. Your access token is verified server-side (JWKS for ES256). The backend syncs the user into PostgreSQL and assigns workspace role metadata.

  • OTP signing prevents accidental or one-sided activation.
  • Audit metadata is recorded alongside signature events.
  • Contract hash chains make it easier to detect drift over time.
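The snapshot hashing from step 1 and the hash chain named in the list above, shown as an added example that is not ScopeGuard's own code. The sorted-key canonical form, the `prevHash` record layout, and the sample snapshots are assumptions made for illustration.

```javascript
const { createHash } = require("node:crypto");

// Deterministic serialization (assumed canonical form): object keys are
// sorted so the same content always hashes to the same value, regardless
// of the key order the editor happened to emit.
function canonicalize(value) {
  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
  if (value !== null && typeof value === "object") {
    return "{" + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonicalize(value[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

const sha256 = (text) => createHash("sha256").update(text, "utf8").digest("hex");

// Each version commits to its own snapshot and to the previous version's
// hash, so editing an old version invalidates everything after it.
function appendVersion(chain, snapshot) {
  const prevHash = chain.length ? chain[chain.length - 1].hash : null;
  const hash = sha256(canonicalize({ prevHash, snapshot }));
  return [...chain, { prevHash, snapshot, hash }];
}

// Returns the index of the first version that fails verification, or -1
// when the whole chain is intact.
function firstBrokenLink(chain) {
  for (let i = 0; i < chain.length; i++) {
    const expectedPrev = i === 0 ? null : chain[i - 1].hash;
    const { prevHash, snapshot, hash } = chain[i];
    if (prevHash !== expectedPrev) return i;
    if (hash !== sha256(canonicalize({ prevHash, snapshot }))) return i;
  }
  return -1;
}

// Constructed sample data: a TipTap-style document and one amendment.
const doc = (text) => ({
  type: "doc",
  content: [{ type: "paragraph", content: [{ type: "text", text }] }],
});
let chain = appendVersion([], doc("Deliver 5 landing pages"));
chain = appendVersion(chain, doc("Deliver 5 landing pages and 1 blog template"));
```

Storing only the latest hash with the signature record is enough to re-verify the full history later, because every earlier version is reachable through `prevHash`.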

Quick start

Get to value in minutes

Sign in, create a contract, invite the client, then track requests and amendments with a clean audit trail.

Security and SSO-ready access

ScopeGuard uses Supabase Auth for identity and verifies JWTs server-side using JWKS (ES256) or legacy HS256. This means your backend can securely trust your logged-in identity before it allows contract or signature actions.

If you configure OAuth providers in Supabase, you can enable “SSO-ready” login buttons across the app. For deeper OAuth background, see the Supabase Auth guide.

OTP verification

Mutual verification

Signing can only finalize after both parties verify OTP for the correct entity. This prevents one-sided activation and keeps consent auditable.

Audit trail

Events you can review

Actions like OTP sent, OTP verified, and signing finalized are stored with participant identity and optional metadata for later review.

FAQ

Answers to common questions about OTP signing, auditability, and SSO.

Do both parties really need to verify OTP?

Yes. The API enforces mutual verification before a contract/amendment becomes active. This prevents one-sided “lock-in” and keeps consent auditable.

Is ScopeGuard SSO-ready?

ScopeGuard is SSO-ready via Supabase OAuth providers. The backend verifies your JWT with ES256 JWKS (server-side). Add the identity providers you want in Supabase, then enable them in the app via environment settings.

Where is my data stored?

Business data (contracts, amendments, signatures, audit metadata) is stored in your configured PostgreSQL database via `DATABASE_URL`. Supabase is used for authentication only.