The worst part was that the verification still returned true.
I had the Sign record open, the onchain attestation sitting there with that calm, hard-to-argue-with look ledger entries get when everyone in the room wants the discussion to be over. Schema intact. Issuer intact. Reference intact. On Sign, hybrid attestations are built to feel efficient exactly like that. Keep the attestation legible. Keep the schema queryable. Push the heavier payload somewhere else so the system does not drag every serious record fully onchain like a punishment.
Normal day, that makes perfect sense.
This was not a normal day.
A benefits exclusion had turned into a formal dispute. Not Twitter noise. Not product feedback. A real administrative fight. Someone wanted the underlying packet that justified the attestation — the actual support bundle, the thing with the dates and category evidence and whatever else had made the original judgment look settled the first time around. That bundle was not onchain. Only the Sign attestation anchor was.
Which meant the room split immediately into two incompatible moods.
One side kept pointing at the attestation. It verifies. The record exists. Sign shows the issuer, the schema, the reference path. What exactly is the problem?
The other side kept asking for the payload.
Not the hash.
Not the URI.
The actual file set.
That is where Sign’s hybrid architecture stops feeling like elegant infrastructure and starts feeling like a choice you made on a cheaper afternoon coming back with legal weight attached to it. Because On Sign, verifiability and payload location can be separated cleanly enough for the system to keep moving long after the human argument has shifted almost entirely into the offchain portion.
And once that happens, the missing part becomes the whole dispute.
The attestation was still there. That was almost the irritating part. Sign’s record layer had done its job. Nobody was alleging forgery. Nobody was saying the schema broke. The claim was narrower and nastier: the decisive evidence lived outside the chain, and now the people challenging the decision wanted more than proof that a record once existed. They wanted the record to feel institutionally permanent.
Those are not the same standard.
IPFS can make a payload available. Sometimes very available. Until availability starts sounding like a promise nobody actually wrote down. Arweave feels heavier, more deliberate, which is probably why Sign’s docs push it when permanence matters. But plenty of real programs still reach for the lighter path first because cost, speed, habit, budget, whatever the right excuse is. Then months later somebody opens a dispute and suddenly everyone speaks as if “stored somewhere retrievable” and “preserved like evidence” were always interchangeable.
They were not.
So now you get the miserable hybrid-attestation scene. On Sign, the attestation still verifies. The reference still points. Maybe the payload is slow to surface. Maybe a gateway is flaky. Maybe the file reappears after enough poking, which somehow makes the whole thing feel worse, not better. Because the issue is no longer only whether the data can be fetched. It is whether the architecture ever guaranteed the kind of permanence this dispute is now demanding from it.
That is the operational bruise hiding inside Sign’s scalability story. Sign’s hybrid design lets the record stay portable and efficient. Fine. Useful, even. But once the contested truth lives in the offchain payload, the chain is no longer carrying the whole institutional burden people thought the word “attestation” was carrying for them.
So the verification stays green. The dispute stays open. And the question nobody likes answering out loud is the one sitting underneath the whole workflow now:
if On Sign the attestation is permanent enough to verify, but the payload is where the case actually lives, what exactly did permanence apply to?