Sign a PDF →

Lock a PDF Read-Only — Free, In Your Browser

No account. No upload. Just the tool.

A PDF is a fundamentally editable format. Drop one into Acrobat and any reader can fill the form fields, add sticky notes, draw on it, change the metadata. That’s a feature most of the time — and a problem when you need to send a file that looks finalized. Signegy locks a PDF to a defaults-read-only state in your browser. Free, no signup, no upload. Drop the file, click lock, download the result.

What This Does

Three transformations, in order:

  1. Flatten form fields. Any AcroForm fields with values get those values baked into the page content as permanent text or appearance marks. The editable widget is removed. The visible page looks the same; the field is no longer editable via the form UI.
  2. Strip annotations. Every page has its Annots dictionary removed. That dictionary is where sticky notes, freehand markup, highlights, link overlays, comment threads, and stray signature widgets live. Removing it is the cleanest way to declare “no overlays.”
  3. Set XMP rights metadata. A fresh Metadata stream is attached to the document catalog with xmpRights:Marked = True and a UsageTerms entry that reads “read-only via Signegy — forms flattened, annotations stripped.” Acrobat, Preview, and a growing number of browser viewers surface this in document properties.

The file is saved with a _locked.pdf suffix and downloaded directly from your browser. The original file isn’t touched.

What This Is Not

This is not encryption. There is no password. A user with Adobe Acrobat Pro, qpdf, pdftk, or any other full-featured PDF editor can still open the locked file and modify the underlying content. The XMP rights tag is a signal, not a barrier.

We’re explicit about this because the alternative — pretending a flatten + annotation strip is “security” — sets users up to leak confidential data. If you need to prevent a determined reader from extracting or modifying content, you need real password-based encryption. Adobe Acrobat Pro can apply it directly, qpdf can apply it from the command line, and most server-side PDF libraries can apply it in code.

When This Is the Right Tool

  • You’re sending a filled-out form back to the originator and want it clear that the values are final.
  • You’re publishing a PDF (a report, a policy, a contract) where readers default to view, not edit.
  • You want to strip stale annotations and form widgets from a file that’s been through multiple rounds of review.
  • You want a clear “this is the canonical version” signal in document properties.
  • You’re chaining tools — lock the file, then sign it, then send.

When You Need Something Else

  • Confidential data that must not be exfiltrated. Use full PDF encryption. Adobe Acrobat Pro, qpdf, or a server-side library will give you password-based AES encryption. This tool doesn’t.
  • Legal evidence chain. Use Signegy’s signing tool, which produces a verifiable audit certificate with a SHA-256 hash of the signed file. That’s a tamper-evident record — anyone can verify whether a file matches the cert without trusting Signegy.
  • Just want the file smaller. Compress PDF — flattening can shrink the file slightly (removed widgets) but isn’t a real compression pass.

How to Lock a PDF

  1. Drop your PDF. The tool accepts any PDF that pdf-lib can parse — including most files Acrobat refuses, since we use tolerant parsing.
  2. Wait for the parse. A multi-page form takes a moment because each field has to be flattened individually. Most files lock in under a second.
  3. Review the summary. The tool reports how many fields it flattened and how many annotations it removed. If both are zero, the file had no editable surfaces to begin with — locking still adds the XMP rights tag.
  4. Download. The file is saved with a _locked.pdf suffix.
  5. Optional: chain into another tool. After saving, the chain banner offers Sign and Compress. The bytes are passed through without re-uploading.

How It Works

Under the hood, this is straight pdf-lib. The full sequence:

const pdf = await PDFDocument.load(bytes, { ignoreEncryption: true });

// 1. Flatten any AcroForm — wrap in try/catch since many PDFs have no form
try {
  pdf.getForm().flatten();
} catch { /* no form, keep going */ }

// 2. Remove annotations from every page
for (const page of pdf.getPages()) {
  page.node.delete(PDFName.of('Annots'));
}

// 3. Embed an XMP packet with xmpRights:Marked
const xmpStream = pdf.context.flateStream(buildXmpPacket(), {
  Type: 'Metadata', Subtype: 'XML',
});
pdf.catalog.set(PDFName.of('Metadata'), pdf.context.register(xmpStream));

const out = await pdf.save({ useObjectStreams: true });

That’s the whole tool. Open the source if you want to verify there’s no upload step — there isn’t. Everything runs in your browser.

Pair With Other Tools

  • Sign PDF — sign the locked file to add a verifiable audit cert on top of the read-only signal.
  • Compress PDF — shrink the locked file before sending.
  • Edit Metadata — set the title, author, and subject before locking so the final document properties look right.
  • Add Watermark — stamp every page with FINAL or DO NOT EDIT before locking.

Signegy provides general information, not legal advice. Consult a qualified legal professional for advice specific to your situation and jurisdiction.

Frequently Asked Questions

Is this encryption?

No. Encryption requires a password and a working browser-side encryption library, and there isn't a reliable one we can ship today (we tested every npm option in Phase 1B; all silently no-op the password). What this tool does instead: flatten form fields so values can't be edited via the form UI, remove annotations so sticky notes and freehand markup are stripped, and tag the document with XMP rights metadata that says read-only. A determined user with Acrobat Pro, qpdf, or any PDF editor can still open the file and modify the underlying content. If you need real password protection, see the Adobe / qpdf note further down.

What exactly does locking change in the PDF?

Three things. (1) Every AcroForm field is flattened — the field's current value gets baked into the page content as plain text or marks, and the editable widget is removed. (2) Every page's Annots dictionary is removed entirely, dropping sticky notes, highlights, freehand drawings, link overlays, comment threads, and signature widgets. (3) An XMP metadata stream is added with xmpRights:Marked = True and a UsageTerms note declaring the file read-only. The visible page content is unchanged.

Will the locked PDF still display correctly?

Yes. Flattening converts editable form values into permanent page content using the field's existing appearance, so what you saw before locking is what gets baked in. Page text, images, vector graphics, and overall layout are untouched. The only visible difference is that filled form fields no longer show a focus outline and annotation overlays (highlights, sticky notes) are gone.

Why bother if it's not encryption?

Two reasons. First: most casual edits happen because Acrobat presents the file as editable. A flattened PDF with no annotations defaults to read-only behavior in Acrobat, Preview, and most browser viewers — the edit tools simply have nothing to grab onto. Second: the XMP rights metadata is a clear signal of intent. A reviewer who opens the file sees in document properties that it's marked read-only via Signegy. That's enough for many workflows where the question is 'is this the canonical version?' and the answer needs to be obvious. For confidential data, use real encryption.

Can I unlock it later?

Not via Signegy — flattening is one-way. Once a form field is baked into the page content there's no original widget to restore. Keep the original file if you might need to edit the form again later. If you only want the read-only signal but want to keep editability, skip locking and use [Edit Metadata](/edit-pdf-metadata) to add custom keywords like 'final' or 'do not edit' instead.