Open Source Verification
The Trustless Verification Principle
TimeProof’s architecture is built so that you don’t need to trust TimeProof to verify a timestamp. Every piece of the verification chain is publicly accessible and independently verifiable using standard, open source tools.
This is what makes blockchain timestamping fundamentally different from traditional notarization or certificate authorities: the proof doesn’t depend on any company’s honesty, existence, or continued operation.
What You Need
To verify a TimeProof timestamp independently, you need:
| Requirement | Where to Get It |
|---|---|
| The original file | Your local storage |
| Transaction hash | Your PDF certificate |
| Merkle proof (for batch timestamps) | Your PDF certificate or LG package |
| SHA-256 tool | Built into your OS |
| Blockchain access | Any Polygon explorer or node |
No TimeProof library, no proprietary software, no API access.
Step-by-Step Independent Verification
Step 1: Compute the File Hash
Use any SHA-256 implementation:
Linux / macOS:
sha256sum document.pdfWindows PowerShell:
Get-FileHash document.pdf -Algorithm SHA256Python:
import hashlib
with open('document.pdf', 'rb') as f:
print(hashlib.sha256(f.read()).hexdigest())Node.js:
import { createHash, readFileSync } from 'crypto';
const hash = createHash('sha256')
.update(readFileSync('document.pdf'))
.digest('hex');
console.log(hash);OpenSSL:
openssl dgst -sha256 document.pdfAll of these produce the same 64-character hex string for the same file. Pick whichever tool you’re comfortable with.
Step 2: Look Up the Transaction
Using the transaction hash from your certificate, verify it exists on the blockchain:
Option A: Polygonscan
Navigate to https://polygonscan.com/tx/{txHash} and confirm the transaction exists, succeeded, and contains your hash in the input data.
Option B: JSON-RPC (any provider)
curl -X POST https://polygon-rpc.com -H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"eth_getTransactionByHash","params":["0xYourTxHash"],"id":1}'Option C: Your own node
If you run a Polygon full node, query it directly. This is the maximum level of independence — you’re not trusting any third-party service.
Option D: ethers.js
import { JsonRpcProvider } from 'ethers';
const provider = new JsonRpcProvider('https://polygon-rpc.com');
const tx = await provider.getTransaction('0xYourTxHash');
console.log(tx);Step 3: Verify the Hash on Chain
For single-file timestamps, the file hash should appear in the transaction’s input data.
For batch timestamps, the transaction contains a Merkle root. You need to verify that your file hash is part of the Merkle tree.
Step 4: Walk the Merkle Proof
If your file was part of a batch, use the Merkle proof from your certificate:
Python implementation:
import hashlib
def verify_merkle_proof(file_hash, proof, root):
"""Verify a SHA-256 Merkle proof."""
current = bytes.fromhex(file_hash)
for sibling_hex, position in proof:
sibling = bytes.fromhex(sibling_hex)
if position == 'left':
combined = sibling + current
else:
combined = current + sibling
current = hashlib.sha256(combined).digest()
return current.hex() == root
# Example usage
file_hash = "e3b0c44298fc1c..."
proof = [
("abc123...", "right"),
("def456...", "left"),
]
merkle_root = "789abc..."
assert verify_merkle_proof(file_hash, proof, merkle_root)JavaScript implementation:
import { createHash } from 'crypto';
function verifyMerkleProof(fileHash, proof, root) {
let current = Buffer.from(fileHash, 'hex');
for (const [sibling, position] of proof) {
const siblingBuf = Buffer.from(sibling, 'hex');
const combined = position === 'left'
? Buffer.concat([siblingBuf, current])
: Buffer.concat([current, siblingBuf]);
current = createHash('sha256').update(combined).digest();
}
return current.toString('hex') === root;
}Step 5: Confirm the Timestamp
The block that contains your transaction has a timestamp — this is the provable “existed before” time. Get the block details:
const block = await provider.getBlock(tx.blockNumber);
const anchoredAt = new Date(block.timestamp * 1000);
console.log(`File existed before: ${anchoredAt.toISOString()}`);Tools Used in This Guide
Every tool referenced above is open source and widely available:
| Tool | License | Purpose |
|---|---|---|
| sha256sum | GNU coreutils (GPL) | Compute SHA-256 hash |
| OpenSSL | Apache 2.0 | Compute SHA-256 hash |
| Python hashlib | Built-in (PSF) | Compute SHA-256 hash |
| Node.js crypto | Built-in (MIT) | Compute SHA-256 hash |
| ethers.js | MIT | Query blockchain |
| web3.py | MIT | Query blockchain |
| curl | MIT/X derivative | HTTP requests |
None of these tools are made by, controlled by, or affiliated with TimeProof.
Smart Contract Verification
The TimeProof smart contract on Polygon may be source-verified on Polygonscan. This means you can:
- Read the actual Solidity source code
- Confirm it matches the deployed bytecode
- Understand exactly what the contract does
- Verify there are no hidden functions or admin overrides
A verified contract is transparent — its behavior is visible to anyone.
JWS Identity Attestation Verification
For Legal-Grade packages with identity attestation:
- The LG package contains a JWS (JSON Web Signature) compact token
- The signing public key is published at
/.well-known/jwks.json - Any standard JWS library can verify the signature:
import * as jose from 'jose';
// Fetch the public key
const jwks = await fetch('https://api.timeprooflabs.com/.well-known/jwks.json')
.then(r => r.json());
// Verify the attestation
const { payload } = await jose.jwtVerify(attestationToken, jwks);
console.log(payload); // { sub: "0x...", verified: true, ... }The jose library is MIT-licensed open source.
Why This Matters
Independent verification means:
- No vendor lock-in — your proofs work without TimeProof
- Legal resilience — a court can verify the proof without relying on a company’s testimony
- Future-proof — as long as the Polygon blockchain exists and SHA-256 isn’t broken, your proofs are valid
- Trustless — verification doesn’t require trusting any party
Related Guides
- Polygonscan Verification — browser-based blockchain verification
- Third-Party Verification — for legal and audit contexts
- Security Architecture — full security model
- What Happens If TimeProof Goes Down? — continuity guarantees
Use the live product for timestamping and verification.
The company site owns the technical reference. The app handles runtime workflows.