Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.truthlocks.com/llms.txt

Use this file to discover all available pages before exploring further.

Prove you wrote the code. Truthlocks creates cryptographic attestations for source code, APIs, documentation, and other digital assets. Protect your intellectual property with SHA-256 hashing and timestamped proof — all without your source code ever leaving your machine.

Why Code Authorship Matters

  • IP disputes: Prove you wrote the code before someone else claims it. Timestamped cryptographic proof is admissible evidence.
  • Open source protection: Protect your contributions before publishing. If someone forks and claims ownership, you have proof.
  • Contract work: Prove delivery dates and authorship to clients with independently verifiable attestations.
  • Portfolio verification: Prospective employers or clients can verify your claimed work is genuinely yours.

How It Works

1

Hash your code locally

Compute SHA-256 of your source file, repository archive, or any artifact. The file content never leaves your machine.
2

Submit the hash

Send the hash, title, and metadata to the Truthlocks API. An attestation is created with your personal signing key.
3

Anchor to transparency log

The attestation is anchored to an append-only, RFC 6962-compatible transparency log with an immutable timestamp.
4

Share the proof

Get a shareable proof URL, embeddable badge, or downloadable certificate.

Protect a Single File (CLI / API)

Hash a source file and submit the attestation: 
# Hash a file locally (macOS/Linux)
HASH=$(sha256sum main.go | awk '{print $1}')

# Submit to Truthlocks API
curl -X POST https://api.truthlocks.com/v1/consumer/mint \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "content_hash": "'$HASH'",
    "title": "main.go — Core Engine v2.1",
    "description": "Primary application entry point and engine logic",
    "file_name": "main.go",
    "content_type": "code",
    "category": "source_code",
    "visibility": "public"
  }'

Protect an Entire Repository

Create a deterministic archive of your repo and hash it: 
# Create a deterministic git archive
git archive --format=tar HEAD | sha256sum | awk '{print $1}'

# Or hash a specific commit
git archive --format=tar <commit-sha> | sha256sum | awk '{print $1}'
Use git archive instead of zipping the directory — it produces deterministic output regardless of filesystem metadata, making the hash reproducible.

Examples

import { createHash } from 'crypto';
import { readFileSync } from 'fs';

// Hash a source file
const content = readFileSync('src/index.ts');
const hash = createHash('sha256').update(content).digest('hex');

// Submit to Truthlocks
const response = await fetch('https://api.truthlocks.com/v1/consumer/mint', {
method: 'POST',
headers: {
'Authorization': 'Bearer ' + token,
'Content-Type': 'application/json',
},
body: JSON.stringify({
content_hash: hash,
title: 'src/index.ts — API Server',
description: 'Main API server entry point',
content_type: 'code',
category: 'source_code',
}),
});

const { attestation_id, content_hash, protected_at, verify_url } = await response.json();
console.log('Proof URL:', verify_url);
console.log('Hash:', content_hash, 'Protected at:', protected_at);

CI/CD Integration

Automate code protection in your CI pipeline. Protect every release:
GitHub Actions
- name: Protect release artifact
  run: |
    HASH=$(sha256sum dist/app.tar.gz | awk '{print $1}')
    curl -X POST https://api.truthlocks.com/v1/consumer/mint \
      -H "Authorization: Bearer $TRUTHLOCKS_TOKEN" \
      -H "Content-Type: application/json" \
      -d '{
        "content_hash": "'$HASH'",
        "title": "Release build",
        "description": "Production release artifact",
        "content_type": "code",
        "category": "release"
      }'

Add a Badge to Your README

Show verification status directly in your repository:
Markdown
[![Protected by Truthlocks](https://verify.truthlocks.com/badge/ATTESTATION_ID)](https://verify.truthlocks.com/proof/ATTESTATION_ID)
The badge dynamically shows verification status and is cached for performance. Replace ATTESTATION_ID with the ID returned from the mint endpoint.

Verification

Anyone can independently verify your code authorship:
  1. Hash the original file with SHA-256 (same algorithm used during protection).
  2. Visit the proof URL or call POST /v1/verify with the attestation ID.
  3. The system confirms the hash matches, verifies the cryptographic signature, and checks the transparency log anchor.
# Verify an attestation
curl -X POST https://api.truthlocks.com/v1/verify \
  -H "Content-Type: application/json" \
  -d '{"attestation_id": "b2c3d4e5-..."}'

Security Guarantees

  • Zero-knowledge: Only the hash is transmitted — your source code never leaves your machine.
  • Tamper-proof: Attestations are anchored to an append-only transparency log. Altering the record would break the Merkle tree.
  • Non-repudiable: Each attestation is signed with your personal Ed25519 key. Only you could have created it.
  • Independently verifiable: Proof can be verified without Truthlocks involvement — anyone can check the hash, signature, and log anchor.