Skip to main content
Prove you wrote the code. Truthlocks creates cryptographic attestations for source code, APIs, documentation, and other digital assets. Protect your intellectual property with SHA-256 hashing and timestamped proof — all without your source code ever leaving your machine.

Why Code Authorship Matters

  • IP disputes: Prove you wrote the code before someone else claims it. Timestamped cryptographic proof is admissible evidence.
  • Open source protection: Protect your contributions before publishing. If someone forks and claims ownership, you have proof.
  • Contract work: Prove delivery dates and authorship to clients with independently verifiable attestations.
  • Portfolio verification: Prospective employers or clients can verify your claimed work is genuinely yours.

How It Works

1

Hash your code locally

Compute SHA-256 of your source file, repository archive, or any artifact. The file content never leaves your machine.
2

Submit the hash

Send the hash, title, and metadata to the Truthlocks API. An attestation is created with your personal signing key.
3

Anchor to transparency log

The attestation is anchored to an append-only, RFC 6962-compatible transparency log with an immutable timestamp.
4

Share the proof

Get a shareable proof URL, embeddable badge, or downloadable certificate.

Protect a Single File (CLI / API)

Hash a source file and submit the attestation: 
# Hash a file locally (macOS/Linux)
HASH=$(sha256sum main.go | awk '{print $1}')

# Submit to Truthlocks API
curl -X POST https://api.truthlocks.com/v1/consumer/mint \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "content_hash": "'$HASH'",
    "title": "main.go — Core Engine v2.1",
    "description": "Primary application entry point and engine logic",
    "file_name": "main.go",
    "content_type": "code",
    "category": "source_code",
    "visibility": "public"
  }'

Protect an Entire Repository

Create a deterministic archive of your repo and hash it: 
# Create a deterministic git archive
git archive --format=tar HEAD | sha256sum | awk '{print $1}'

# Or hash a specific commit
git archive --format=tar <commit-sha> | sha256sum | awk '{print $1}'
Use git archive instead of zipping the directory — it produces deterministic output regardless of filesystem metadata, making the hash reproducible.

Examples

import { createHash } from 'crypto';
import { readFileSync } from 'fs';

// Hash a source file
const content = readFileSync('src/index.ts');
const hash = createHash('sha256').update(content).digest('hex');

// Submit to Truthlocks
const response = await fetch('https://api.truthlocks.com/v1/consumer/mint', {
method: 'POST',
headers: {
'Authorization': 'Bearer ' + token,
'Content-Type': 'application/json',
},
body: JSON.stringify({
content_hash: hash,
title: 'src/index.ts — API Server',
description: 'Main API server entry point',
content_type: 'code',
category: 'source_code',
}),
});

const { attestation_id, content_hash, protected_at, verify_url } = await response.json();
console.log('Proof URL:', verify_url);
console.log('Hash:', content_hash, 'Protected at:', protected_at);

CI/CD Integration

Automate code protection in your CI pipeline. Protect every release:
GitHub Actions
- name: Protect release artifact
  run: |
    HASH=$(sha256sum dist/app.tar.gz | awk '{print $1}')
    curl -X POST https://api.truthlocks.com/v1/consumer/mint \
      -H "Authorization: Bearer $TRUTHLOCKS_TOKEN" \
      -H "Content-Type: application/json" \
      -d '{
        "content_hash": "'$HASH'",
        "title": "Release build",
        "description": "Production release artifact",
        "content_type": "code",
        "category": "release"
      }'

Add a Badge to Your README

Show verification status directly in your repository:
Markdown
[![Protected by Truthlocks](https://verify.truthlocks.com/badge/ATTESTATION_ID)](https://verify.truthlocks.com/proof/ATTESTATION_ID)
The badge dynamically shows verification status and is cached for performance. Replace ATTESTATION_ID with the ID returned from the mint endpoint.

Verification

Anyone can independently verify your code authorship:
  1. Hash the original file with SHA-256 (same algorithm used during protection).
  2. Visit the proof URL or call POST /v1/verify with the attestation ID.
  3. The system confirms the hash matches, verifies the cryptographic signature, and checks the transparency log anchor.
# Verify an attestation
curl -X POST https://api.truthlocks.com/v1/verify \
  -H "Content-Type: application/json" \
  -d '{"attestation_id": "b2c3d4e5-..."}'

Security Guarantees

  • Zero-knowledge: Only the hash is transmitted — your source code never leaves your machine.
  • Tamper-proof: Attestations are anchored to an append-only transparency log. Altering the record would break the Merkle tree.
  • Non-repudiable: Each attestation is signed with your personal Ed25519 key. Only you could have created it.
  • Independently verifiable: Proof can be verified without Truthlocks involvement — anyone can check the hash, signature, and log anchor.