B2C Content Protection Guide

How It Works

1. Sign up at verify.truthlocks.com/signup. A personal issuer and signing key are auto-provisioned for your account.
2. Upload content on the Protect page. Your file is hashed client-side (SHA-256) — the file itself never leaves your browser.
3. AI metadata is automatically extracted (category, description, content type) to enrich your protection record.
4. Mint attestation — the hash and metadata are signed by your personal issuer and anchored to the transparency log.
5. Share proof via a public proof page, embeddable badge, or downloadable certificate.

Protecting Content via the API

Compute the SHA-256 hash of your content client-side, then call the mint endpoint:

POST /v1/consumer/mint
Authorization: Bearer <token>
Content-Type: application/json

{
  "content_hash": "e3b0c44298fc1c149afbf4c8...",
  "title": "My Photograph",
  "description": "Sunset photo taken in Big Sur",
  "file_name": "sunset.jpg",
  "file_size": 4521984,
  "content_type": "image",
  "category": "photography",
  "visibility": "public"
}

The response includes your attestation ID and a shareable proof URL:

{
  "protection_id": "a1b2c3d4-...",
  "attestation_id": "b2c3d4e5-...",
  "verify_url": "https://verify.truthlocks.com/proof/b2c3d4e5-...",
  "share_url": "https://verify.truthlocks.com/proof/b2c3d4e5-..."
}

Client-Side Hashing (JavaScript)

The file never leaves your browser. Compute the hash before calling the API:

async function hashFile(file) {
  const buffer = await file.arrayBuffer();
  const hashBuffer = await crypto.subtle.digest("SHA-256", buffer);
  const hashArray = Array.from(new Uint8Array(hashBuffer));
  return hashArray.map(b => b.toString(16).padStart(2, "0")).join("");
}

const hash = await hashFile(selectedFile);
// Pass 'hash' as content_hash to POST /v1/consumer/mint

Managing Protections

• List protections: GET /v1/consumer/protections returns all your protected content.
• Toggle visibility: PUT /v1/consumer/protections/{id}/visibility with {"visibility": "public"} or "private".
• Set username: PUT /v1/consumer/me/username to claim a public portfolio URL.
• View stats: GET /v1/consumer/stats for total protections, public count, and verification count.

Embeddable Badges

Add a verification badge to your website, README, or portfolio:

Markdown

[![Protected by Truthlocks](https://verify.truthlocks.com/badge/ATTESTATION_ID)](https://verify.truthlocks.com/proof/ATTESTATION_ID)

HTML

<a href="https://verify.truthlocks.com/proof/ATTESTATION_ID">
  <img src="https://verify.truthlocks.com/badge/ATTESTATION_ID"
       alt="Protected by Truthlocks" />
</a>

The badge dynamically shows "Verified" or "Unverified" status and is cached for 10 minutes.

Downloadable Certificates

Download a formal SVG protection certificate for any attestation:

GET /api/certificate/ATTESTATION_ID         → SVG download
GET /api/certificate/ATTESTATION_ID?format=html  → HTML view

Certificates include the title, category, attestation ID, content hash, date, and a verified seal. Use them for legal evidence, portfolio displays, or print.

Public Portfolio

Set a username to get a public portfolio page at verify.truthlocks.com/portfolio/YOUR_USERNAME. Only protections with visibility: "public" are shown. The portfolio includes OpenGraph metadata for rich social sharing.

Pricing Tiers

• Free: 50 protections/month, SHA-256 hashing, transparency log, shareable links, public portfolio.
• Creator ($9/mo): 500 protections/month, priority processing, custom badges, advanced analytics, API access.
• Pro ($29/mo): Unlimited protections, bulk API, custom certificates, priority support, team collaboration.

Security Model

• Files never leave the browser — only the SHA-256 hash is transmitted.
• Each consumer gets a personal Ed25519 signing key provisioned on signup.
• Attestations are anchored to an append-only transparency log (RFC 6962 compatible).
• Row Level Security isolates all tenant data in PostgreSQL.
• Proofs are independently verifiable without Truthlocks involvement.