Do you store my files?

No. Only hashes. Your original content never leaves your device.

How do I verify a proof?

Call /api/verify with the SHA-256 hash or use any ProofSpec-compliant client.

What algorithm is used for signatures?

HMAC-SHA256 over the ASCII string 'hash|ts' with Base64URL-encoded signature.

Status: Public Beta v0.1 · API · Privacy-first · No blockchain

API Docs

Minimal, fast, verifiable. Hash client-side, timestamp via the API, verify publicly. Privacy-first, no blockchain.

↑ Top

API: v0.1 · Last updated: 2025-11-08 · Spec: ProofSpec v0.1 · Security

1. Base URL

Env	URL	Notes
Primary	`https://api.timeproofs.io/api`	Global edge
Fallback	`https://timeproofs-api.jeason-bacoul.workers.dev/api`	Same contract

2. Auth

HTTP bearer token. Omit for public GET /api/verify.

Authorization: Bearer <API_TOKEN>

No PII in payloads. Hash-only.

3. POST /api/timestamp

Create a timestamped proof for a SHA-256 hash.

POST /api/timestamp
Content-Type: application/json
Authorization: Bearer <TOKEN>

{
  "hash": "7c040f...d76c2",
  "meta": { "type": "file", "hint": "optional-small-note" }
}

# cURL
curl -s -X POST https://api.timeproofs.io/api/timestamp \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"hash":"<SHA256_HEX>","meta":{"type":"file"}}'

// JS (browser) — string → sha256
async function sha256Hex(str){
  const buf=new TextEncoder().encode(str);
  const digest=await crypto.subtle.digest('SHA-256', buf);
  return [...new Uint8Array(digest)]
    .map(b=>b.toString(16).padStart(2,'0'))
    .join('');
}

const API="https://api.timeproofs.io/api";
const hash=await sha256Hex("hello");

const proof=await fetch(`${API}/timestamp`,{
  method:"POST",
  headers:{
    "Authorization":"Bearer <TOKEN>",
    "Content-Type":"application/json"
  },
  body:JSON.stringify({ hash, meta:{ type:"text" } })
}).then(r=>r.json());

Field	Type	Required	Description
hash	string	yes	Lowercase hex SHA-256 of your content
meta	object	no	Small hints. Avoid secrets/PII

4. GET/POST /api/verify

Check an existing proof by hash.

GET /api/verify?hash=<SHA256_HEX>

# cURL
curl -s "https://api.timeproofs.io/api/verify?hash=<SHA256_HEX>"

// JS
const API="https://api.timeproofs.io/api";
const res=await fetch(`${API}/verify?hash=${encodeURIComponent(hash)}`);
const data=await res.json();

Public read. No token required.

5. Models (ProofSpec v0.1)

// Timestamp response
{
  "hash": "^[a-f0-9]{64}$",
  "ts":   1730793600000,           // Unix epoch ms
  "sig":  "base64url(HMAC_SHA256('hash|ts', key))",
  "meta": { ... }                  // optional, small, non-personal
}

// Verify response
{
  "exists": true,
  "valid":  true,
  "hash":   "…",
  "ts":     1730793600000,
  "sig":    "…",
  "meta":   { ... }
}

Signature policy: HMAC-SHA256 over ASCII hash|ts, Base64URL without padding.

6. Errors

Status	Code	Meaning
200	ok	Success
400	INVALID_HASH	Missing/invalid SHA-256
401	UNAUTHORIZED	Invalid token
404	NOT_FOUND	No proof for this hash
429	RATE_LIMIT	Too many requests
5xx	SERVER_ERROR	Temporary issue

7. Client helpers

// File → sha256 (browser)
async function sha256FileHex(file){
  const buf=await file.arrayBuffer();
  const digest=await crypto.subtle.digest('SHA-256', buf);
  return [...new Uint8Array(digest)]
    .map(b=>b.toString(16).padStart(2,'0'))
    .join('');
}

// Node.js
import { createHash } from "crypto";

const sha256Hex = (buf) =>
  createHash("sha256").update(buf).digest("hex");

Full SDKs ship with v0.2.

This page is verified by TimeProofs

Release: … · Hash: … · Verify

Loaded from the central release manifest.