Cryptographic Authority
Every TraceHumanity certificate is digitally signed — like a notary stamping a document. This page is the public list of the cryptographic keys we use to make those signatures.
Anyone can use these keys to independently confirm a certificate is genuine — without trusting our website, our servers, or our staff.
A valid signature proves that the certificate is genuine: issued by TraceHumanity, for the specific work and creator named, on the date shown. The certificate has not been forged or altered since issuance.
A signature does not prove whether the work itself is human-made. That assessment is the job of the certificate's verification level, based on the evidence reviewed at certification time. A signature only proves the certificate exists in the form we issued it.
Each entry below is one cryptographic identity authorized to issue TraceHumanity certificates. Most platforms have a single primary key; additional keys appear here when keys are rotated or delegated to partner institutions.
Issuer ID: tracehumanity-primary
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnkwA781EOgzh23hbU1QklRJRbvFG
tpLEYfmvUqlK+WNjYhReAjE84aBqkLzIOYfMI14sGWCX5iNVI50Hg/jqfA==
-----END PUBLIC KEY-----
For software developers
If you're auditing a certificate or building a verification tool, here's exactly how the signatures are constructed. You only need standard cryptography libraries — no TraceHumanity-specific dependencies.
{certificateNumber}|{assetHash}|{level}|{ownerId}|{issuedAt}
Fields, joined with the literal | character:
certificateNumber — e.g. TH-2026-001002
assetHash — SHA-256 of the original (pre-watermark) file, lowercase hex
level — verification level, e.g. LEVEL_3
ownerId — the creator's UUID
issuedAt — ISO-8601 timestamp normalized through new Date(x).toISOString() (millisecond UTC, e.g. 2026-05-22T23:39:26.571Z)
The signature is hex-encoded DER. Use any standard ECDSA library and the public key from the registry above.
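import { createVerify, createPublicKey } from 'crypto'

// cert: the certificate record being checked
// publicKeyPem: the issuer's PEM public key from the registry above
// Rebuild the signed payload: five fields joined with the literal | character
const payload = [
  cert.certificate_number,
  cert.asset.file_hash,
  cert.level,
  cert.owner_id,
  new Date(cert.issued_at).toISOString(), // normalize to millisecond UTC
].join('|')

// ECDSA over SHA-256; cert.signature is hex-encoded DER
const v = createVerify('SHA256')
v.update(payload, 'utf8')
const ok = v.verify(createPublicKey(publicKeyPem), cert.signature, 'hex')

Programmatic access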
If you're writing software that needs to verify certificates automatically — a browser extension, a content-management plugin, a museum's provenance database — fetch the same keys and payload schema as machine-readable JSON from the endpoint below. No authentication required. Treat it as a public ledger.
GET /api/trust-registry
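For automated verification, a stricter variant of the developer snippet above is useful: it validates each field before joining, so one payload string maps to exactly one set of fields, and it rejects malformed signatures and dates instead of throwing. This is an added example, not TraceHumanity code; the function names canonicalPayload, verifyCertificate and makeSample, the field-validation rules, and the sample key pair and certificate values are assumptions constructed for illustration.

```javascript
// Added example, not TraceHumanity code: strict verifier for the payload format above.
const { createVerify, createSign, createPublicKey, generateKeyPairSync } = require('node:crypto');

// Build the signed string; throws on input that would make the '|' join ambiguous.
function canonicalPayload(cert) {
  const issued = new Date(cert.issued_at);
  if (Number.isNaN(issued.getTime())) throw new Error('issued_at is not a valid date');
  const fields = [cert.certificate_number, cert.asset.file_hash, cert.level,
    cert.owner_id, issued.toISOString()];
  for (const f of fields) {
    if (typeof f !== 'string' || f === '' || f.includes('|')) {
      throw new Error('field missing, empty, or contains the | delimiter');
    }
  }
  if (!/^[0-9a-f]{64}$/.test(cert.asset.file_hash)) {
    throw new Error('file_hash must be 64 lowercase hex characters');
  }
  return fields.join('|');
}

// Returns true only for a well-formed certificate whose signature verifies.
function verifyCertificate(cert, publicKeyPem) {
  try {
    // Node's hex decoder stops at the first non-hex character, so check the format first.
    if (typeof cert.signature !== 'string' || !/^(?:[0-9a-f]{2})+$/i.test(cert.signature)) return false;
    const key = createPublicKey(publicKeyPem);
    if (key.asymmetricKeyType !== 'ec') return false; // registry keys are ECDSA
    const v = createVerify('SHA256');
    v.update(canonicalPayload(cert), 'utf8');
    return v.verify(key, cert.signature, 'hex');
  } catch {
    return false; // malformed key, date, field or DER encoding
  }
}

// Constructed sample: throwaway P-256 key pair and made-up certificate values.
function makeSample() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const cert = {
    certificate_number: 'TH-2026-001002',
    asset: { file_hash: 'ab'.repeat(32) },
    level: 'LEVEL_3',
    owner_id: '00000000-0000-4000-8000-000000000000',
    issued_at: '2026-05-22T23:39:26.571Z',
  };
  cert.signature = createSign('SHA256').update(canonicalPayload(cert), 'utf8').sign(privateKey, 'hex');
  return { cert, pem: publicKey.export({ type: 'spki', format: 'pem' }) };
}
```

To check a real certificate, pass the PEM key published for its issuer as publicKeyPem; the sample key pair exists only so the block runs offline.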