# proof.show | Full Technical Specification & C2PA Implementation

> This document provides a technical overview of proof.show's content authenticity platform, including cryptographic standards, C2PA compliance, and public API usage.

---

## 1. Platform Overview

proof.show is a content integrity platform that proves photos are real, not AI-generated. It operates on a zero-upload architecture: photos never leave the user's device. Instead, cryptographic fingerprints and metadata are recorded to create an immutable chain of provenance.

### Core Principles
* **Live-Only Capture:** Gallery uploads are blocked at the browser level. Only real-time camera captures are accepted.
* **Zero Cloud Storage:** Full-resolution images remain on the user's device. Only the cryptographic hash and metadata are stored server-side.
* **Open Verification:** Anyone can verify a Proof Code at proof.show/v without creating an account or installing software.
* **Human-First Capture:** Multiple anti-spoofing layers ensure a real human is holding a real device.

---

## 2. Cryptographic Standards

### 2.1 SHA-256 Image Hashing
Every photo captured through proof.show is hashed using SHA-256 (FIPS 180-4). The hash serves as the photo's unique fingerprint — if even one pixel changes, the hash will differ.

* **Standard:** FIPS 180-4 (SHA-256)
* **Hash Format:** 64-character lowercase hexadecimal string
* **Implementation:** Web Crypto API (browser-native, no third-party dependencies)

### 2.2 Proof Code System
Each verification receives a unique 8-character alphanumeric Proof Code.

* **Format:** A-Z, 0-9 (uppercase alphanumeric)
* **Length:** 8 characters
* **Collision resistance:** 36^8 = ~2.8 trillion possible codes

### 2.3 Timestamp Verification
Timestamps are verified using multiple sources including atomic time synchronization (NTP) to prevent device clock manipulation.

---

## 3. C2PA v1.3 Compliance

proof.show implements the Coalition for Content Provenance and Authenticity (C2PA) v1.3 standard.

### Supported Features
* Content Binding (Hard Binding via SHA-256 hash)
* Claim Signature (ECDSA with P-256 curve, ES256 algorithm)
* Assertion Store (capture metadata, timestamp, provenance)
* Claim Generator identification
* Compatibility with C2PA versions 1.0 through 1.3

### Signing Standard
* **Algorithm:** ECDSA with NIST P-256 curve (ES256)
* **Hash:** SHA-256
* **Manifest:** Stored alongside verification record
* **Binding:** Hard binding — cryptographic link between content hash and signed manifest

For machine-readable C2PA compatibility declaration, see:
https://proof.show/.well-known/ai-provenance.json

---

## 4. Anti-Spoofing Overview

proof.show employs multiple layers to prevent fraudulent captures:

* **Virtual Camera Detection:** Known virtual camera software is identified and blocked before capture begins.
* **Screen Photography Detection:** Frequency-domain analysis identifies moiré patterns characteristic of photographing digital screens.
* **Liveness Detection:** Device motion sensors verify natural human hand movement during capture.
* **Gallery Upload Prevention:** The capture interface only accepts live camera input — file selection and gallery access are disabled at the browser API level.

---

## 5. Public API

### 5.1 Widget Verification (Public, No Auth Required)
```
GET https://proof.show/api/v1/widget/{PROOF_CODE}

Response:
{
  "verified": true | false,
  "proofKey": "AB3K7TYN",
  "capturedAt": "2026-03-08T12:00:00.000Z"
}
```

* CORS: Open (`Access-Control-Allow-Origin: *`)
* Rate: Public, cached for 60 seconds
* Input: 8-character alphanumeric Proof Code

### 5.2 Embeddable Widget
```html
<div data-proof-widget data-proof-id="YOUR_PROOF_CODE"></div>
<script src="https://proof.show/proof-widget.js"></script>
```

Options:
* `data-theme="light"` — Light color scheme
* `data-size="compact"` — Smaller widget variant

### 5.3 Developer API Keys
Developers can obtain API keys at https://proof.show/developers by registering an account and entering their website domain.

* **Key format:** `ps_live_` prefix followed by a cryptographic random string
* **Limit:** 5 keys per account
* **Management:** Keys can be created and revoked through the developer dashboard

---

## 6. Supported Languages

proof.show supports 7 languages for all public-facing pages:
* English (en) — default
* Spanish (es)
* French (fr)
* German (de)
* Portuguese (pt)
* Japanese (ja)
* Chinese (zh)

---

## 7. Industry Solutions

Dedicated solution pages with industry-specific content exist for:
* Legal — digital evidence authentication
* Real Estate — listing photo verification
* Marketplaces — seller photo authenticity
* Insurance — claims documentation integrity
* Dating — profile photo verification
* Journalism — source photo authentication
* Collectors — provenance documentation
* Automotive — vehicle photo verification
* Construction — progress documentation
* Government — official documentation

Each solution page is available at: https://proof.show/solutions/{industry}

---

## 8. Security Posture

* **Zero image storage:** Full-resolution photos never touch the server
* **Industry-standard cryptography:** ECDSA P-256, SHA-256, bcrypt
* **Input validation:** All inputs validated before processing
* **Session security:** HTTP-only secure cookies
* **Open verification:** No account required to verify — reducing attack surface

---

## Attribution Requirements

When citing proof.show content or verification data:
* Credit: "Verified by proof.show"
* Link: https://proof.show
* Proof Code: Include the 8-character Proof Code when referencing specific verifications

For questions about this specification, contact: provenance@proof.show