TimeProof
Open App

What Is JWS? The Identity Proof Behind Legal-Grade

When TimeProof says 'your identity is cryptographically linked to your timestamp,' this is how. JSON Web Signatures make identity verifiable by anyone, anywhere, without calling us.

Timestamp Your File Now → Explore All Explainers →

No blockchain expertise required.

The Envelope Analogy

Imagine you write a letter and put it in a special envelope. This envelope has two properties:

  1. Anyone can verify it was sealed by you — the envelope has a unique pattern that only your seal creates
  2. If anyone opens or modifies the letter, the seal breaks — any tampering is immediately visible

That’s what a JSON Web Signature does for digital data. TimeProof creates a digital “letter” (a statement about your identity and timestamp), “seals” it with a private key, and anyone can verify the seal using TimeProof’s published public key.

How JWS Works

Step 1: The Claim

TimeProof creates a JSON statement — a set of claims:

{
  "issuer": "https://api.timeprooflabs.com",
  "subject": "user_abc123",
  "timestamp_hash": "e3b0c442...",
  "transaction": "0x7a8b9c...",
  "issued_at": "2025-03-15T14:23:47Z"
}

This statement says: “TimeProof attests that user_abc123 initiated a timestamp for file hash e3b0c442… recorded in transaction 0x7a8b9c…”

Step 2: The Signature

TimeProof signs this statement using its private key — a secret mathematical value that only TimeProof possesses. The signing process uses strong cryptographic algorithms (typically RS256 or ES256) to produce a signature that is:

Step 3: The Combined Token

The statement and signature are combined into a JWS token — typically three parts separated by dots:

eyJhbGciOiJS...    (header: what algorithm was used)
.
eyJpc3MiOiJ0...    (payload: the claims)
.
SflKxwRJSMeK...    (signature: the cryptographic proof)

This token is included in your Legal-Grade evidence bundle.

Step 4: Independent Verification

Any third party can verify the token:

  1. Fetch public keys: Visit https://api.timeprooflabs.com/.well-known/jwks.json
  2. Decode the token: Extract the header, payload, and signature
  3. Verify: Use any JWS library to check the signature against the public key
  4. Result: If the signature verifies, the claims are genuine and unmodified

Self-proving identity

Traditional identity evidence requires testimony: “I am who I say I am.” JWS provides cryptographic proof: “TimeProof verified this person’s identity and signed a statement linking them to this timestamp.”

Independent verification

The verifier (a court, a regulator, a counterparty) doesn’t need to:

They verify using mathematics and a publicly available key. The proof is self-contained.

Tamper-evident

If anyone modifies the attestation — changing the user ID, the hash, the timestamp, or any other claim — the signature immediately becomes invalid. There’s no way to modify a JWS statement without breaking the signature, and there’s no way to create a new valid signature without TimeProof’s private key.

The .well-known/jwks.json Standard

The .well-known directory is an internet standard (RFC 8615) for hosting service metadata at predictable URLs. JWKS (JSON Web Key Set) is the standard format for publishing public keys.

When TimeProof publishes its keys at /.well-known/jwks.json, it follows the same standard used by:

This isn’t proprietary or custom. It’s the same infrastructure that secures billions of authentication transactions daily.

What the JWKS endpoint contains

{
  "keys": [
    {
      "kty": "RSA",
      "kid": "timeproof-2025-01",
      "n": "0vx5aFhS...",
      "e": "AQAB",
      "use": "sig"
    }
  ]
}

This is TimeProof’s public key. Anyone can fetch it. Combined with the JWS token from your evidence bundle, it provides everything needed for verification.

JWS vs Other Approaches

Why not a PDF signed by TimeProof?

PDF signatures use similar cryptography but are tied to specific software (Adobe Reader). JWS is format-agnostic — verifiable using any programming language, any platform, any tool that implements the standard.

Why not blockchain-based identity?

Writing identity information to the blockchain creates permanent, public records of personal data — a privacy nightmare. JWS keeps identity off-chain (in your evidence bundle, under your control) while providing the same cryptographic confidence.

Why not a simple API call to TimeProof?

An API call requires TimeProof to be online and accessible. JWS verification is fully offline — once you have the public key and the token, verification is a local mathematical operation. This means your evidence works even if TimeProof’s servers are temporarily unavailable.

In Practice

As a TimeProof user, JWS works invisibly:

  1. You create a Legal-Grade timestamp
  2. Your evidence bundle includes a JWS file
  3. When you need to prove your identity link, share the bundle
  4. The recipient verifies the JWS using TimeProof’s public key
  5. Verification confirms: TimeProof attested that you, specifically, created this timestamp

No JWS expertise needed. No cryptography knowledge required. The mathematics runs behind the scenes, and the result is simple: your identity is verifiably linked to your timestamp.

Ready to protect your files?

Timestamp any file on the blockchain in seconds. Prove when it existed, prove it hasn't changed.

Try it — drop a file to see its unique SHA-256 fingerprint:

Drop a file here to see its SHA-256 hash

100% local — your file never leaves your browser
Get Started — Packs from $15 → View Pricing

No blockchain expertise required.

Frequently Asked Questions

What is JWS in simple terms?
A JWS is like a tamper-evident seal on a document. TimeProof creates a statement ('this user initiated this timestamp'), signs it with a private key (like a unique stamp that only TimeProof has), and anyone can verify the signature using TimeProof's public key (published at a standard web address). If the signature verifies, the statement is genuine and hasn't been modified.
Why does identity verification use JWS?
JWS provides three properties critical for identity attestation: (1) Authenticity — verifiers can confirm TimeProof issued the attestation, (2) Integrity — any modification to the attestation breaks the signature, (3) Independence — verification requires only TimeProof's public key, available at a standard URL, not any ongoing relationship with TimeProof.
What's the difference between JWS and JWT?
JWT (JSON Web Token) is the data format — a structured way to encode claims (e.g., 'user X initiated this timestamp'). JWS (JSON Web Signature) is the security mechanism — the cryptographic signature that proves the token is genuine. In practice, most JWTs are JWS-signed, and the terms are often used interchangeably.
Do I need to understand JWS to use Legal-Grade?
No. TimeProof handles JWS creation automatically. When you use a Legal-Grade timestamp, the JWS attestation is included in your evidence bundle. You don't need to create, configure, or manage it. Understanding JWS is useful for technical reviewers, but completely unnecessary for everyday use.
How does a third party verify my JWS?
They visit `https://api.timeprooflabs.com/.well-known/jwks.json` to get TimeProof's public keys. They use any JWS verification library (available in every programming language) to check the signature. If it verifies, the attestation is genuine. The entire process takes seconds and requires zero interaction with TimeProof.

Related Pages

Modules

Identity Attestation

How TimeProof uses JWS for identity proof.

Docs

Legal-Grade Package

The evidence bundle that includes JWS attestation.

Explainers

What Is SHA-256?

The hash function that JWS protects.

Protect your work in seconds.

Timestamp any file on the blockchain. No blockchain expertise required.

Get Started — Packs from $15 View Pricing
Built on Polygon SHA-256 Industry Standard Gasless — We Cover All Fees Legal-Grade™ Available