How can TimeProof timestamp my file without seeing it?

TimeProof doesn't need your file — it only needs the hash. The SHA-256 hash is a 64-character fingerprint that uniquely identifies your file but reveals nothing about its contents. Computing this hash happens entirely in your browser using the Web Crypto API. Only the hash (64 characters) is sent to TimeProof's servers, not the file itself (which could be gigabytes).

What is the Web Crypto API?

The Web Crypto API is a browser-native interface for cryptographic operations, standardized by the W3C. It provides hardware-accelerated SHA-256 hashing that runs entirely in your browser's sandbox — no extensions, plugins, or downloads needed. It's the same API that secures HTTPS connections, password hashing, and other security-critical browser operations.

Can TimeProof reverse the hash to see my file?

No. SHA-256 is a one-way function — computing the hash from a file is easy, but going from hash back to file is computationally infeasible. Even with unlimited computing power, you can't reconstruct a file from its hash. The hash reveals nothing about file contents, size, type, or name.

What about network inspection?

All communication between your browser and TimeProof's servers uses HTTPS (TLS encryption). Even if someone inspects network traffic, they see encrypted data. But more importantly, the file data never enters the network request — only the 64-character hash is transmitted. There's nothing to intercept.

Can I verify that my file isn't being uploaded?

Yes. Open your browser's Developer Tools (F12), go to the Network tab, and watch what happens when you hash a file. You'll see a small request containing only the hash string — no file data. The request size will be a few hundred bytes regardless of whether your file is 1KB or 10GB.

Client-Side Hashing: Why Your Files Never Leave Your Device

The Privacy Architecture

Most online services that process your files require you to upload them. Cloud storage, document signing, image editing — they all need access to your actual data.

TimeProof is fundamentally different. The service needs only one thing from your file: its SHA-256 hash — a 64-character hexadecimal string that uniquely identifies the file.

This hash is computed entirely in your browser before anything is sent to TimeProof’s servers.

How Client-Side Hashing Works

Step 1: File Selection

You drag a file onto the TimeProof interface or click to browse. The file is loaded into your browser’s memory — a local operation that doesn’t involve any network request.

Step 2: Hash Computation

The browser’s Web Crypto API processes the file:

// Simplified version of what happens
const buffer = await file.arrayBuffer();
const hashBuffer = await crypto.subtle.digest(
  'SHA-256', buffer
);
const hashArray = Array.from(new Uint8Array(hashBuffer));
const hashHex = hashArray
  .map(b => b.toString(16).padStart(2, '0'))
  .join('');
// Result: 64-character hex string like
// "e3b0c44298fc1c149afbf4c8996fb924..."

This runs entirely in your browser’s JavaScript runtime. The Web Crypto API uses your device’s native cryptographic hardware when available, making it fast even for large files.

Step 3: Hash Transmission

Only the 64-character hex string is sent to TimeProof’s API. The request payload is approximately 200 bytes — the same size regardless of whether your file is a 50KB document or a 50GB video.

Step 4: File Stays Local

Your file remains in browser memory only for the duration of the hash computation. It’s never serialized, never attached to a network request, never stored in any cache.

What This Means for You

Confidential documents are safe

Timestamping a confidential business plan, an unreleased product design, or a legal document doesn’t expose it to any third party. TimeProof’s servers literally cannot access your file because it was never transmitted.

Large files work fine

Hashing a 10GB video file produces the same 64-character hash as hashing a 10KB text file. The hash computation takes longer for larger files (proportional to file size), but the network transmission is identical — just the hash.

No storage costs

Since files aren’t uploaded, there are no storage costs. This is why TimeProof can support low-cost scheduled and instant timestamping through a unified credit system - the infrastructure only needs to handle small hash values, not the files themselves.

Offline verification is possible

Since you keep your original file, you can re-compute its hash at any time using any SHA-256 tool — online or offline. Your file is the key, and you hold it.

The Web Crypto API

The Web Crypto API (window.crypto.subtle) is a W3C standard implemented in all modern browsers:

Browser	Support
Chrome	Full (since v37)
Firefox	Full (since v34)
Safari	Full (since v11)
Edge	Full (since v79)

The API provides:

Hardware acceleration: Uses CPU’s AES-NI instruction set when available
Sandbox isolation: Runs in the browser’s security sandbox
Async processing: Non-blocking computation that doesn’t freeze the UI
Standard compliance: Produces identical hashes to OpenSSL, sha256sum, Python’s hashlib, and every other compliant implementation

Performance benchmarks

File Size	Approximate Hash Time
1 MB	Under 10ms
100 MB	~200ms
1 GB	~2 seconds
10 GB	~20 seconds

These times vary by device CPU, but the Web Crypto API is remarkably fast due to hardware acceleration.

Verifying It Yourself

Don’t take our word for it. You can verify that client-side hashing works as described:

Method 1: Browser Network Tab

Open Developer Tools (F12 in most browsers)
Go to the Network tab
Hash a file in TimeProof
Inspect the outgoing request — you’ll see a small JSON payload containing only the hash, metadata, and authentication token. No file data.

Method 2: Cross-Check the Hash

Hash a file using TimeProof’s web interface
Hash the same file using a command-line tool:
- Windows: certutil -hashfile yourfile SHA256
- macOS/Linux: sha256sum yourfile
- Python: python -c "import hashlib; print(hashlib.sha256(open('yourfile','rb').read()).hexdigest())"
The hashes will be identical — proving TimeProof computed the same standard SHA-256 hash

Method 3: Disconnect and Hash

Load the TimeProof web interface
Disconnect from the internet (airplane mode)
Select a file to hash
The hash will still be computed — because it happens locally
(The timestamp step will fail because it needs the server, but the hash computation works offline)

Security Properties

Zero-knowledge of file contents

TimeProof’s servers have zero knowledge of your file’s contents, format, name, or purpose. They receive a 64-character hash that could represent any file in existence.

No data breach risk for file contents

Since files are never transmitted or stored, a breach of TimeProof’s servers would not expose any user files. The hashes stored in the database reveal nothing about the underlying files.

Tamper-evident by design

If anyone modifies your file by even a single bit, the hash changes completely (SHA-256’s avalanche effect). This means the file either matches the hash perfectly or it doesn’t — there’s no partial match or “close enough.”

Standard cryptography

SHA-256 is not TimeProof’s invention. It’s a NIST standard (FIPS 180-4) used universally in security: HTTPS certificates, Bitcoin, password hashing, file integrity checking, digital signatures, and more. Its security properties are extensively studied and trusted by the global cryptographic community.

Client-Side Hashing: Your Files Never Leave Your Device