Relaystation

Trust

Most batons just store and move content. Some need to prove something about it — that a document existed in a certain form at a certain time, or that an append-only log was never quietly rewritten. Baton’s trust layer delivers that as two prepaid feature flags, chosen when the baton is created.

Document-witness

flags.witness — a flat $0.05 feature. When set, Baton signs the baton’s content with its witness key, records the content hash, and flips the baton’s trust state to witnessed. From that point the baton is locked for writes — any further write, by the owner or through a token, is rejected.

A witnessed baton can be verified by anyone, offline:

  • GET /v1/baton/{id}/trust/proof — returns the signed attestation: the content hash, the signature, the witness key id, and the timestamp.
  • POST /v1/baton/{id}/trust/challenge — free and unauthenticated. Submit a candidate copy of the content; Baton tells you whether its hash matches what was witnessed.

Together these let a third party confirm a document is exactly what was sealed, without trusting Relaystation and without an account.

You can order document-witness as a flag at creation, or call POST /v1/baton/{id}/trust/document-witness on an existing baton (the standalone call is the same $0.05). A baton that paid for the witness flag but never fired it is sealed automatically when it expires — you paid for the proof, so you get the proof.

Chain-witness

flags.hashChaining — turns the baton into a tamper-evident hash chain. Every entry stores the hash of its own content, the hash of the previous entry, and a combined entry hash; the chain head is anchored on the baton. Reorder, alter, or drop an entry and the chain no longer verifies.
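
A small local model of such a chain, added here as an illustration and not Baton's own code. SHA-256, the field names (writer, contentHash, prevHash, entryHash), the all-zero genesis value and the length-prefixed way the entry hash is combined are all assumptions, since this page does not specify Baton's encoding.

```python
import hashlib

GENESIS = "0" * 64  # assumed prevHash for the first entry


def h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(writer: str, content_hash: str, prev_hash: str) -> str:
    # Assumed combination: length-prefix each field so boundaries are unambiguous.
    parts = [writer.encode(), content_hash.encode(), prev_hash.encode()]
    return h(b"".join(len(p).to_bytes(4, "big") + p for p in parts))


def append(chain: list, writer: str, content: bytes) -> str:
    """Append an entry and return the new chain head."""
    prev = chain[-1]["entryHash"] if chain else GENESIS
    ch = h(content)
    chain.append({"writer": writer, "content": content, "contentHash": ch,
                  "prevHash": prev, "entryHash": entry_hash(writer, ch, prev)})
    return chain[-1]["entryHash"]


def verify_chain(chain: list, anchored_head: str):
    """Recompute every link against the anchored head. Returns (ok, reason)."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if h(e["content"]) != e["contentHash"]:
            return False, f"entry {i}: content altered"
        if e["prevHash"] != prev:
            return False, f"entry {i}: broken link"
        if entry_hash(e["writer"], e["contentHash"], e["prevHash"]) != e["entryHash"]:
            return False, f"entry {i}: entry hash mismatch"
        prev = e["entryHash"]
    if prev != anchored_head:
        return False, "head mismatch"
    return True, "ok"


if __name__ == "__main__":
    log = []  # constructed sample entries
    for writer, body in [("alice", b"open"), ("bob", b"debit 10"), ("alice", b"close")]:
        head = append(log, writer, body)
    print(verify_chain(log, head))       # intact chain
    print(verify_chain(log[:-1], head))  # tail dropped: caught only by the anchored head
```

The last case shows why the head must be anchored and signed: a truncated or fully recomputed chain is internally consistent, and only the comparison with the head exposes it.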

Chain-witness is creation-only — it cannot be switched on later — and it requires the document-witness flag. A chained baton automatically commits a prepaid witness at creation; when that witness later fires, it signs the chain head, so the signature attests to every entry’s content, order, and writer. Its price scales with the baton’s size.

The LEDGER preset is the convenient way in: it pre-enables hash chaining, so a POST /v1/baton with preset=ledger gives you a tamper-evident append-only log with one call. A chained baton rejects overwrite-style writes — the chain only grows.

Verifying a chain

  • POST /v1/baton/{id}/trust/verify-chain — free. Recomputes the whole chain and confirms every link. Valid on any baton with hash chaining enabled.
  • GET /v1/baton/{id}/trust/proof — the signed attestation over the chain head.

Verification and challenge are always free; you are charged for sealing, never for checking.