
# Trust

Most batons just store and move content. Some need to *prove* something about it — that a document existed in a certain form at a certain time, or that an append-only log was never quietly rewritten. Baton's trust layer delivers that as two prepaid feature flags, chosen when the baton is created.

## Document-witness

`flags.witness` — a flat **$0.05** feature. When set, Baton signs the baton's content with its witness key, records the content hash, and flips the baton's trust state to `witnessed`. From that point the baton is **locked for writes** — any further write, by the owner or through a token, is rejected.

A witnessed baton can be verified by anyone, offline:

- **`GET /v1/baton/{id}/trust/proof`** — returns the signed attestation: the content hash, the signature, the witness key id, and the timestamp.
- **`POST /v1/baton/{id}/trust/challenge`** — free and unauthenticated. Submit a candidate copy of the content; Baton tells you whether its hash matches what was witnessed.

Together these let a third party confirm a document is exactly what was sealed, without trusting Relaystation and without an account.

You can order document-witness as a flag at creation, or call `POST /v1/baton/{id}/trust/document-witness` on an existing baton (the standalone call is the same $0.05). A baton that paid for the witness flag but never fired it is sealed automatically when it expires — you paid for the proof, so you get the proof.

## Chain-witness

`flags.hashChaining` — turns the baton into a tamper-evident hash chain. Every entry stores the hash of its own content, the hash of the previous entry, and a combined entry hash; the chain head is anchored on the baton. Reorder, alter, or drop an entry and the chain no longer verifies.

Chain-witness is **creation-only** — it cannot be switched on later — and it **requires** the document-witness flag. A chained baton automatically commits a prepaid witness at creation; when that witness later fires, it signs the chain head, so the signature attests to every entry's content, order, and writer. Its price scales with the baton's size.

The **LEDGER** preset is the convenient way in: it pre-enables hash chaining, so a `POST /v1/baton` with `preset=ledger` gives you a tamper-evident append-only log with one call. A chained baton rejects overwrite-style writes — the chain only grows.

## Verifying a chain

- **`POST /v1/baton/{id}/trust/verify-chain`** — free. Recomputes the whole chain and confirms every link. Valid on any baton with hash chaining enabled.
- **`GET /v1/baton/{id}/trust/proof`** — the signed attestation over the chain head.

Verification and challenge are always free; you are charged for sealing, never for checking.
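The chain structure and recomputation described above, as an added example that is not Baton's own code: a minimal local hash chain with a verifier that reports the first entry that fails. The hash algorithm (SHA-256), the rule for combining the previous hash with the content hash, the all-zero genesis value, and the field names are all assumptions, since this page does not specify them.

```python
import hashlib

GENESIS = "0" * 64  # assumed previous-hash value for the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def append_entry(chain: list, content: bytes) -> dict:
    """Append an entry carrying the three hashes the page describes."""
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    content_hash = sha256_hex(content)
    entry = {
        "content": content,
        "content_hash": content_hash,
        "prev_hash": prev,
        # Assumed combination rule: SHA-256 over prev_hash || content_hash.
        "entry_hash": sha256_hex((prev + content_hash).encode()),
    }
    chain.append(entry)
    return entry


def verify_chain(chain: list, anchored_head: str):
    """Recompute every link; return (ok, index of first bad entry or None)."""
    prev = GENESIS
    for i, e in enumerate(chain):
        content_hash = sha256_hex(e["content"])
        if e["content_hash"] != content_hash:   # content altered
            return False, i
        if e["prev_hash"] != prev:               # reordered or entry dropped
            return False, i
        if e["entry_hash"] != sha256_hex((prev + content_hash).encode()):
            return False, i
        prev = e["entry_hash"]
    # A truncated tail still links correctly, so compare with the anchored head.
    if prev != anchored_head:
        return False, len(chain)
    return True, None


def build_sample():
    """Constructed sample log, not real Baton data."""
    chain = []
    for line in (b"open account", b"deposit 100", b"withdraw 40"):
        append_entry(chain, line)
    return chain, chain[-1]["entry_hash"]
```
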
