GRAVEN
Graven · Documentation

How Graven works

Graven is a tamper-evidence platform for documents. It lets you anchor a file on a public blockchain, optionally watermark it so copies stay traceable, and verify at any time whether a file is the one you registered.

TL;DR. Upload a file → we record a one-way fingerprint of it on-chain → anyone who later receives the file can confirm it is authentic, unchanged, and not revoked.

How it works

Graven never stores your file unless you explicitly ask us to. We work with a cryptographic fingerprint of your document called a SHA-256 hash: a 64-character string that is unique to the exact bytes of that file. Change a single pixel, comma, or byte, and the fingerprint changes completely.

  1. You upload a file. Your browser sends it to our server over HTTPS.
  2. (Optional) We embed an invisible watermark. For images, PDFs, and text, we can hide a short identifier inside the file itself so even copies remain traceable.
  3. We compute the fingerprint of the final bytes.
  4. We anchor it on Polygon (a public blockchain). The fingerprint, the time, your account address, and whether the record is revocable get recorded in a smart contract.
  5. You distribute the file however you normally would — email, signed PDF, shared link, printed copy.
  6. Anyone can verify it later by dropping the file (or just its hash) into our public verify page. They do not need an account.
We anchor a hash, not the file. Even Graven cannot reconstruct your document from what is on-chain. The hash is a one-way function: easy to compute, impossible to reverse.

Features

Anchor

Register any file (PDF, image, contract, spreadsheet, archive, anything) on Polygon. Choose revocable if you might need to cancel it later, or irrevocable for permanent records like diplomas.

Invisible watermark

Embed a short ID inside images (DCT-domain), PDFs, and plain text (zero-width characters). The watermark survives common operations like screenshots being saved and re-uploaded, copy/paste of text, and most lossless edits.

Public verification

Anyone — even people without an account — can drop a file into the verify page and instantly see whether it is anchored, who anchored it, and whether it has been revoked.

Encrypted storage (opt-in)

If you want, we can also keep an encrypted copy of the file in object storage so you can re-download it later. Off by default.

API keys

Generate tokens to anchor and verify documents from your own backend or CLI. Same operations as the portal, just programmatic.

Activity log

Every state-changing action (anchor, revoke, key creation, download) is logged with timestamp, IP, and user agent.

Using the portal

Sign in

Sign-in is handled by Clerk. You can use email + password, passwordless magic links, or a connected social account, depending on what your administrator has enabled. You only need an account to anchor or manage documents. Verification is public.

Anchor a document

Go to /anchor. Choose the file and pick:

  • TypeRevocable records can be cancelled later by you (the issuer). Irrevocable records are permanent and cannot be undone, by anyone, ever. Use irrevocable only when the document is final.
  • Embed invisible watermark — modifies the file before hashing so the watermark and the anchor describe the same bytes. You will be offered a download of the watermarked copy, which is the one you should distribute.
  • Watermark modeAuto-detect picks the right algorithm from the file's MIME type. Force image/text/PDF only if you know the auto guess is wrong.
  • Store an encrypted copy — only available if you opted into storage in Settings.
Anchoring writes a transaction to Polygon. It is permanent for irrevocable documents and the underlying record itself cannot be deleted — only marked revoked.

View documents

/dashboard lists every document you have anchored, newest first. Click one to see its hash, transaction hash, block number, issuer address, and status. From the detail page you can revoke (if revocable and not already revoked) and download (if you stored an encrypted copy).

Revoke

Revoking a revocable document does not remove the anchor — the original record stays on-chain forever. Instead, a second transaction marks it revoked, and from that moment on, anyone verifying the file will see status REVOKED with the revocation timestamp. Use this when a document is superseded, leaked, or invalidated.

Verification

Anyone can verify a file at /verify without signing in. Two ways:

  • Drop the file. Your browser uploads it to our server. We first try to extract a watermark; if found, we resolve to the original anchored hash even if the bytes were modified. Otherwise we fall back to hashing the file directly.
  • Paste the SHA-256 hash. Useful if you already computed the hash yourself and do not want to share the file.

Result statuses

  • ANCHORED

    The file matches a registered hash and has not been revoked. You will also see the issuer's blockchain address, the original filename, the issuance time, and (if available) the uploader's email.

  • REVOKED

    The file was anchored at some point but the issuer has since revoked it. Treat the document as no longer valid.

  • NOT REGISTERED

    The hash is not on-chain. Either the file has been modified (even a single byte), or it was never anchored in the first place.

If the badge says Resolved via embedded watermark, the bytes you uploaded do not exactly match the anchored hash — the match was made through the hidden watermark inside the file. The watermark proves provenance even when the file has been rescaled, recompressed, or had text copy-pasted.

API keys

From /api-keys you can create tokens to drive Graven from your own code. Keys look like:

dik_live_a1b2c3d4e5f6…  (64 hex chars after the prefix)
  • The plaintext is shown exactly once when you create it. We only ever store a hash of the key — if you lose it, revoke it and create a new one.
  • Revoked keys stop working immediately but are kept in your audit log.
  • Send the key as Authorization: Bearer dik_live_….

Example

curl -X POST https://<your-graven-host>/v1/programmatic/documents \
  -H "Authorization: Bearer dik_live_…" \
  -F "file=@./contract.pdf" \
  -F "doc_type=revocable"

Encrypted storage

Graven's core promise is provability, not storage — by default we only keep the on-chain fingerprint and metadata, never your bytes. If you want a managed copy as well, you can opt in from Settings. Two gates apply:

  1. You must enable storage on your account once.
  2. For each upload, you must tick “Store an encrypted copy.” The toggle is off by default to avoid accidental uploads of sensitive material.

Files are stored with server-side encryption (SSE) in object storage. Download links are short-lived (≈ 5 minutes) and bound to your account.

Technical concepts

What is a hash?

A SHA-256 hash is a deterministic, fixed-length fingerprint of any input. Identical inputs always yield identical hashes; different inputs almost certainly yield different hashes. It is computationally infeasible to (a) reverse a hash back to the original file or (b) construct a second file that hashes to the same value. That is why anchoring a hash is equivalent to anchoring the file's identity without revealing its contents.

What is anchoring?

Anchoring means writing the hash to a public blockchain. We use Polygon — an Ethereum-compatible network — because it is fast, cheap, and globally readable. The record is stored in a smart contract that anyone in the world can independently query. Graven does not need to be online for verification to succeed; the proof lives on the chain.

Revocable vs. irrevocable

We deploy two separate smart contracts:

  • Irrevocable — once written, the record is permanent and immutable. Suitable for credentials, diplomas, published articles, audit reports.
  • Revocable — the issuer (and only the issuer) can later mark the record revoked. The original anchor still exists; the revocation is a second event layered on top. Suitable for contracts, policies, anything that may be superseded.

What is the watermark?

A watermark embeds a short identifier into the file in a way that is invisible to humans but detectable by software:

  • Images / PDFs — we modulate certain frequency coefficients in the discrete cosine transform (DCT) of the image. The visible image is unchanged to the eye but a short ID can be extracted later, even after re-saving as JPEG or taking a screenshot.
  • Plain text — we insert zero-width Unicode characters between letters. They render as nothing but survive copy/paste in most editors and messaging apps.

Watermarking is complementary to anchoring. The anchor proves “these exact bytes are registered.” The watermark proves “this content, even if rescaled or recompressed, traces back to the registered record.”

Architecture, in one diagram

Browser  ──HTTPS──►  Portal (Next.js)  ──►  BFF (Go)  ──►  Polygon
                                              │
                                              ├──►  Watermark service
                                              └──►  Encrypted storage (opt-in)

The browser never talks to the blockchain directly. The BFF (backend-for-frontend) holds the credentials, brokers the transactions, and is the only component allowed to spend gas.

Edge cases

I re-saved the file and now it does not verify.

Any modification — even opening a PDF and saving it back with no visible change — alters the bytes and therefore the hash. If you anchored without a watermark, the saved-out copy will read NOT REGISTERED. With a watermark, the verify page will fall back to watermark extraction and still resolve to the original anchor.

I uploaded the same file twice.

The BFF detects this and returns the existing record instead of creating a duplicate transaction. You will not be charged twice and you will not see two rows on the dashboard.

A revoked document still shows in the dashboard.

That is intentional. The on-chain record is permanent; revocation is an additional state, not a deletion. The dashboard marks it revoked and the public verify badge turns amber.

My screenshot of a watermarked image does not extract.

DCT watermarks survive most JPEG/PNG re-encoding but can be lost if the image is heavily cropped, recolored, drawn over, or shrunk below the algorithm's minimum resolution. When extraction fails, the verifier falls back to hash matching.

Zero-width watermarks disappeared from my text.

Some platforms (Twitter, certain Markdown renderers, sanitizing email gateways) strip non-printing characters. If your distribution channel does that, prefer anchoring the file itself rather than relying on text-watermark extraction.

I anchored an irrevocable document by mistake.

There is no undo. The record is permanent. The best you can do is anchor a corrective document and reference it out-of-band. Use irrevocable mode only when you are sure.

My API key leaked.

Revoke it immediately from /api-keys. The next request using that key will fail. Create a new one and rotate it in your application.

The blockchain transaction is taking a while.

Polygon is normally a few seconds. During network congestion it can take longer. Until the transaction is mined, the dashboard shows the document as pending and verification of that exact hash may return NOT REGISTERED. Refresh after a minute.

The verifier sees a different filename than I uploaded.

Filenames are metadata stored by the uploader's BFF account, not on-chain. If the file passes through multiple hands or someone re-anchors it, the displayed filename reflects the most recent anchor for that hash.

Two different files produced the same hash.

This has never happened with SHA-256 in practice and is considered cryptographically infeasible. If you ever see it, contact us — it is more likely a bug in the upload than an actual collision.

FAQ

Do you see my document?
Only transiently. We receive the file to compute its hash and (if you enabled them) to embed a watermark or store an encrypted copy. If you did not opt into storage, we discard the bytes immediately after hashing.
Do you upload my document to the blockchain?
No. Only the 32-byte hash, the type, the issuer address, and the timestamp are written on-chain. The blockchain is public — putting the actual document there would be a privacy disaster.
Can someone reconstruct my document from the hash?
No. SHA-256 is one-way. The hash leaks no information about the file's contents.
What does it cost?
Anchoring writes a transaction to Polygon, which costs a small amount of MATIC (gas). Costs are absorbed by your operator according to your pricing plan; the portal does not surface a per-document fee.
Is verification free?
Yes. Verifying is read-only against the public chain and does not require an account.
Which file types are supported?
Anchoring works for any file type — we just hash the bytes. Watermarking is currently supported for common image formats (PNG, JPEG), PDFs, and plain text. Other formats can still be anchored without watermarks.
Is the watermark robust to printing and rescanning?
Partially. DCT watermarks survive moderate JPEG re-encoding and rescaling. Print → scan typically destroys them. For print-and-resign workflows, rely on hash anchoring of the final scanned PDF.
Can I delete a document?
You cannot delete the on-chain anchor. You can revoke a revocable record, and you can delete the encrypted stored copy (if you opted in) from the document detail page. Hash and transaction stay public forever.
What happens if Graven goes away?
Your anchors remain on Polygon and remain verifiable by any Ethereum-compatible RPC client and the contract ABI. The smart contract source is public and reproducible from your records.
Why Polygon and not Bitcoin or Ethereum mainnet?
Polygon offers fast confirmations and very low fees while remaining a public, decentralized, Ethereum-compatible chain. The choice keeps anchoring economical at scale without sacrificing verifiability.
Can I anchor on my own chain or contract?
That is an operator-level decision. The smart contracts are open and can be redeployed on any EVM-compatible network. Ask your operator if you need a private deployment.
How do I prove a document was mine on a given date?
Share the document and its anchor record (transaction hash and block number from the document detail page). Anyone with a Polygon RPC can independently verify the hash was registered by your issuer address at that block's timestamp.
Can two accounts anchor the same file?
Yes. The same hash can be registered by different issuers; each anchor is independent. Verification will surface whichever record(s) exist on-chain.
Is my account secure?
Authentication is handled by Clerk, which supports MFA and passwordless sign-in. The portal itself never sees your password. API keys are stored only as hashes, so even if our database leaked, your keys cannot be recovered from it.

Still stuck? Reach out to your account administrator, or try the public verify page to confirm a single file without an account.