March 19, 2026

Guillermo Weinmann

How TLSNotary mints verifiable claims

Imagine a world where anyone or their agent can stake a verifiable claim without exposing private information.

What's a verifiable claim?

Examples:
  • Prove you're over 21
  • Prove you have a positive balance in your bank account
  • Prove you're employed by Acme Rockets Corp.

Should you reveal other aspects of your identity in order to stake any of these claims? Why share your home address, your driver's license number, your bank account balance and your salary, just to rent a kayak?

TLSNotary enables verifiable claims without proof of identity. The spec can be applied to you or your autonomous agent.

How TLSNotary works

The Notary participates in the TLS handshake via a Prover.

The Prover is a browser plugin or a WebAssembly (Wasm) module that runs on a customer's device. Neither the Prover nor the Notary holds the full set of TLS keys, and the Notary has zero chance of ever seeing the plaintext.

The Notary is mechanical in nature. With the Prover, the Notary jointly computes key shares, jointly verifies MACs, and independently signs a commitment about the session. It notarizes that the session was valid using cryptography. The Notary can sign this without seeing what it's notarizing because it's only signing that the session between the bank and the customer is a session between the bank and the customer.

The Customer Gets to Decide Which Claim to Prove

For example, I claim that I have $100 at XYZ bank and I do not need to share how much I have in my account in order to make my claim. I am the customer and I own the Prover. The Prover runs on the customer's device, and it is my device.
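The commit, sign and selectively reveal flow described above, as an added Python sketch that is not TLSNotary's own code. It assumes a salted SHA-256 commitment per transcript chunk and uses an HMAC as a stand-in for the Notary's public-key signature; the server name, chunk contents and function names are constructed for illustration, and the joint key computation that ties the commitments to a real TLS session is not modeled.

```python
import hashlib
import hmac
import secrets

def commit(chunk: bytes, salt: bytes) -> bytes:
    # Random salt stops a verifier from guessing low-entropy hidden chunks.
    return hashlib.sha256(salt + chunk).digest()

def prover_commit(chunks):
    # Prover: runs on the customer's device; only commitments leave it.
    salts = [secrets.token_bytes(16) for _ in chunks]
    return salts, [commit(c, s) for c, s in zip(chunks, salts)]

def notary_sign(key: bytes, server: str, commitments) -> bytes:
    # Notary: attests to server name + commitments, never chunks or salts.
    # Assumption: HMAC stands in for the Notary's public-key signature.
    name = server.encode()
    msg = len(name).to_bytes(2, "big") + name + b"".join(commitments)
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify_claim(key, server, commitments, tag, index, chunk, salt) -> bool:
    # Verifier: the attestation must be genuine, then the opened chunk
    # must match the commitment at its position.
    if not hmac.compare_digest(notary_sign(key, server, commitments), tag):
        return False
    if not 0 <= index < len(commitments):
        return False
    return hmac.compare_digest(commit(chunk, salt), commitments[index])

# Constructed sample: a response from a hypothetical HR server, in chunks.
SERVER = "hr.example"
CHUNKS = [b'{"name":"A. Customer",', b'"salary":123456,',
          b'"employer":"Acme Rockets Corp."}']

def demo():
    notary_key = secrets.token_bytes(32)
    salts, commitments = prover_commit(CHUNKS)
    tag = notary_sign(notary_key, SERVER, commitments)
    # The customer opens only chunk 2 (employer); name and salary stay hidden.
    ok = verify_claim(notary_key, SERVER, commitments, tag, 2, CHUNKS[2], salts[2])
    forged = verify_claim(notary_key, SERVER, commitments, tag, 2,
                          b'"employer":"Other Corp."}', salts[2])
    wrong_server = verify_claim(notary_key, "other.example", commitments, tag,
                                2, CHUNKS[2], salts[2])
    return ok, forged, wrong_server

if __name__ == "__main__":
    print(demo())
```

The verifier accepts the opened employer chunk and rejects both a substituted chunk and a different server name, while the name and salary chunks are never disclosed.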

How TLSNotary relates to Privacy Pass

I wrote about Privacy Pass recently. There are parallels and differences between TLSNotary and Privacy Pass.

Privacy Pass has been standardized since 2024. It solves anonymous authorization: "this client was validated by a trusted party". It requires server cooperation and it doesn't identify which client.

Oligopoly Dynamics

Privacy Pass implementation and cooperation requirements create natural oligopolies even though that's not how Privacy Pass was designed. Apple and Cloudflare have the largest user bases and infrastructure. Everyone else can integrate with them or be ignored.

TLSN is invisible to Big Tech

The TLS Notary operates transparently to servers, which means it can enable cooperation between parties without a contract between servers and without centralized control by big tech. The only obligation is a simple, stateless, and context-free agreement between the customer and the Notary. This is in the design, at the TLS level of the protocol. It is unlike Privacy Pass or OAuth 2, both of which are a contract between three or more parties. TLSN is invisible, and it proves a claim's provenance, "this specific claim came from this specific server," through math.

Math is For Everyone

TLSN: Verifiable, decentralized, proof of provenance, with selective disclosure.

The TLSN test is not yet a well-established standard. It's a cryptographic verification based on math and implementation that can be trusted.

In theory, it sounds amazing. But I've been working to create a prototype and the user experience is challenging.

Because Sometimes...

With self-sovereign identity, the question of data provenance is even more important than with centralized identity.

Let's talk about it. Because sometimes you or your agent need to
  • prove that you are over 21 without sharing your home address.
  • prove a thing without sharing your whole life.
  • prove ? without sharing ? everything


TLSN development is active and still pre-production as of March 2026.

The project is maintained by Privacy & Scaling Explorations at the Ethereum Foundation.