Anchor a proof. Reveal it on your terms.

Satsignal’s sealed mode is for the cases where the existence of a proof is itself sensitive — legal exhibits before disclosure, source material before coordinated release, evidence preservation when knowing-of-possession changes the situation.

Coming soon. The cryptographic spec is finalized; the submission UI is in development. Email hello@satsignal.cloud for early access or to discuss a specific use case before launch.

01How it differs

Public timestamp vs. sealed envelope.

Both modes anchor on the Bitcoin SV chain and produce the same portable bundle format. The difference is what the on-chain entry reveals to a third party.

Public timestamp

The default at satsignal.cloud

The chain entry contains the file’s actual fingerprints. Anyone with your file’s SHA-256 can confirm a Satsignal proof exists for it. Right for releases, customer-facing receipts, code-signing, public attestations.

Sealed envelope

This page (sealed mode)

The chain entry contains a salted commitment. Without the salt held only in your local bundle, an observer learns only that some file was anchored at time T — not which file, and not enough to confirm a candidate. You unseal publicly when you choose to.

The cryptographic construction (HMAC-SHA256 with HKDF-derived per-leaf salts so that selectively disclosing one page or row does not unseal the rest) is documented in SPEC_v2_sealed.md.

02Who it’s for

Five segments where this is close to mandatory.

Journalists with source material. Preserve cryptographic proof of the document you received before publication, without tipping adversaries that you have it.
Whistleblowers preserving evidence. Lock the artifact now, in case retaliation or legal action later disputes the record. Reveal at coordinated-release time.
Attorneys preparing exhibits. Anchor evidence ahead of filing; produce salt + bundle as part of discovery so verification is independent of any party’s good faith.
Internal investigations and IP-dispute prep. Preserve logs, screenshots, exports, and reports without alerting stakeholders that anything has been captured.
Personal safety / harassment / abuse documentation. When “I have evidence” is itself a risk, sealed mode keeps possession ambiguous until disclosure becomes safe.

03Mental model

Two products, one chain, one verifier.

Public mode is a published timestamp. Sealed mode is a sealed envelope — preserved cryptographically, opened when you choose. Both produce the same `.mbnt` bundle format; the same single-file verifier handles both, auto-detecting from the bundle’s manifest.

The bundle itself becomes a bearer secret in sealed mode: anyone holding the bundle can verify the anchor against any candidate file. Treat it as you would the file. Lose it to an adversary and the seal is broken; lose it entirely and the proof can no longer be verified, even though the chain entry is permanent.

Selective disclosure is preserved. You can later publish a single page of a sealed PDF, or a single row of a sealed CSV, with a per-leaf salt and Merkle path — verifiers confirm the chunk was part of the originally-anchored file without learning anything about the rest.

04Early access

Sealed mode launches with managed onboarding.

Sealed receipts are bearer-secret artifacts. Before granting access we’ll talk through your use case, the operational discipline required, and the exact failure modes — we’d rather you understand the model than ship something brittle.

Request access Read the spec