Verifiable trust

A trust badge you can actually verify

Most trust seals are just pictures. Anyone can copy one onto a scam site, and no one can tell the difference. Every TrustedOrigin badge carries a cryptographic key you can check in seconds.

A picture is not proof

Think about the security seals you see on checkout pages. A padlock icon, a "100% Secure" ribbon, a "Verified" badge. On most sites these are just images. Anyone can right-click, save, and paste the very same image onto a fraudulent store.

That is the problem with the whole category. A trust mark is supposed to be evidence, but if it cannot be checked, it is only decoration, and the sites that most want to look trustworthy are often the ones you should trust least.

A key, not just a picture

Every TrustedOrigin badge carries a verification key, a short code generated cryptographically from the certified site using HMAC-SHA256 and a secret only we hold.

The identical key is published on that site's public profile at trustedorigin.org/verify/<domain>, a page hosted on our domain that the site owner cannot edit. To confirm a badge is genuine, you check that the two keys match.

Copy the badge image onto another site and it breaks. The badge points to a profile on our domain for that exact site. A site we have not certified has no verified profile, and a profile always names the domain it belongs to, so a stolen badge gives itself away.

How anyone can verify a badge

1

Find the verification key shown on the Trust Badge on the site.

2

Click the badge, or open trustedorigin.org/verify/<domain>, on our domain.

3

Check the keys match. If they do, the badge is genuine. If not, be cautious.

A live example

We hold ourselves to the same standard

Here is the verification key on our own badge. The identical key appears on our public profile, on this domain, where we cannot quietly change it.

On the Trust Badge
2514-2225-385D-3A1D
=
On our public profile
2514-2225-385D-3A1D

Check any certified site

Type a domain to open its live, tamper-proof certification profile.

Not selling anything, this opens the public profile on trustedorigin.org.

Why a verifiable badge matters

For shoppers

Real proof, not a logo. A badge you can check in seconds means you can buy with genuine confidence.

For site owners

Protection from impersonation. A competitor or copycat cannot convincingly fake your certification, because it is tied to your domain and your key.

For the honest web

A trust mark that means something. When a seal can be verified, it stops being decoration and starts being evidence.

Frequently asked questions

Can a scammer just copy the badge?

They can copy the image, but it stops working. The badge links to a certification profile on our domain for that exact site. A site we have not certified has no verified profile, and every profile names the domain it belongs to, so a copied badge points at a profile that either does not exist or clearly belongs to someone else.

What does "cryptographically generated" actually mean here?

The key is produced with HMAC-SHA256, a standard cryptographic function, from the certified site using a secret only we hold. Because the secret is never shared, no one else can generate a matching key for a site we have not certified.

How do I verify a badge as a visitor?

Note the key on the badge, click it (or go to trustedorigin.org/verify/ followed by the domain), and check the key on that page matches, character for character. If it matches, the badge is genuine. If it does not match, or there is no profile, treat the badge with caution.

Do I need to be technical to check it?

No. Verifying a badge is just comparing two short codes and confirming the profile lives on trustedorigin.org. There is nothing to install and nothing to calculate.

Get a badge people can trust.

Real checks, a tamper-proof profile, and a badge anyone can verify. One script tag and our team starts verifying your site.

Get your badge Run a free site check