RootLens Documentation
How RootLens proves content is real — from camera sensor to browser verification.
Background: Why C2PA Alone Is Not Enough
C2PA (Coalition for Content Provenance and Authenticity) is an open standard that embeds a camera's cryptographic signature into content at capture time. Devices like Google Pixel, Sony, and Nikon cameras support it, and it is becoming the foundation for proving content provenance.
But C2PA has a structural limitation. Verification requires both the complete original content data and the manifest — if even one byte changes, the hash no longer matches and verification fails. Nearly every social media platform and messaging app strips C2PA data and recompresses content on upload, so the proof disappears the moment content is shared. Title Protocol solves this by separating the proof from the content and recording it in a form that can be verified without the original file.
For a deeper look at this problem and the solution, see the Introduction.
What RootLens Does
When you see a photo online, how do you know it's real? RootLens answers that question. It proves that a photo or video is authentic — captured by a real camera, on a real device, without manipulation — and lets anyone verify that proof independently.
Here is how it works at the highest level: a camera signs the content at capture time. That signed content is then sent — encrypted, end-to-end — to a Trusted Execution Environment (TEE), a piece of isolated hardware where nobody can see the raw content or tamper with the verification code. The TEE inspects the signature, extracts key facts (who signed it, what the image looks like), and signs the results with a private key that nobody can extract — not even the developers of this system. That TEE signature is the root of trust.
The results are then linked to on-chain records (cNFTs on Solana) so that anyone can find them. The actual verification data is stored off-chain, but it carries the TEE signature — so the blockchain is an index for discovery, not the container of the proof itself. A viewer's browser fetches the data via the on-chain pointer and re-verifies the TEE signature locally, without contacting any server.
What the User Sees
A content creator publishes a photo through the RootLens app. This produces a shareable link (e.g., rootlens.io/p/abc123). When someone opens that link in a browser, the page displays the photo along with a verification badge showing whether the proof checks out. Behind the scenes, the browser fetches the proof data via on-chain pointers and re-verifies the TEE signature locally — without contacting the RootLens server.
Key Terms
Before going further, here are the terms you will encounter throughout this documentation:
| Term | What It Means |
|---|---|
| C2PA | An open standard (Coalition for Content Provenance and Authenticity) for embedding provenance metadata into media files. When a camera signs a photo with C2PA, it creates a cryptographic proof of where the content came from. |
| TEE | Trusted Execution Environment. Isolated hardware (a secure chip or enclave) where code runs and keys are stored such that nobody — not even the system operator — can access the internals. |
| cNFT | Compressed NFT. A lightweight on-chain record on Solana. RootLens uses cNFTs as tamper-proof containers for verification results — not as collectibles or art. "Compressed" means they use Solana's state compression to keep costs low while remaining fully on-chain. |
| signed_json | A JSON document containing a verification result, signed by a TEE's private key. Because the signature is unforgeable, the document is self-proving — it carries its own proof of authenticity regardless of where it is stored. |
| content_hash | A SHA-256 hash of the original content file. Used as the unique identifier that links the content to its on-chain proof. |
| Perceptual hash (PDQ) | A "visual fingerprint" of an image. Unlike a cryptographic hash (which changes completely if a single pixel changes), a perceptual hash stays similar across re-encoding, resizing, and minor edits. This lets the browser confirm that the displayed image matches the one that was originally verified. |
| GlobalConfig | An on-chain record on Solana that defines protocol-wide settings: which cNFT collections are official, which TEE nodes are trusted, and which verification code (WASM) hashes are approved. The browser reads this directly from the blockchain — never from a server. |
Three Phases of Trust
The trust model has three stages.
| Phase | What It Proves | Trust Basis |
|---|---|---|
| 1. Content Creation | This content was captured by a specific device | Device hardware (sensor-to-chip) or Platform Attestation |
| 2. Verification & Record | The C2PA chain was verified and the result was signed with a hardware-isolated key | TEE hardware (the signing key cannot be extracted, even by system operators) |
| 3. Browser Verification | The displayed content matches the TEE-signed proof | Re-verifies Phase 2 proofs locally — does not require trusting RootLens or any server |
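The Phase 3 checks described above, sketched as an added example that is not RootLens code and runs under Node.js so it is self-contained. The envelope field names (`payload`, `signature`, `tee_pubkey`, `wasm_hash`, `pdq`), the use of Ed25519, the shape of the `globalConfig` object and the PDQ distance threshold of 31 are all assumptions, since the page does not specify them.

```javascript
// Added example (runs under Node.js). Field names, Ed25519 and the PDQ
// threshold are assumptions, not RootLens's actual format.
const crypto = require('node:crypto');

const PDQ_MAX_DISTANCE = 31; // assumed match threshold for 256-bit PDQ hashes

// Number of differing bits between two equal-length hex strings.
function hammingHex(a, b) {
  if (a.length !== b.length) throw new Error('hash length mismatch');
  let bits = 0;
  for (let i = 0; i < a.length; i++) {
    let x = parseInt(a[i], 16) ^ parseInt(b[i], 16);
    while (x) { bits += x & 1; x >>= 1; }
  }
  return bits;
}

// globalConfig stands in for the on-chain GlobalConfig record (hypothetical shape).
function verifyProof(envelope, globalConfig, displayedPdq) {
  const { payload, signature, tee_pubkey } = envelope;
  // 1. The signer must be a TEE node listed on-chain, not one the server names.
  if (!globalConfig.trustedTeeKeys.includes(tee_pubkey)) return 'untrusted-tee';
  const key = crypto.createPublicKey({
    key: Buffer.from(tee_pubkey, 'base64'), format: 'der', type: 'spki' });
  // 2. Verify over the exact signed bytes; parse only after the check passes.
  const sig = Buffer.from(signature, 'base64');
  if (!crypto.verify(null, Buffer.from(payload), key, sig)) return 'bad-signature';
  const result = JSON.parse(payload);
  // 3. The verification code that produced the result must be approved.
  if (!globalConfig.approvedWasmHashes.includes(result.wasm_hash)) return 'unapproved-wasm';
  // 4. The displayed image must be visually close to the one the TEE inspected.
  if (hammingHex(result.pdq, displayedPdq) > PDQ_MAX_DISTANCE) return 'image-mismatch';
  return 'verified';
}

// Constructed sample: a throwaway key pair plays the TEE; all values are made up.
function buildSample() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const tee_pubkey = publicKey.export({ format: 'der', type: 'spki' }).toString('base64');
  const pdq = 'a5'.repeat(32);
  const payload = JSON.stringify({ content_hash: '00'.repeat(32), pdq, wasm_hash: 'wasm-v1' });
  const signature = crypto.sign(null, Buffer.from(payload), privateKey).toString('base64');
  return {
    envelope: { payload, signature, tee_pubkey },
    globalConfig: { trustedTeeKeys: [tee_pubkey], approvedWasmHashes: ['wasm-v1'] },
    pdq,
  };
}
```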
Multiple Content Sources
RootLens is not limited to content captured by the RootLens app. It works with any C2PA-signed content: Google Pixel photos (signed by Google's Titan M2 chip), Sony and Leica cameras, and RootLens's own app-level signatures. All content types enter the same Phase 2 pipeline and produce the same kind of verifiable proof. The difference is only in Phase 1 — the trust basis of the original signature — and this difference is clearly displayed to the viewer (e.g., "Shot on Google Pixel" vs. "Shot on RootLens").