Photo Proof Certificate
Verify photo authenticity online — compute a SHA-256 hash, extract EXIF metadata, and download a tamper-evidence certificate PDF for legal filings, insurance claims, or evidentiary use. Your image never leaves your device.
Drop a photo here or click to browse
JPEG · PNG · HEIC · WebP — processed entirely in your browser
✓ Certificate Ready
SHA-256 Hash — tap to copy
click to copy
File Details
100% private. This tool runs entirely in your browser using the Web Crypto API and pdf-lib. No image data, hash, or metadata is ever sent to a server.
How it works
Three steps happen entirely client-side, in milliseconds:
1. SHA-256 hashing
The browser reads the raw file bytes via FileReader and feeds them to
SubtleCrypto.digest("SHA-256"). The resulting 256-bit fingerprint is unique to the exact byte sequence — one altered pixel changes the entire hash.
2. EXIF extraction
exifr.js parses the image's embedded metadata without decoding pixel data: capture timestamp (DateTimeOriginal), GPS latitude/longitude, camera make & model, and image dimensions.
3. PDF certificate
pdf-lib assembles a certificate page containing the file name, file size, SHA-256 hash, all extracted EXIF fields, and the certificate-generation timestamp (UTC). The PDF is generated in memory and offered as a download.
Why SHA-256?
SHA-256 is a one-way cryptographic function standardized by NIST (FIPS 180-4). It is widely accepted by courts, insurers, and forensic labs as a tamper-evidence mechanism. Two different files cannot produce the same hash (collision resistance).
Example: A photo taken at 09:15:32 on 2024-03-10 with an iPhone 15 Pro produces a hash like a3f8c2…. Any edit — even metadata stripping — changes the hash. The certificate records both the original hash and the moment you generated the certificate, creating a two-timestamp chain.
Frequently asked questions
- Is a SHA-256 certificate admissible as legal evidence?
- In many jurisdictions, cryptographic hash certificates have been accepted as supporting evidence in civil disputes, insurance claims, employment matters, and intellectual property cases. A SHA-256 hash proves that a file existed in its exact current form at the time the certificate was generated. However, admissibility depends on jurisdiction and context — consult a solicitor or attorney for formal legal proceedings. This certificate is best used alongside other corroborating evidence such as email timestamps, server logs, or notarization.
- Does editing EXIF data change the SHA-256 hash?
- Yes — in almost all cases. EXIF metadata is embedded within the JPEG or PNG file's binary structure. Stripping or altering it changes the raw bytes, which changes the SHA-256 hash. This is a key advantage of hashing at the file level rather than just inspecting metadata: the hash covers everything, including metadata. One exception is lossless EXIF-only editors that modify only specific IFD offsets without touching pixel data — these do alter the hash because the file bytes change, which is precisely what you want to detect.
- What if my photo has no EXIF data?
- The SHA-256 hash is always computed regardless of EXIF presence — it depends only on the raw file bytes. If EXIF fields are absent (common with screenshots, photos shared via messaging apps that strip metadata, or deliberately cleaned images), the certificate will show "Not available" for those fields and note that the absence itself may be significant. The hash still serves as a complete tamper-evidence fingerprint of the file as you received it.
- How do I verify a hash later?
- Re-run the same original file through this tool. If the SHA-256 hash matches the one on your saved certificate, the file is byte-for-byte identical to when you certified it. On macOS you can also run
shasum -a 256 yourfile.jpgin Terminal; on Windows,certutil -hashfile yourfile.jpg SHA256. These command-line tools use the same algorithm and will produce identical output for the same file.