External Anchoring

Third-party timestamp attestation via RFC 3161.

External anchoring publishes Merkle roots to trusted timestamp authorities (TSAs). This provides cryptographic proof — from an independent third party — that your data existed at a specific point in time. No one can claim you backdated events.

Why external anchoring matters

| Without anchoring | With anchoring |
|-------------------|----------------|
| "Our system says this existed at time T" | "A trusted third party attests this existed at time T" |
| Self-attestation | Independent verification |
| "Trust us" | "Verify independently" |

For regulatory compliance, legal disputes, and audit scenarios, third-party attestation can be the difference between "we think we're compliant" and "we can prove it."

How it works

```text
Merkle Root ──▶ Timestamp Authority ──▶ Signed Token
                    (RFC 3161)          (proof of time)
```

  1. You create a Merkle checkpoint (see Merkle Proofs)
  2. XMDB sends the Merkle root to an RFC 3161 Timestamp Authority
  3. The TSA returns a signed timestamp token
  4. The token proves the root existed at that exact time
  5. Anyone can verify the token against the TSA's public certificate

RFC 3161

RFC 3161 is an internet standard for trusted timestamps. Timestamp authorities are operated by:

  • Certificate authorities (DigiCert, Sectigo)
  • Government agencies
  • Independent services (FreeTSA)

The timestamp token is cryptographically signed and includes:

  • The hash you submitted
  • The exact time
  • The TSA's signature
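To make "the hash you submitted" concrete, the following added example (not XMDB's own code) builds the RFC 3161 `TimeStampReq` for a Merkle root and reads the message imprint back out of the encoded request. It assumes the `merkle_root` value is a base64-encoded SHA-256 hash that is submitted unchanged as the imprint; the function names and the nonce are hypothetical.

```python
import base64

# DER encoding of OID 2.16.840.1.101.3.4.2.1 (SHA-256)
SHA256_OID = bytes.fromhex("0609608648016503040201")
# Merkle root copied from the anchor response on this page
ROOT_B64 = "v+IAy8gqQMQZpXMeuGgDd9bRJPjUclMqLUDv9seJgjE="

def der(tag, body):
    """Encode one DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def build_timestamp_req(merkle_root_b64, nonce):
    """TimeStampReq (RFC 3161, 2.4.1) with the root as a SHA-256 imprint."""
    # Assumption: the decoded root itself is the imprint (not a hash of it)
    root = base64.b64decode(merkle_root_b64, validate=True)
    if len(root) != 32:
        raise ValueError("expected a 32-byte root")
    alg = der(0x30, SHA256_OID + der(0x05, b""))   # AlgorithmIdentifier
    imprint = der(0x30, alg + der(0x04, root))      # MessageImprint
    nonce_der = der(0x02, nonce.to_bytes(nonce.bit_length() // 8 + 1, "big"))
    # version 1, imprint, nonce (binds reply to request), certReq TRUE
    return der(0x30, der(0x02, b"\x01") + imprint + nonce_der + der(0x01, b"\xff"))

def imprint_in_request(req):
    """Return the hashedMessage bytes the TSA is asked to timestamp."""
    tag, body, end = read_tlv(req, 0)
    if tag != 0x30 or end != len(req):
        raise ValueError("not a single DER SEQUENCE")
    _, _, pos = read_tlv(body, 0)       # skip version
    _, mi, _ = read_tlv(body, pos)      # MessageImprint
    _, _, pos = read_tlv(mi, 0)         # skip AlgorithmIdentifier
    tag, digest, _ = read_tlv(mi, pos)
    if tag != 0x04:
        raise ValueError("hashedMessage is not an OCTET STRING")
    return digest
```

The request carries only the 32-byte hash, so the TSA never sees the underlying data. Checking the TSA's signature on the returned token is a separate step (for example with `openssl ts -verify`) and is not done here.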

Anchoring a checkpoint

API

```bash
curl -X POST "https://api.xmdb.cloud/v1/checkpoints/chk_abc123/anchor?workspace_id=prod&scope_id=project" \
  -H "Authorization: Bearer $XMDB_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "tsa_url": "https://freetsa.org/tsr"
  }'
```

Response:

```json
{
  "anchor_id": "anc_xyz789",
  "checkpoint_id": "chk_abc123",
  "merkle_root": "v+IAy8gqQMQZpXMeuGgDd9bRJPjUclMqLUDv9seJgjE=",
  "tsa_url": "https://freetsa.org/tsr",
  "timestamp_token": "MIIEr...",
  "anchored_at": "2025-01-16T10:35:00Z",
  "status": "anchored"
}
```

CLI

```bash
# Anchor with default TSA
xmdbctl checkpoints anchor --checkpoint-id chk_abc123

# Anchor with specific TSA
xmdbctl checkpoints anchor --checkpoint-id chk_abc123 \
  --tsa-url "https://freetsa.org/tsr"
```

Checking anchor status

```bash
# API
curl "https://api.xmdb.cloud/v1/checkpoints/chk_abc123/anchor?workspace_id=prod&scope_id=project"

# CLI
xmdbctl checkpoints anchor-status --checkpoint-id chk_abc123
```

Verifying anchors

Verify that the timestamp token is valid and matches the Merkle root:

```bash
# API
curl -X POST "https://api.xmdb.cloud/v1/checkpoints/chk_abc123/anchor/verify?workspace_id=prod&scope_id=project" \
  -H "Authorization: Bearer $XMDB_API_TOKEN"

# CLI
xmdbctl checkpoints anchor-verify --checkpoint-id chk_abc123
```

Response:

```json
{
  "valid": true,
  "timestamp": "2025-01-16T10:35:00Z",
  "tsa": "FreeTSA",
  "merkle_root": "v+IAy8gqQMQZpXMeuGgDd9bRJPjUclMqLUDv9seJgjE="
}
```

Supported timestamp authorities

| TSA | URL | Notes |
|-----|-----|-------|
| FreeTSA | https://freetsa.org/tsr | Free, good for testing and low-volume |
| DigiCert | https://timestamp.digicert.com | Commercial, high reliability |
| Sectigo | https://timestamp.sectigo.com | Commercial |

Use FreeTSA for development and testing. For production compliance requirements, consider a commercial TSA with SLAs.

Complete audit flow

Here's how external anchoring fits into the full proof-of-provenance flow:

```bash
# 1. Agent captures memories
xmdbctl capture --content "User requested account closure"

# 2. Agent retrieves context with receipt
xmdbctl pack -q "account closure" --return-receipt

# 3. Agent records belief
xmdbctl beliefs create \
  --receipt-id rcp_xxx \
  --conclusion "User wants to close account" \
  --confidence 0.95

# 4. Create checkpoint
xmdbctl checkpoints create

# 5. Anchor to external TSA
xmdbctl checkpoints anchor --checkpoint-id chk_xxx

# Now you have:
# - Proof of what the agent retrieved (receipt)
# - Proof of what it concluded (belief)
# - Proof of when all this happened (anchor)
# - All independently verifiable
```

Best practices

  • Anchor critical checkpoints — Not every checkpoint needs anchoring, but milestone checkpoints should be anchored
  • Use commercial TSAs for compliance — FreeTSA is great for testing, but regulated industries may require established TSAs
  • Store tokens securely — Timestamp tokens are your proof; back them up
  • Anchor before disputes arise — You can't anchor retroactively; anchor proactively
  • Combine with Merkle proofs — Anchor proves when; Merkle proof proves what
