Most trust seals are just pictures. Anyone can copy one onto a scam site, and no one can tell the difference. Every TrustedOrigin badge carries a cryptographic key you can check in seconds.
Think about the security seals you see on checkout pages. A padlock icon, a "100% Secure" ribbon, a "Verified" badge. On most sites these are just images. Anyone can right-click, save, and paste the very same image onto a fraudulent store.
That is the problem with the whole category. A trust mark is supposed to be evidence, but if it cannot be checked, it is only decoration, and the sites that most want to look trustworthy are often the ones you should trust least.
Every TrustedOrigin badge carries a verification key, a short code generated cryptographically from the certified site using HMAC-SHA256 and a secret only we hold.
The identical key is published on that site's public profile at trustedorigin.org/verify/<domain>, a page hosted on our domain that the site owner cannot edit. To confirm a badge is genuine, you check that the two keys match.
Copy the badge image onto another site and it breaks. The badge points to a profile on our domain for that exact site. A site we have not certified has no verified profile, and a profile always names the domain it belongs to, so a stolen badge gives itself away.
Find the verification key shown on the Trust Badge on the site.
Click the badge, or open trustedorigin.org/verify/<domain>, on our domain.
Check the keys match. If they do, the badge is genuine. If not, be cautious.
Here is the verification key on our own badge. The identical key appears on our public profile, on this domain, where we cannot quietly change it.
Type a domain to open its live, tamper-proof certification profile.
Not selling anything, this opens the public profile on trustedorigin.org.
Real proof, not a logo. A badge you can check in seconds means you can buy with genuine confidence.
Protection from impersonation. A competitor or copycat cannot convincingly fake your certification, because it is tied to your domain and your key.
A trust mark that means something. When a seal can be verified, it stops being decoration and starts being evidence.
They can copy the image, but it stops working. The badge links to a certification profile on our domain for that exact site. A site we have not certified has no verified profile, and every profile names the domain it belongs to, so a copied badge points at a profile that either does not exist or clearly belongs to someone else.
The key is produced with HMAC-SHA256, a standard cryptographic function, from the certified site using a secret only we hold. Because the secret is never shared, no one else can generate a matching key for a site we have not certified.
Note the key on the badge, click it (or go to trustedorigin.org/verify/ followed by the domain), and check the key on that page matches, character for character. If it matches, the badge is genuine. If it does not match, or there is no profile, treat the badge with caution.
No. Verifying a badge is just comparing two short codes and confirming the profile lives on trustedorigin.org. There is nothing to install and nothing to calculate.
Real checks, a tamper-proof profile, and a badge anyone can verify. One script tag and our team starts verifying your site.