Sign in or graduate

Browsing without signing in is fine — the public corpus is open. Signing in lets the site remember you between visits.

Your graduation cert is your identity. Drop it in to come back. Walk a sim to leave with one. Same cert, both directions.

The sovereign path: drop your cert

If you have a graduation cert, sign in by demonstrating it is intact. No third party. No password. The browser hashes the cert content client-side and compares the result against the cert_leaf field embedded in the cert. A match means the cert has not been altered since issue, and you sign in. A mismatch means the content differs from what was hashed, even by a single character such as a typo, and you do not.

You can prove this to yourself: alter one letter in the cert and try to sign in. It fails. Restore the letter. It passes. The math is the math.

How the test works

Your cert is a JSON document. The cert_leaf field inside it is the SHA-256 hash of everything else (excluding the signature). When you submit, the browser:

  1. Reads the JSON, extracts cert_leaf and signature
  2. Computes SHA-256 of the canonical JSON of the remaining fields
  3. Compares the computed hash to the embedded cert_leaf

If the cert was altered, the computed hash diverges. The check fails. Sign-in is denied.

The check happens entirely in your browser. The cert never leaves your machine.
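
The three steps above, as an added example that is not the site's own code. It runs under Node.js and shows that re-serialising the file leaves the check passing while a one-character content change fails it. Assumptions: "canonical JSON" means recursively sorted keys with no whitespace, cert_leaf is lowercase hex, and the sample cert's other field names are constructed.

```javascript
// Added example (Node.js). In a browser the same digest comes from
// crypto.subtle.digest('SHA-256', bytes).
const { createHash } = require('node:crypto');

// ASSUMPTION: canonical JSON = object keys sorted recursively, no whitespace.
function canonicalize(value) {
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  if (value !== null && typeof value === 'object') {
    const members = Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k]));
    return '{' + members.join(',') + '}';
  }
  return JSON.stringify(value); // strings, numbers, booleans, null
}

// Hash every field except cert_leaf and signature (steps 1 and 2).
function computeLeaf(cert) {
  const { cert_leaf, signature, ...rest } = cert;
  return createHash('sha256').update(canonicalize(rest), 'utf8').digest('hex');
}

// Step 3, with explicit failures for inputs that are not well-formed certs.
function checkCert(jsonText) {
  let cert;
  try {
    cert = JSON.parse(jsonText);
  } catch {
    return { ok: false, reason: 'not valid JSON' };
  }
  if (cert === null || typeof cert !== 'object' || Array.isArray(cert)) {
    return { ok: false, reason: 'not a JSON object' };
  }
  // ASSUMPTION: cert_leaf is stored as 64 lowercase hex characters.
  if (typeof cert.cert_leaf !== 'string' || !/^[0-9a-f]{64}$/.test(cert.cert_leaf)) {
    return { ok: false, reason: 'cert_leaf missing or malformed' };
  }
  return computeLeaf(cert) === cert.cert_leaf
    ? { ok: true, reason: 'match' }
    : { ok: false, reason: 'hash mismatch' };
}

// Constructed sample; every field except cert_leaf and signature is made up.
function makeSampleCert() {
  const body = { holder: 'mr1-constructed-example', sim: 'clinic-owner', issued: '2025-01-01' };
  return { ...body, cert_leaf: computeLeaf(body), signature: 'constructed-placeholder' };
}
```

A matching cert_leaf shows the file is internally consistent; tying it to the issuer depends on verifying the signature field, which this example only excludes from the hash and does not check.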

Lost your cert? Paste your twelve words

A second file rode along with your cert at graduation: merkletrust_recovery_seed.md. It contains twelve words. Paste them below to regenerate your identity client-side. The math is deterministic — same twelve words always produce the same mr1... identifier.

Privacy note. The words never leave your browser. The derivation runs locally in JavaScript using the audited noble-ed25519 library. We never see them.

How recovery works

Your twelve words are a BIP39 mnemonic — the same standard cryptocurrency wallets use, chosen for portability. But the substrate uses ed25519, not the secp256k1 that wallets use. So even if you paste these words into a wallet app, the wallet will derive different keys, and they won't unlock anything financial. The words are only useful for MerkleTrust identity.

The flow:

  1. You paste the twelve words.
  2. The browser converts the words to 64 bytes of seed via PBKDF2-HMAC-SHA512.
  3. The seed is mixed with the domain separator merkletrust:v1:identity via HMAC-SHA512.
  4. The first 32 bytes of the result become an ed25519 secret key.
  5. The ed25519 public key is encoded as mr1... with a 4-character checksum.
  6. That mr1... identifier is your MerkleTrust identity. Same words always produce the same identifier.

Nothing is sent to any server. The recovery path produces the same keypair that signed your cert at graduation, so verification works without the cert file present.

Don't have a cert yet?

A graduation cert is what you take with you when you finish a sim. Walk any sim to the end and you'll leave with one. The cert is yours; we don't keep a copy.

Browse the simulations → · Or start with the 30-minute clinic-owner sim →

The recovery seed

A second file rides along with your cert at graduation: a recovery seed. Twelve words written into a file with a self-protecting preamble. If you ever paste the recovery file into an LLM by accident, the preamble tells the LLM to STOP and warn you. The recovery seed is for break-glass scenarios only. The cert is your daily door; the seed is the fire exit.

Two non-sovereign fallbacks

For visitors who would rather not manage a cert, two third-party fallbacks exist. We are honest that they are non-sovereign:

Google sign-in

Quick, familiar. Your identity is mediated by Google. You depend on Google's policies and uptime. (Available when the live endpoint is reachable.)

Email magic-link

We email you a one-time link. Your identity is mediated by your email provider. You depend on their policies and uptime. (Available when the live endpoint is reachable.)