Technology · February 2025 · 8 min read

What Is Vouch and How Does zkTLS Work?

vouch is the cryptographic layer powering AudienceCheck. Built by the vlayer team, it uses zero-knowledge proofs over TLS to verify any HTTPS data source — without ever exposing your credentials or raw data.

[Figure: ① TLS session between the creator's browser (instagram.com/insights) and Instagram; ② ZK proof generation by the TLS Notary (vlayer infrastructure), which witnesses the TLS handshake, records the server response, signs a commitment hash and generates the ZK circuit, with no credentials seen; ③ proof output (handle: @alex_creates, followers: 128,400, reach (30d): 34,200, US audience: 42%) published as a tamper-proof, public shareable link.]

What is vouch?

vouch is a verification protocol that allows users to prove specific claims about data they receive from any HTTPS endpoint — without revealing their credentials, session tokens, or the underlying raw response. It's built on top of zkTLS: zero-knowledge proofs applied to the Transport Layer Security protocol.

The core insight is elegant: every time you load a webpage or API response, your browser is already receiving cryptographically signed data from the server via TLS. zkTLS extends this by having a trusted notary witness the session and commit to the server's response — then generating a zero-knowledge proof that specific values were present in that response, without revealing anything else.

How TLS works (and why it matters for zero-knowledge proofs)

TLS is the protocol underlying every HTTPS connection. When your browser connects to instagram.com, the two perform a handshake: the server presents a certificate proving its identity, both sides agree on a session key, and all subsequent data is encrypted with that shared secret.

The critical property for zkTLS is that the server's response is implicitly authenticated: it was encrypted with a key derived from the server's secret, so only a genuine response from that server could decrypt correctly. If a notary can witness the session (without learning the session key in plaintext) and commit to a hash of the server's encrypted response, that commitment later becomes the basis of a verifiable proof.

[Figure: sequence diagram between Client, Notary and Server (Instagram): ClientHello + notary witness request; ServerHello + certificate; notary co-signs session key; GET /insights (encrypted request); encrypted response, notary commits hash. The notary generates the ZK proof from the committed response; no plaintext leaves the client.]

vlayer's implementation: multi-party TLS notarization

The vlayer team (backed by a16z Crypto CSX) has built a production-grade zkTLS stack that implements multi-party computation to allow a notary to co-participate in the TLS handshake without gaining access to the session keys in plaintext.

In practice, the flow works as follows:

  1. Request initiation

     The user (creator) triggers a verification. The vouch SDK initiates a TLS session to the target server (e.g. Instagram's Insights endpoint) with the vlayer notary as an observer.

  2. Notary witnessing

     The vlayer notary participates in the TLS handshake via a 2PC (two-party computation) protocol. It contributes to key derivation without ever knowing the full plaintext session key — meaning it cannot decrypt the traffic independently.

  3. Response commitment

     The server responds. The notary commits to a cryptographic hash of the server's response. This hash is signed by the notary's key, creating an unforgeable attestation that "this exact response came from instagram.com at this time."

  4. ZK proof generation

     A ZK circuit is run over the committed response. The prover (the user's device) generates a proof that specific fields — e.g. follower count = 128,400, US audience percentage = 42% — are present in the committed response, without revealing other fields.

  5. Proof publication

     The resulting proof is a compact, self-contained artifact. It can be verified by anyone with the notary's public key. AudienceCheck stores it and generates a shareable link.

A concrete example: verifying Instagram follower count

Example verification flow

Creator: Opens vouch, enters @alex_creates
Browser: Establishes TLS session with instagram.com/insights
Notary: Witnesses handshake via 2PC, commits to response hash
ZK Circuit: Proves followers=128400, reach=34200, US=42% from committed hash
Output: Proof stored → audiencecheck.com/abc123 shareable link

The brand or buyer who receives the shareable link sees the verified stats and can independently confirm the proof was issued by a trusted vlayer notary. They don't need to trust AudienceCheck, the creator, or Instagram — only the math.
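The commit, sign and verify steps of the flow above (steps 3 to 5, and the follower-count example) can be modelled in a short program; this is an added example, not vouch or vlayer code. It swaps the ZK circuit for plain salted SHA-256 commitments with selective opening, which keeps undisclosed fields hidden but is not a zero-knowledge proof, and it does not model the 2PC handshake that ties the commitments to the server's real response. The names Field, Proof, Build and Verify, the field names, the salts and the key are all constructed for illustration; real salts must be random.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

type Field struct{ Name, Value, Salt string } // Salt blinds the commitment

type Proof struct {
	Commits []string      // hex SHA-256 commitments, one per field
	Opened  map[int]Field // index into Commits -> disclosed field
	Sig     []byte        // notary signature over server name + Commits
}

func commit(f Field) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(fmt.Sprintf("%q%q%q", f.Salt, f.Name, f.Value))))
}

func signed(server string, c []string) []byte { return []byte(fmt.Sprintf("%q%q", server, c)) }

// Build commits to every field, opens the chosen ones, and signs as the notary.
// The signature covers commitments only, never the field values themselves.
func Build(priv ed25519.PrivateKey, server string, fs []Field, open ...int) Proof {
	p := Proof{Opened: map[int]Field{}}
	for _, f := range fs {
		p.Commits = append(p.Commits, commit(f))
	}
	for _, i := range open {
		p.Opened[i] = fs[i]
	}
	p.Sig = ed25519.Sign(priv, signed(server, p.Commits))
	return p
}

// Verify pins the expected server, checks the signature, then each opened field.
func Verify(pub ed25519.PublicKey, server string, p Proof) bool {
	ok := ed25519.Verify(pub, signed(server, p.Commits), p.Sig)
	for i, f := range p.Opened {
		ok = ok && i >= 0 && i < len(p.Commits) && commit(f) == p.Commits[i]
	}
	return ok
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed notary key
	fs := []Field{{"followers", "128400", "c0ffee"}, {"email", "a@example.com", "f00d"}}
	fmt.Println(Verify(pub, "instagram.com", Build(priv, "instagram.com", fs, 0)))
}
```

The verifier supplies the server name it expects rather than reading it from the proof, so a signature issued for one origin cannot be replayed as a claim about another.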

Why zero-knowledge? Why not just show the data?

A natural question: why not simply have the creator log in to a third-party app and let that app read the stats directly? The answer is privacy and practicality.

Granting OAuth access to a third-party app creates a persistent connection — the app could monitor ongoing activity, pull data over time, or become a liability if breached. Platform terms of service often prohibit scraping or bulk access. And creators are rightly suspicious of apps asking for broad account permissions.

Zero-knowledge proofs solve this elegantly: the creator proves a specific claim at a specific point in time, without granting any ongoing access. The proof is a snapshot, not a tap. Once generated, it can be shared with anyone without exposing any additional information about the account.

vouch in practice: what AudienceCheck verifies

Using vouch's infrastructure, AudienceCheck currently verifies the following Instagram fields for creators:

Follower count: Total verified followers at time of proof
Post count: Total published posts
Views (30d): Total views in the last 30 days
Accounts reached (30d): Unique accounts reached
Audience by country: Top 4 countries + percentages
Verified handle: Cryptographic link between proof and @handle
