What is vouch?
vouch is an application that lets users prove specific claims about data they receive from any HTTPS endpoint - without revealing their credentials, session tokens, or the underlying raw response. It is built on the zkTLS protocol, which vlayer developed on top of TLSNotary.
The core insight is elegant: every time you load a webpage or API response, your browser exchanges encrypted data over TLS. zkTLS extends this by having a notary actively co-participate in the TLS session through multi-party computation (MPC) - jointly deriving keys, encrypting requests, and decrypting responses with the user, without either party ever holding the full session key. The client then creates commitments to the plaintext from this joint computation, which the notary signs without ever seeing the raw plaintext data. This is the foundation of zkTLS.
How TLS works (and why it matters for zkTLS)
TLS is the protocol underlying every HTTPS connection. When your browser connects to instagram.com, the two sides perform a so-called handshake: the server presents a certificate proving its identity, both sides agree on a session key, and all subsequent data is encrypted with that shared secret.
Two properties of TLS matter for zkTLS. First, the server proves its identity during the handshake by presenting a certificate - so the client (and any co-participating notary) can be certain they're talking to the real server. Second, every record is protected by an authentication tag, which guarantees that the data has not been tampered with in transit. Together, these properties mean that if a notary co-participates in the TLS session via MPC - contributing to key derivation and jointly processing every encrypted record - it can later sign commitments attesting that specific data genuinely came from a particular server, without ever having seen the data itself.
vlayer's implementation: multi-party TLS notarization
The vlayer team (backed by a16z Crypto CSX) has built a production-grade zkTLS stack that implements multi-party computation to allow a notary to co-participate in the TLS handshake without gaining access to the session keys or data in plaintext.
In practice, the flow works as follows:
1. Request initiation
The user (creator) triggers a verification. The vouch SDK initiates a TLS session to the target server (e.g. Instagram's Insights endpoint) with the vlayer notary as an active MPC co-participant.
2. Notary witnessing
The vlayer notary participates in the TLS handshake via a 2PC (two-party computation) protocol. It contributes to key derivation without ever knowing the full plaintext session key - meaning it cannot decrypt the traffic independently.
3. Ciphertext verification and attestation
The server responds with encrypted data. The client and notary jointly verify the authenticity of each encrypted record using MPC - confirming it hasn't been tampered with - but neither party decrypts it yet. After the TLS session closes, the notary reveals its key share, allowing the client to decrypt locally. The client then proves to the notary, using a zero-knowledge protocol, that the plaintext it claims matches the authenticated ciphertext - without revealing the plaintext itself. That's the power of zero-knowledge proofs. The notary signs this proof, producing an attestation that the data genuinely came from instagram.com at that time - without ever learning what it contained.
4. Proof publication
The resulting attestation is a compact, portable artifact: it includes the notary's signature attesting to the TLS session. A verifier who trusts the notary can validate it independently. AudienceCheck stores the attestation and generates a shareable link.
A concrete example: verifying Instagram follower count
Example verification flow
The brand or buyer who receives the shareable link sees the verified stats and can independently confirm the proof. They need to trust the vlayer notary (that it faithfully participated in the MPC protocol), but they don't need to trust AudienceCheck, the creator, or Instagram. The cryptographic attestation guarantees the data is genuine — the notary only attests to the session, never sees the underlying data, and cannot forge results.
Why zero-knowledge? Why not just show the data?
A natural question: why not simply have the creator log in to a third-party app and let that app read the stats directly? The answer is privacy and practicality.
Granting OAuth access to a third-party app creates a persistent connection — the app could monitor ongoing activity, pull data over time, or become a liability if breached. Platform terms of service often prohibit scraping or bulk access. And creators are rightly suspicious of apps asking for broad account permissions.
Zero-knowledge proofs solve this elegantly: the creator proves a specific claim at a specific point in time, without granting any ongoing access. The proof is a snapshot, not a tap. Once generated, it can be shared with anyone without exposing any additional information about the account.
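A simplified model of the commit-then-disclose idea, as an added example (not vouch, vlayer or TLSNotary code): the client commits to each response field with a salted hash, folds the commitments into a Merkle root, and later opens a single field to a verifier. The field names, sample values and tree layout are assumptions made for illustration; the MPC session, the zero-knowledge proof and the notary's signature over the root are not modelled.

```python
import hashlib, hmac, secrets

def h(tag: bytes, *parts: bytes) -> bytes:
    """SHA-256 with a domain tag and length-prefixed parts (unambiguous framing)."""
    d = hashlib.sha256(tag)
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()

def commit_field(name: str, value: str, salt: bytes) -> bytes:
    # The salt hides the value: an unsalted hash of a follower count is guessable.
    return h(b"leaf", salt, name.encode(), value.encode())

def _next_level(level):
    # Hash adjacent pairs; an unpaired last node is promoted unchanged.
    pairs = [h(b"node", level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
    return pairs + ([level[-1]] if len(level) % 2 else [])

def merkle_root(leaves):
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]

def merkle_proof(leaves, index):
    """Sibling hashes from leaf to root, each flagged if it sits on the left."""
    proof, level = [], list(leaves)
    while len(level) > 1:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((level[sibling], sibling < index))
        level, index = _next_level(level), index // 2
    return proof

def verify_disclosure(root, name, value, salt, proof):
    """Verifier side: recompute the root from one opened field and its proof."""
    node = commit_field(name, value, salt)
    for sibling, on_left in proof:
        node = h(b"node", sibling, node) if on_left else h(b"node", node, sibling)
    return hmac.compare_digest(node, root)

# Constructed sample values, not real account data.
FIELDS = [("handle", "@example_creator"), ("followers", "48213"),
          ("posts", "312"), ("views_30d", "905114"), ("reached_30d", "377020")]

def client_commit(fields):
    salts = [secrets.token_bytes(16) for _ in fields]
    leaves = [commit_field(n, v, s) for (n, v), s in zip(fields, salts)]
    return merkle_root(leaves), leaves, salts
```

In this model the verifier is handed only the root, one field, its salt and its proof; the other four fields stay hidden behind their salted hashes.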
vouch in practice: what AudienceCheck verifies
Using the vouch application, AudienceCheck currently verifies the following Instagram fields for creators:
- Follower count: Total verified followers at time of proof
- Post count: Total published posts
- Views (30d): Total views in the last 30 days
- Accounts reached (30d): Unique accounts reached
- Audience by country: Top 4 countries + percentages
- Verified handle: Cryptographic link between proof and @handle