Blog · Document timestamping

Why your domain dying shouldn't kill your timestamp receipt

The number-one question every working photographer asks before paying anything for a timestamping service: what happens to my proof if your company disappears?

This is a reasonable thing to ask. Earlier consumer-facing timestamping services have appeared, attracted some traction, and then either shut down, let their certificates lapse, or pivoted to enterprise-only sales channels. The pattern is consistent enough that any prospective customer is right to wonder what happens to their receipt when the operator of the service is no longer around to vouch for it.

If you anchored five hundred photos through such a service before it disappeared, what would you have? Probably a forgotten password to a defunct login page and a vague memory that you'd "done something."

This post explains why Orphograph receipts are structurally different — the proof works without Orphograph, by construction — and exactly which files a holder needs to save to make that promise real.

The two kinds of timestamping services

There are two architectural shapes a timestamping service can take. One survives the company's death; the other doesn't.

Type A — proprietary verifier (don't trust these for the long haul)

The service issues a "receipt" that's basically a database record keyed to your account. Verification means logging back into their site and clicking "verify." If the site is down, your receipt is worthless.

These services usually have nice UX and slick marketing. They sell trust, not durability.

Type B — open-standard receipts (these survive)

The service is a wrapper around an open standard. Their receipts are not their property — they're standardized files anyone can verify against the underlying chain or protocol. If the wrapper dies, the receipts still work.

Orphograph is type B by design. So is raw OpenTimestamps. Other timestamping services vary in their architecture: some emit receipts that verify only against their proprietary tools, others emit receipts that verify against the underlying chain or open protocol independently. Readers evaluating an alternative should ask whether the receipt verifies without the issuer's servers — that is the test.

How an Orphograph receipt survives the office

When a file is anchored with Orphograph, the holder receives:

1. A receipt JSON file (~1KB) — contains the SHA-256 hash of the file, the timestamp, and pointers to the OpenTimestamps calendar servers that received it.

2. Five .ots proof files (~200–500 bytes each) — one per OpenTimestamps calendar. Each contains the cryptographic path from the hash up to a Bitcoin transaction.

3. A SHA-512 sibling witness in the receipt — a hedge against any future weakness in SHA-256.

Total bundle: about 3KB. Save it next to the photo.

To verify five years from now, three things are required — none of which depend on Orphograph still existing:

1. The original file (the holder has it).

2. The receipt and .ots files (the holder saved them).

3. A copy of the open-source verifier — available at orphograph.com/verify/ (MIT, roughly 100 lines of Python; a paranoid holder can keep a local copy).

Plus, optionally, the public Bitcoin chain, which is replicated across tens of thousands of independent nodes worldwide.

That is the contract. The math, not the issuing company, is the trust.

What to actually save

Here's the minimum-paranoid backup posture:

Tier 1 — what you save next to every photo (zero effort)

Just save the receipt JSON next to your photo, like an .xmp sidecar. The five .ots files are tiny; tar them up alongside.

my_photo.jpg
  my_photo.jpg.orpho.json     ← the receipt
  my_photo.jpg.orpho.tar      ← the 5 .ots files

Most photographers already do something like this for RAW + JPG pairs. Add .orpho.json to the workflow and the job is done. The Orphograph folder-watcher CLI does this automatically.

Tier 2 — what you save in case of zombie internet (low effort)

Once, save a copy of the verifier somewhere you control:

curl -O https://orphograph.com/verify/orphograph-verify-0.1.tar.gz

Throw it on the existing photo backup drive. The tarball is 5KB. If Orphograph goes away, the verifier is still there. If the verifier on the site changes versions later, the saved copy still verifies older receipts — the protocol is stable.

Tier 3 — what you save if you're really worried (moderate effort)

Run the OpenTimestamps client yourself to "upgrade" your .ots files into full Bitcoin merkle proofs. This bakes the entire Bitcoin transaction proof into the .ots file, so verification becomes:

1. Re-hash the original file

2. Walk the merkle path inside the .ots to a Bitcoin block hash

3. Verify the block hash against the public chain

No company involved. No website needed. Pure cryptography against a public ledger.

pip install opentimestamps-client
  ots upgrade my_photo.jpg.orpho.tar/*.ots
  ots verify my_photo.jpg.orpho.tar/*.ots

If you're anchoring evidence-grade work (legal disputes, IP litigation), do this for every important receipt within a week of anchoring. The .ots upgrade locks the proof to a specific Bitcoin block, after which no future events can affect it.

Tier 4 — what you save if you're a working journalist or whistleblower (high effort)

For the highest-paranoia use cases:

1. Upgrade the .ots files (tier 3).

2. Anchor your full archive to multiple chains (BTC + ETH + ICP via different services) so a Bitcoin-specific failure doesn't take you down.

3. Store the receipts on physically distributed media (a USB stick in a safe deposit box, a copy at a trusted family member's house, an offline-capable hard drive in your studio).

4. Anchor the receipts themselves periodically (Orphograph can anchor any file — including a .tar.gz of your other receipts).

This is overkill for 99% of photographers. It's the right move if you're documenting human-rights abuses or sitting on a Pulitzer-shaped story.

What can actually still kill your receipt

To be honest about the threat model:

The one threat Orphograph cannot insulate a holder from: losing the receipt file. The cryptography is durable; user error is the limit.

Why this is written this way

Most SaaS services ask the customer to trust the company and hope the question of long-term durability never comes up. Photographers especially think in decade-long horizons — an archive is forever, and a proof tied to a specific company's continued existence is structurally incompatible with that.

Orphograph exists because the protocol — OpenTimestamps plus Bitcoin — already solves this. The Orphograph wrapper makes the protocol accessible without pip install. The receipts are the same shape OpenTimestamps would issue directly. No proprietary fields, no watermarks, no reserved right to invalidate.

If Orphograph is around in 10 years: useful. If not: the receipts still work.

That is the whole pitch.

Orphograph is a Bitcoin file-timestamping service. Three free anchors every 24 hours. Pack of Fifty: $29 one-time, credits never expire. Standing Order: $9/month for unlimited. Open-source verifier at /verify/. Receipts verify against any Bitcoin node, independent of Orphograph. Related: why five calendars and not one. Method overview: the verifier source, annotated.

Published 2026-05-17. More from the blog.

Start here: What this office actually does.