Building Unforgeable Professional Endorsements with ATProtocol

Traditional professional endorsements on platforms like LinkedIn lack cryptographic proof—anyone could forge them, and the platform controls the truth. This article introduces a two-record architecture using ATProtocol's Content Identifiers (CIDs) and Decentralized Identifiers (DIDs) to create mathematically unforgeable mutual attestations. By separating proof creation from endorsement acceptance and leveraging the firehose for distributed validation, we build a system where both parties cryptographically consent and no central authority can manipulate the record.

by Nick Gerakines|

October 13, 2025

Picture this: You're scrolling through LinkedIn, and you see that your colleague has "endorsed" you for Python. Great! Except... did they really? Could they claim they never did it? Could you fake an endorsement from them? The answer is unsettling: maybe.

Traditional endorsement systems have a fundamental problem: they're one-sided attestations stored in centralized databases without cryptographic proof. When Alice endorses Bob for "distributed systems expertise," there's no mathematical proof that Alice actually created that endorsement and Bob actually accepted it. We're trusting LinkedIn to tell the truth, to preserve the data accurately, and to never alter the historical record. We're trusting the platform, not the math.

What if we could build an endorsement system where the cryptographic properties guarantee that both parties explicitly consented, nobody can forge or repudiate an endorsement, and there's no single company we have to trust? Enter ATProtocol and cryptographically-verified mutual attestations.

ATProtocol provides the perfect foundation for this through two killer features: Content Identifiers (CIDs) that create cryptographic fingerprints of data, and Decentralized Identifiers (DIDs) that enable self-sovereign identity without central account systems. The combination enables something powerful: unforgeable bidirectional consent where both the giver and receiver cryptographically commit to the endorsement, and anyone can verify its authenticity by checking the math, not by trusting a platform.

The Two-Record Architecture: Separating Commitment from Execution

Most developers' first instinct would be to create a single endorsement record that both parties sign. In the Atmosphere we can leverage ATProtocol's lexicon system to do something more elegant, a two-record architecture that separates the commitment phase from the execution phase.

The Proof Record

The first record type is the proof. This is created by the giver to cryptographically commit to the endorsement. It contains only a CID (Content Identifier) of the endorsement content. This is where minimalism becomes security. The CID is a cryptographic hash computed from the endorsement data. Alice creates this proof in her repository, cryptographically signing that she authored this specific endorsement.

The Endorsement Record

The second record type is the endorsement itself. This is created by the receiver when accepting the endorsement. It contains the actual content (giver, receiver, endorsement text) plus a signatures field that references Alice's proof record. This creates the cryptographic link: Bob's endorsement points to Alice's proof via a strongRef (AT-URI + CID). The CID in the signatures field must match the CID that Alice committed to in her proof record.

Why Two Records Instead of One?

This separation provides several critical properties:

Temporal Decoupling: Alice can create the proof while Bob is offline. Bob can review and accept days later. No coordination required.
Clear Consent: Bob must accept the endorsement explicitly. Passive acceptance isn't possible.
Independent Verification: Each record is signed by its creator using ATProtocol's repository signature mechanism.
Unforgeable Authorship: Alice's proof record cryptographically commits her to the endorsement content via the CID. She can't later claim she wrote different text.
Clean Rejection: If Bob doesn't create the endorsement record, it never becomes public.

The Workflow: Creating Mutual Attestation

Let's walk through the complete lifecycle:

Phase 1: Draft Creation

Alice wants to endorse Bob. She opens her endorsement app and fills out the form. At this point, nothing is on ATProtocol—the draft exists only in the application's database. Alice can iterate, edit, even delete the draft without any permanent records being created.

Phase 2: Giver Finalizes with Cryptographic Commitment

Alice reviews her draft and clicks "Finalize". The app computes the CID of the endorsement content and creates a proof record in Alice's repository. This proof is broadcast to the ATProtocol firehose. Alice has now published her commitment to endorse Bob with this specific content.

Phase 3: Receiver Reviews and Accepts

Bob receives a notification and reviews the draft. If he accepts, the app creates the endorsement record in Bob's repository, pointing to Alice's proof. The cryptographic chain is complete: Alice's proof commits to the endorsement content via CID, and Bob's endorsement references that proof. Both are independently signed in their respective repositories.

Phase 4: Asynchronous Validation

Here's where ATProtocol's architecture becomes powerful. Your app subscribes to the firehose and processes events. When it sees a new endorsement, it fetches the referenced proof and validates the cryptographic chain. No API calls to centralized servers. No trusting someone else's validation. Just math and distributed data.

Security Properties

This system provides robust security guarantees:

No Forgery: Eve can't create a fake proof from Alice—it must be in Alice's repository, and indirectly with her signature.

No Repudiation: Alice can't credibly deny creating a proof once it's broadcast. The cryptographic signature proves authorship.

No Modification: Any change to the endorsement content produces a different CID, breaking validation.

No Replay: Endorsements are bound to specific receiver DIDs through the CID. You can't reuse Alice's proof for a different receiver.

The security derives from cryptographic primitives: 256-bit elliptic curve signatures, SHA-256 collision-resistant hashing, and content addressing that binds proofs to specific content. The system is permissionless—you don't need anyone's permission to create, accept, or validate endorsements.

Why the Firehose Architecture Enables This

The firehose provides a fundamentally different model than traditional request-response APIs:

Offline operation: Alice can create endorsements without Bob being online
Eventual consistency: All apps eventually converge to the same validation state
Autonomous verification: Each app is a first-class validator using cryptographic proofs
Real-time updates: Events stream within seconds, not poll-based delays

This architecture eliminates single points of failure through distributed trust and mathematical guarantees.

Beyond Professional Endorsements

The same architecture applies to any scenario requiring bidirectional consent and unforgeable proof:

Academic peer review where reviewers and authors mutually attest
Educational credentials where institutions issue and graduates accept
Business contracts with independently verifiable signatures
Product reviews where both reviewer and seller acknowledge the transaction
Identity verification with mutual cryptographic commitment

The pattern naturally extends to multi-party collaborations—imagine a project record where Alice, Bob, and Carol all cryptographically commit to having worked together. Or consider privacy-preserving endorsements using zero-knowledge proofs: proving you have 5+ endorsements without revealing who gave them.

Conclusion

ATProtocol provides the cryptographic primitives to build systems where truth is mathematical, where users control their data, and where nobody—not you, not any platform—can forge or deny what happened. The future of professional reputation is cryptographically-verified and radically decentralized.

In Part 2, we'll dive deep into the implementation details: CID computation algorithms, validation code, firehose event processing, and attack resistance analysis. We'll explore the actual code that makes this system unforgeable.

Get updates from Nick's Blog!