Proof of Location
A proof of location is a signed, time-stamped statement that a verifier can check independently. The verifier does not need to trust the SDK, the device, or Octet.
Why we need this
A claim like "the user was in the US on Tuesday at 3 pm" can come from many places: the OS, the device's GPS chip, a browser API, a mock-location app. Most of those can be forged trivially. A claim becomes useful only when a third party (your backend, an auditor, a regulator) can verify it without trusting the claimant.
The Octet SDK exists to produce those claims. Every YES or NO answer it gives you carries a proof artifact you can:
- Forward to your backend, which can verify it offline using Octet's published public keys.
- Hand to a compliance auditor, who can re-verify it months later.
- Store as a permanent record: "at this time, the device claimed this place, and here's the signed witness."
A YES without a proof is just an opinion. The SDK never produces one.
How it works (in a nutshell)
The SDK collects evidence from many independent sources on the device. Sensor fusion combines GNSS, cellular network identity, motion sensors, and platform attestation (Apple App Attest, Google Play Integrity) into a verdict that includes a cryptographic proof. The signing key lives in the device's hardware root of trust (the Secure Enclave on iOS, the Trusted Execution Environment on Android) and never leaves the chip. The proof itself is a signed protobuf that names:
- The claimed region (e.g. country US, or a disc of radius 250 m).
- The time of fix and how long the claim is plausibly valid.
- A confidence summary capturing what the SDK saw (and did not see).
- An attestation chain binding the proof to a genuine device and a genuine Octet SDK binary.
You do not need to understand the internals to use the SDK. You call isWithin(region). You get back a Verdict with a proof. If something is off (rooted device, mocked location, jammed GPS), the proof is not issued and the verdict comes back INDETERMINATE with a structured reason.
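A sketch of the backend-side check described above, as an added example that is not Octet's code. The proof layout, field names, JSON encoding (standing in for the real protobuf) and the choice of Ed25519 are all assumptions, and attestation-chain validation is left out.

```javascript
// Hypothetical proof layout for illustration only; NOT Octet's wire format.
const crypto = require("node:crypto");

// Bytes covered by the signature: fixed field order, so any change to a field
// changes what is verified (stand-in for protobuf serialization).
function signedBytes(p) {
  return Buffer.from(JSON.stringify([p.region, p.fixTime, p.validUntil, p.confidence]));
}

// evalTime is the moment the decision applies to (Unix seconds). An auditor
// re-verifying months later passes the original decision time, not "now".
function verifyProof(proof, signature, publicKey, expectedRegion, evalTime) {
  // 1. Signature first: nothing in the proof is trusted before this passes.
  if (!crypto.verify(null, signedBytes(proof), publicKey, signature))
    return { ok: false, reason: "BAD_SIGNATURE" };
  // 2. The signed region must be the one the caller asked about.
  if (proof.region !== expectedRegion)
    return { ok: false, reason: "REGION_MISMATCH" };
  // 3. The proof says "the device was here at time T", valid for a bounded interval.
  if (evalTime < proof.fixTime) return { ok: false, reason: "NOT_YET_VALID" };
  if (evalTime > proof.validUntil) return { ok: false, reason: "EXPIRED" };
  return { ok: true, reason: "OK" };
}

// Constructed sample data: a locally generated key pair stands in for the
// device-held signing key and the published public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
const sampleProof = {
  region: "country:US", fixTime: 1700000000, validUntil: 1700000300,
  confidence: "gnss+cell+attested",
};
const sampleSig = crypto.sign(null, signedBytes(sampleProof), privateKey);

function demo() {
  const tampered = { ...sampleProof, region: "country:CA" }; // edited after signing
  const check = (p, region, t) => verifyProof(p, sampleSig, publicKey, region, t).reason;
  return {
    fresh: check(sampleProof, "country:US", 1700000100),
    expired: check(sampleProof, "country:US", 1700000301),
    tampered: check(tampered, "country:CA", 1700000100),
    wrongRegion: check(sampleProof, "country:CA", 1700000100),
  };
}
console.log(demo());
```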
What the SDK does NOT promise
- The SDK does not tell you "is the user spoofing?". It tells you whether a proof can be issued. Spoof signals fold into the verdict.
- The SDK does not promise a YES in every environment. On emulators, indoors with no cellular, on rooted devices, or with a mock-location app running, the answer is INDETERMINATE.
- The SDK does not predict the future. A proof says "the device was here at time T". It does not say "the device will still be here a minute from now." See Time Semantics.
Where to go next
- Verdicts. The YES / NO / INDETERMINATE trichotomy and how to interpret the reason code.
- Regions. What kinds of areas you can ask about.
- Time Semantics. How atTime and proof validity intervals interact.