How to Verify E2EE in NFLTR

Use this guide to confirm that a tunnel is really running in verified mode at the NFLTR relay, that the verified hostname points at the identity you expect, and that the proof artifacts match the agent fingerprint you trust. It starts with the plain-language version first.

What this guide covers

This tutorial is for the browser-facing verified tunnel flow: nfltr http --mode verified or the legacy --e2ee spelling.

Note on trust: NFLTR is preparing the agent for open-source publication. Once published, you can audit the code to verify how fingerprints are generated and reported.

WireGuard and P2P are also end-to-end encrypted, but they use different verification surfaces.

Minimal Verification Story

Think of a verified NFLTR tunnel like a locked truck:

your app puts the data in the truck and locks it
NFLTR drives the truck to the visitor
NFLTR should not be able to open the truck and read what is inside

If you only want the simple version, check these three things:

Check	Plain-English meaning	Why it matters
The tunnel says `Verified`	You started the tunnel in verified mode.	NFLTR should be forwarding encrypted traffic, not inspectable HTTP.
The proof JSON says `blind_relay: true`	The public proof endpoint says the NFLTR relay is classifying this route as agent-terminated TLS.	This is the server's public statement about route mode at the NFLTR layer.
`tls_fingerprint` in the proof JSON matches the agent fingerprint	The proof is talking about the same certificate your agent is actually using.	This confirms identity continuity for the certificate serving the route.

The short answer

If those three things line up, you have strong evidence that NFLTR itself is routing the endpoint in verified mode and that the proof artifacts describe the same certificate identity your agent started with. If you only do one technical check, do the fingerprint match.

Why this proof works

Fingerprint matching is hard to fake because changing TLS identity means changing the private key. If the relay showed you a different fingerprint, it would be a different certificate identity. A matching fingerprint means the proof artifacts and the agent startup banner are talking about the same identity, not a substituted one.
blind_relay: true is the relay's public claim about that same identity. The proof page is not asking you to trust an anonymous statement. It publishes blind_relay: true alongside the exact tls_fingerprint you matched, so the route-mode claim is tied to the same TLS identity you started the tunnel with.
What you are verifying is the link between identity and claim. Matching fingerprints means same identity. blind_relay: true means that identity is claiming NFLTR did not read HTTP content for this route.
The agent honestly reports its fingerprint. The agent binary (or source code once publication is available) prints the real fingerprint of the TLS certificate it is using. As open-source artifacts roll out, you can audit this behavior and verify reproducible builds match the source.

Why you should trust this

If the relay claims blind relay but actually read your data, it is making a false public claim under a specific TLS identity that can be logged, audited, and compared over time.
trust_state: Transparency Verified makes that stronger because it adds historical accountability. Identity alone says who is making the claim right now. Transparency says this identity was logged and the append-only chain verified, which makes silent substitution harder.
For deeper trust: As the agent open-source rollout lands, you can audit exactly how the certificate fingerprint is printed and used. You can verify the binary matches the source via reproducible builds. This reduces reliance on binary-only trust.
This is an accountability model, not magic. You are trusting this identity's claim now, while keeping evidence you can audit later.

What is proven

You have verified that the TLS identity claiming blind_relay: true is the same identity the agent started the tunnel with.
The relay publicly classifies this route as agent-terminated TLS rather than inspectable HTTP.
Making that claim under a linked identity creates accountability because false claims can be audited later.

What is not proven

Metadata handling: Fingerprint verification proves the relay cannot read your payload. It does not verify what metadata (IP, timing, byte counts, hostnames) NFLTR logs or retains. Review NFLTR's privacy policy and retention practices separately.
Persistent trustworthiness: This verification proves the current identity is linked to the current blind_relay=true claim. It does not guarantee NFLTR will keep this promise in the future or never change the code.
Requests after tunnel restart: Once the tunnel is restarted, the agent may generate a new certificate with a different fingerprint. If the fingerprint changes, you are verifying a different identity. Re-verify if it matters for your use case.
End-to-end trustworthiness beyond the relay: This verification proves the relay cannot read your payload at the relay. It does not prove that the user visiting your tunnel cannot be observed by network eavesdroppers, ISPs, or compromised endpoints.

Common confusion

"The fingerprint match means the same identity. Blind relay is what that identity claims."

If the operator breaks that promise later, the identity or the proof state would need to change, and you would have evidence that something changed. However, if the tunnel is restarted, the fingerprint may be different (new certificate), so you would be verifying a different identity than before. Each tunnel session has its own fingerprint-to-claim verification.

What You Are Verifying

Signal	Where to check	What it proves
Verified mode badge	CLI banner and dashboard	The tunnel is configured for verified mode rather than inspectable HTTP.
Verified E2EE Hostname = ready	Dashboard Route Catalog	A stable verified hostname is published for this agent.
`blind_relay: true`	Public proof JSON	The server classifies this route as an agent-terminated TLS path at the NFLTR layer.
`trust_state: Transparency Verified`	Proof page or proof JSON	The identity is present in the transparency log and the append-only transparency chain verified.
`tls_fingerprint` matches the CLI banner	Agent startup output + proof JSON	The proof artifacts refer to the same TLS identity the agent generated or loaded.
Traffic Inspector stays empty	Dashboard Traffic panel	The NFLTR relay did not capture plaintext HTTP for this verified route.

Prerequisites

The agent is running with --mode verified or --e2ee.
The server has a verified base domain configured if you want a stable hostname:
--e2ee.tls_passthrough.base_domain=secure.example.com
Your wildcard DNS already points at the relay.

If the verified hostname is missing or stuck in configure state, use Cloudflare DNS Helper first.

1. Start a Verified Tunnel

# local test service
python3 -m http.server 3000

# verified tunnel
nfltr http 3000 --mode verified --name demo-app --no-share

In the CLI output, confirm all of these are present:

Tunnel Mode Verified
E2EE enabled
Fingerprint ...
a forwarding URL such as https://nfltr.xyz/browse/demo-app/

Save the fingerprint

Keep the SHA-256 fingerprint printed by the agent. You will compare it to the proof JSON later to confirm identity continuity.

2. Check the Dashboard

Open the dashboard and find the agent card.

You want to see:

the Verified mode badge
an active E2EE panel
a Verified E2EE Hostname entry in the Route Catalog
the verified hostname status set to ready
a Proof bundle action next to that hostname

You should also expect the opposite of inspectable mode behavior: Traffic Inspector stays empty because the relay cannot inspect plaintext traffic.

3. Open the Public Proof Artifacts

For an agent named demo-app, the three proof endpoints are:

https://your-server.example/proof/demo-app
https://your-server.example/proof/demo-app.json
https://your-server.example/proof/demo-app.zip

The JSON endpoint is the easiest place to verify raw facts. A healthy verified tunnel looks like this:

{
  "agent_id": "demo-app",
  "verified_hostname": "https://demo-app.secure.example.com/",
  "blind_relay": true,
  "trust_state": "Transparency Verified",
  "transparency_logged": true,
  "chain_verified": true,
  "tls_fingerprint": "AA:BB:CC:..."
}

Check these fields:

verified_hostname is present and points at the hostname users should visit.
blind_relay is true, meaning the NFLTR relay is classifying this route as agent-terminated TLS.
transparency_logged is true.
chain_verified is true when the full append-only transparency log chain verified.
tls_fingerprint matches the fingerprint printed by the agent when it started.

4. Download the Proof Bundle

The proof bundle is the durable audit artifact you can save alongside a deployment, security review, or customer handoff.

It contains:

README.txt
proof.json
transparency-history.json when transparency entries exist

If you need to prove what identity was live at a specific point in time, the ZIP is the easiest artifact to keep.

5. Understand the Trust States

Trust state	Meaning	What to do
Transparency Verified	The current identity is in the transparency log and the append-only transparency chain verified successfully.	This is the strongest verification result.
Transparency Logged	The identity is present in the transparency log, but this view did not confirm the stronger full-chain transparency result.	Usually acceptable; check the proof page or JSON for the stronger chain result.
TOFU / Fingerprint Pinning	No matching transparency entry was available.	Compare and pin the fingerprint directly, or use a CA-backed certificate.
ACME Provisioning	The agent requested a public certificate but issuance is still in progress.	Wait for issuance to complete before treating the route as fully verified.

In practice, the dashboard often shows Transparency Logged, while the public proof page or JSON can upgrade that result to Transparency Verified after a full chain check.

6. What Fingerprint Matching Actually Proves

Fingerprint matching is an identity check, not a complete proof about every hop on the network path.

Signal	Meaning
Fingerprint matches	The proof artifacts and the CLI banner are talking about the same TLS certificate identity.
Fingerprint matches	The verified hostname is expected to terminate TLS at that agent when the hostname reaches the agent directly.
Still possible	A CDN or reverse proxy in front of nfltr.xyz can still terminate the outer TLS connection and inspect plaintext before it reaches NFLTR.
Still visible	The relay can still see hostname, timing, client IP, and byte counts even in verified mode.

7. Optional Advanced Check: Verify the Agent Source Code

If you want the strongest possible verification, you can audit the agent source code and build from source instead of using a binary.

Why this matters: The verification flow relies on the agent honestly reporting its TLS certificate fingerprint. During open-source rollout, you can:

Audit the agent code to confirm it prints the real fingerprint of the certificate it uses
Verify the certificate used for reporting is the same certificate used for the user-facing TLS connection
Build the agent yourself from source and verify reproducible builds match the official binary

Steps:

Clone the agent repository (URL to be added when agent is open-sourced)
Review cmd/nfltr/main.go and related certificate handling code
Build from source:
```
go build -o nfltr ./cmd/nfltr
```
Run your own build and compare the fingerprint output to the official proof page
Verify reproducible builds: Compare binary hash to official release builds

This removes the need to trust a closed-source binary — you can verify the behavior directly from the code.

8. Optional Advanced Check: Compare the Certificate Directly

Only do this when the verified hostname exposes the agent's certificate directly. If a CDN or reverse proxy terminates TLS in front of the relay, use the proof JSON and proof bundle as your trust anchor instead.

openssl s_client \
  -connect demo-app.secure.example.com:443 \
  -servername demo-app.secure.example.com </dev/null 2>/dev/null \
  | openssl x509 -noout -fingerprint -sha256

Compare the printed fingerprint to tls_fingerprint in the proof JSON.

9. Troubleshooting

Symptom	Likely cause	Fix
Agent shows Inspectable instead of Verified	The tunnel was started without `--mode verified` or with `--mode inspectable`.	Restart the tunnel in verified mode.
Verified hostname missing	`e2ee.tls_passthrough.base_domain` is not configured.	Configure the server flag and wildcard DNS.
Proof JSON has `blind_relay: false`	You are checking a relay-visible route, not a verified route.	Use the verified hostname and verified tunnel mode.
`chain_verified` is false but `transparency_logged` is true	The identity is logged, but the stronger full-chain result was not available for that view.	Refresh later or rely on the logged state plus the fingerprint.
Browser shows a certificate warning	The agent is using a self-signed certificate.	This is normal for self-signed verified mode; compare the fingerprint instead of expecting a public CA padlock.
Traffic Inspector is empty	The route is verified and the NFLTR relay did not see plaintext HTTP.	No action needed.

Quick Checklist

Start the tunnel with --mode verified.
Save the fingerprint shown in the CLI banner.
Confirm the dashboard shows Verified mode.
Open /proof/<agent>.json and verify blind_relay = true and that the fingerprint matches the CLI output.
If you want the stronger check, confirm the Route Catalog shows Verified E2EE Hostname in ready state and the proof JSON reports a good trust state.
Download the proof bundle if you need a durable audit artifact.

Success Checklist

You can explain in one sentence why the fingerprint match matters: same identity means the same party is accountable for the claim.
You can explain why Transparency Verified is stronger than identity alone: it adds append-only historical evidence on top of the current identity match.
You understand the trade-off: you are trusting this identity's claim now, but you can audit that claim later through the proof bundle and transparency history.
(For maximum verification confidence) You have audited the agent source code or built the agent from source to confirm it honestly reports its TLS certificate fingerprint.