โ† Dragonfly

๐Ÿ”’ Verify a Dragonfly signal

Every Dragonfly editorial signal is cryptographically signed with an Ed25519 private key the moment it's published. The canonical payload + signature for any signal is publicly accessible. Verification is trivial โ€” we can't quietly edit history, and you don't have to trust us to confirm what we said.

Quick verify (in this browser)

Manual verification (any environment)

Three public endpoints, no auth required:

GET /api/public-key                  # Ed25519 pubkey (base64) + fingerprint
GET /api/verify/<signal_id>          # canonical payload + signature
GET /api/signals                     # list of all published signal IDs

Python (5 lines)

import base64, requests, json
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey

pub = base64.b64decode(requests.get("https://tracker.officialdragonflysystems.com/api/public-key").json()["public_key"])
sig = requests.get(f"https://tracker.officialdragonflysystems.com/api/verify/{signal_id}").json()
payload = json.dumps(sig["payload"], sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")
Ed25519PublicKey.from_public_bytes(pub).verify(base64.b64decode(sig["signature"]), payload)
# raises if invalid; silent return = signature matches

Node.js (7 lines)

const pub = await fetch('/api/public-key').then(r=>r.json());
const sig = await fetch(`/api/verify/${signal_id}`).then(r=>r.json());
const raw = Buffer.from(pub.public_key, 'base64');
const key = crypto.createPublicKey({ key: Buffer.concat([Buffer.from('302a300506032b6570032100','hex'), raw]), format: 'der', type: 'spki' });
const sorted = {}; Object.keys(sig.payload).sort().forEach(k => sorted[k] = sig.payload[k]);
const payload = Buffer.from(JSON.stringify(sorted), 'utf8');
crypto.verify(null, payload, key, Buffer.from(sig.signature, 'base64'));  // โ†’ true if valid

Why this matters

Most newsletters can quietly edit yesterday's prediction to look better. We can't โ€” the signature would no longer match the canonical payload, and anyone (you, a journalist, a competitor) can check.

Signing happens at publish time. Each signal carries the publish-day timestamp + a fingerprint (pubkey_fp) that marks our current signing key. Key rotation history is auditable.

On-chain anchoring

When we cross 50 paid subscribers, the SHA-256 hash of every signal's canonical payload gets written to Polygon + Base + Solana โ€” adding a layer that survives even if our servers vanish. The signing infrastructure today is the foundation that on-chain anchoring builds on.