02 Proof of human / Identity

PulseProof

by Yashesh Bharti
A proof-of-humanity infrastructure built by Yashesh Bharti. Verifies a living human from the pulse in their face or wrist, on the device, in under two seconds, without sending any biometric data to a server.
Status: Live
Verify: < 2s
API: < 200ms

01 Problem

CAPTCHA is finished

Bots have surpassed CAPTCHA. Face-scan vendors are invasive and centralised. Device fingerprinting and behavioural biometrics are easy to spoof. None of these techniques can authorise an AI agent acting on a human's behalf, and none give the relying party a cryptographic guarantee that a real human was on the other side at that moment.

02 Product

A signed proof in two seconds

The PulseProof SDK runs a short remote photoplethysmography (rPPG) read using the device's camera, detects the live cardiac signal in the user's face, and converts it into a signed verification token. The token is the only artifact that ever leaves the device. Backends call a single verify endpoint and get a boolean plus signed metadata about strength and freshness.

03 What I built

Capabilities

  • On-device pulse. Remote photoplethysmography reads blood-volume changes through the skin via the camera.
  • Cryptographic token. ML output is compressed into a signed proof token. Raw biometric data is discarded after verification.
  • Three SDKs. Drop-in Swift, Kotlin, and @pulseproof/web packages with a single verify call.
  • Spoof resistance. Rejects photos, masks, and screen replays. 99.7% accuracy in internal benchmarks.
  • Clinical accuracy. Heart rate within 1 to 3 BPM of clinical ECG. Comparable to Apple Watch PPG.
  • Trust tiers. Levels for financial, healthcare, KYC, marketplace, AI agent authorisation, government, and dating use cases.

04 Architecture

On-device by construction

The pulse signal never leaves the phone. The SDK runs a short rPPG capture, extracts the cardiac waveform on the CPU/NPU, evaluates liveness against a model that distinguishes a beating heart from a flat surface, and emits a signed token bound to the verifier's public key and a nonce. The verify endpoint validates the signature and freshness, then returns a single boolean plus a strength score. No biometric database is ever populated, server side or client side.
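The relying-party checks this paragraph names (signature, binding to the verifier, nonce, freshness, single use) can be sketched as follows. This is an added example, not PulseProof's code: the token layout, the `aud` field standing in for the verifier binding, the 30-second window, the `Verifier` class, and the use of HMAC-SHA256 in place of the unspecified signature scheme are all assumptions.

```python
import base64, hashlib, hmac, json, secrets

# Constructed demo key. HMAC-SHA256 stands in for the token signature,
# whose actual scheme the page does not specify.
DEMO_KEY = b"constructed-demo-key"
MAX_AGE_S = 30  # assumed freshness window, in seconds


def _b64(data):
    return base64.urlsafe_b64encode(data).decode()


def issue_token(nonce, audience, strength, key=DEMO_KEY):
    """Device side (hypothetical layout): base64(payload) '.' base64(MAC)."""
    payload = json.dumps({"nonce": nonce, "aud": audience,
                          "strength": strength}, sort_keys=True).encode()
    return _b64(payload) + "." + _b64(hmac.new(key, payload, hashlib.sha256).digest())


class Verifier:
    def __init__(self, audience, key=DEMO_KEY):
        self.audience, self.key = audience, key
        self.pending = {}  # nonce -> time it was handed out

    def new_nonce(self, now):
        nonce = secrets.token_urlsafe(16)
        self.pending[nonce] = now
        return nonce

    def verify(self, token, now):
        """Return (True, strength) or (False, reason)."""
        try:
            p64, s64 = token.split(".")
            payload = base64.urlsafe_b64decode(p64)
            sig = base64.urlsafe_b64decode(s64)
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False, "bad signature"
        claims = json.loads(payload)
        if claims.get("aud") != self.audience:
            return False, "wrong audience"
        # pop() makes the nonce single-use: a replayed token finds nothing.
        issued = self.pending.pop(claims.get("nonce"), None)
        if issued is None:
            return False, "unknown or replayed nonce"
        if not 0 <= now - issued <= MAX_AGE_S:
            return False, "stale"
        return True, claims["strength"]
```

Freshness is measured from the verifier's own record of when it issued the nonce, so the result does not depend on the device clock.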

05 Technical stack

Stack

  • Capture: rPPG via device camera
  • ML: On-device inference (CPU/NPU)
  • Token: Signed, time-bound, single-use
  • iOS SDK: Swift, import PulseProofSDK
  • Android SDK: Kotlin
  • Web SDK: @pulseproof/web (npm)
  • Compliance: SOC 2 Type II, GDPR, HIPAA, ISO 27001, PCI DSS, CCPA, NIST, FedRAMP Ready

06 Product decisions

Why this shape

  • Liveness without enrolment. Most face vendors require a stored template. PulseProof does not. There is nothing to leak because nothing is kept.
  • Pulse, not face geometry. A pulse signal cannot be lifted from a photo, a mask, or a screen replay. It is also categorically not an identity, so it does not introduce a new biometric identifier into the verifier's database.
  • The token is the product. A short-lived, signed proof of liveness is what the verifier actually needs. Building the SDK around the token, rather than around "raw biometric data", is what makes the privacy posture defensible.
  • Three SDKs, one API. A backend that learns the verify call once supports iOS, Android, and Web users on day one.

07 Security and privacy

Defense by absence

No biometric data crosses the network. No device fingerprint is stored. The verifier receives only a signed token and a strength score. Compliance posture covers SOC 2 Type II, GDPR, HIPAA, ISO 27001, PCI DSS, CCPA, NIST, and FedRAMP Ready alignment, so regulated industries can adopt without a parallel privacy review.

08 Outcome

Where it stands

PulseProof ships live SDKs for iOS, Android, and Web. The free tier covers 1,000 verifications per month, the growth tier 10,000, and the enterprise tier is custom with an on-premise option. The platform is targeted at use cases where the question is not "who are you" but "are you a human who is here right now": AI agent authorisation, financial step-up, healthcare login, marketplace trust, and bot-free platforms.
