TweetCert Documentation
Learn how to use accounts, certify tweets, and manage followings.
Also see our Terms & Conditions and Legal Notice.
Legal Use, GDPR, and Technology Overview (EU)
Legal use (EU context)
- Use the app to preserve and evidence the state of public X/Twitter posts at a given time (for compliance, audit, litigation support, or records management).
- Respect platform terms and applicable EU laws, including copyright, privacy/data protection, and evidentiary rules in your Member State.
- Certificates include metadata and integrity proofs; they do not transfer ownership or licensing of the original content.
GDPR and data protection
- Roles: Depending on your use, you may act as a data controller; we may act as a processor or joint controller for certain operations.
- Lawful basis (Art. 6 GDPR): Typically legitimate interests for evidence preservation; if applicable, consent or contract may also apply.
- Data minimisation (Art. 5): We store only what is needed to reproduce the certificate and verify integrity.
- Data subject rights (Arts. 12–23): Access, rectification, erasure, restriction, objection, and portability requests are supported via our support contact.
- Retention: Certificates and related metadata are retained only as long as necessary for the stated purpose; deletion is available through account removal.
- International transfers (Ch. V): If data leaves the EEA, we use appropriate safeguards (e.g., SCCs) where required.
- DPIA: If your use case is high-risk, conduct a DPIA and implement additional safeguards where necessary.
Technologies
- Authentication with NextAuth and Google (OAuth 2.0 / OpenID Connect).
- Certificates generated as PDF with embedded metadata and a SHA-256 hash.
- Optional RFC 3161 Time-Stamp Authority (TSA) token; where available, aligned with eIDAS qualified timestamp services.
Security measures
- Transport security via HTTPS/TLS 1.2+; recommended TLS 1.3.
- Authentication gates for protected actions; Google OAuth with session checks on the client and server.
- Integrity verification with SHA-256 digests embedded in the PDF; optional TSA tokens to provide trusted timestamps.
- Secrets managed via environment variables; least-privilege access; no secrets in client bundles.
- Backups, logging, and incident response procedures proportionate to risk; encryption at rest where supported by the hosting provider.
Protocols and standards
- OAuth 2.0 / OpenID Connect for authentication (NextAuth + Google).
- HTTPS/TLS 1.2+ for transport security; modern ciphersuites.
- SHA-256 (FIPS 180-4) for hashing.
- RFC 3161 Time-Stamp Protocol (TSP); when available, eIDAS-qualified timestamp services (e.g., ETSI EN 319 421).
- ETSI EN 319 401 policy framework considerations for trust services where applicable.
- PDF as the certificate distribution format.
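How the SHA-256 digest and the optional RFC 3161 timestamp fit together, as an added example that is not TweetCert's own code: it DER-encodes a TimeStampReq for a SHA-256 digest, so only the hash is sent to the TSA and never the certified content. The function names, the sample input and the fixed nonce are assumptions made for illustration.

```javascript
// Added example (not TweetCert code): DER-encode an RFC 3161 TimeStampReq.
const { createHash, randomBytes } = require('node:crypto');

// DER tag-length-value with definite length (short form or 1-2 length bytes).
function tlv(tag, content) {
  const len = content.length;
  let head;
  if (len < 0x80) head = [tag, len];
  else if (len < 0x100) head = [tag, 0x81, len];
  else head = [tag, 0x82, len >> 8, len & 0xff];
  return Buffer.concat([Buffer.from(head), content]);
}

// DER INTEGER from unsigned big-endian bytes: strip leading zeros, keep it positive.
function derUInt(bytes) {
  let i = 0;
  while (i < bytes.length - 1 && bytes[i] === 0) i++;
  let body = bytes.subarray(i);
  if (body[0] & 0x80) body = Buffer.concat([Buffer.from([0]), body]);
  return tlv(0x02, body);
}

// AlgorithmIdentifier for id-sha256 (OID 2.16.840.1.101.3.4.2.1) with NULL parameters.
const SHA256_ALG = Buffer.from('300d06096086480165030402010500', 'hex');

// Hypothetical helper: `data` is whatever bytes the certificate's hash covers.
function buildTimeStampReq(data, nonce = randomBytes(8)) {
  const digest = createHash('sha256').update(data).digest();
  const messageImprint = tlv(0x30, Buffer.concat([SHA256_ALG, tlv(0x04, digest)]));
  return tlv(0x30, Buffer.concat([
    derUInt(Buffer.from([1])),       // version: v1
    messageImprint,                  // hash algorithm + digest; the data itself is not sent
    derUInt(nonce),                  // nonce: the TSA response must echo it (replay check)
    tlv(0x01, Buffer.from([0xff])),  // certReq TRUE: ask for the TSA certificate in the token
  ]));
}

// Constructed sample input; a real request is POSTed to the TSA
// with Content-Type: application/timestamp-query.
const sampleReq = buildTimeStampReq(Buffer.from('abc'), Buffer.from('0102030405060708', 'hex'));
console.log(sampleReq.toString('hex'));
```

When checking a returned token, compare its messageImprint and nonce against the values in the request before trusting the timestamp.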
Cookies and consent
- Where required by EU ePrivacy rules, we present consent for non-essential cookies/trackers; strictly necessary cookies may be used without consent.
- Our Privacy Notice details purposes, recipients, and rights; contact our support for DSRs (data subject requests).
Account
Sign in using the Google button in the header. Your account is required to create followings and certify tweets so we can store your certificates securely.
- Sign in/out: Use the Google button in the top-right of the navigation bar.
- Data stored: We store tweet metadata, the generated PDF certificate, and integrity hashes to verify authenticity.
- Access control: Your saved items are tied to your user account.
Delete account
Deleting your account will permanently remove your data. This action cannot be undone.
- Removes your document from users.
- Removes linked records in accounts and subscriptions.
Endpoint
DELETE /api/account
Example:
await fetch('/api/account', { method: 'DELETE' })
.then(r => r.json())
Certifying tweets
Certifying a tweet creates a signed PDF containing the tweet's metadata and a SHA-256 integrity hash. This allows you to preserve the content state at the time of certification.
- Click Certify on the home page.
- Paste the public X/Twitter post URL (e.g., https://x.com/<user>/status/<id>).
- Submit to generate the certificate and automatically download the PDF.
- What is included: Tweet ID, URL, text, author info, basic metadata, and the SHA-256 hash.
- Storage: A copy of the PDF is stored so you can re-download it later.
- Troubleshooting: Ensure the URL is a direct tweet link and you are signed in.
ZIP password protection
You can protect ZIP downloads with a personal password. When enabled, per‑tweet ZIP downloads will be encrypted and require your password to open. Regular PDF downloads are not affected.
How to set your password (UI)
- Go to Account (top navigation) and find the section PDF open password.
- Enter a new password (minimum 6 characters) and click Save. Use Clear to remove it.
- From now on, when you download a certificate as ZIP, it will be encrypted with your password.
Downloading
- On the certificate download options, choose Download ZIP to get an encrypted ZIP (if a password is set).
- Regular PDF download is unchanged and does not use your password.
- If no password is set, ZIP downloads fall back to a plain (unencrypted) ZIP.
- Changing your password affects future ZIP downloads; previously downloaded ZIPs are not changed.
- Bulk ZIPs (for followings) are currently delivered as plain ZIPs.
- Keep your password safe; we cannot recover it for previously encrypted ZIPs.
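A check for the fallback behaviour listed above, as an added example that is not TweetCert's own code: it reads a downloaded ZIP's central directory and reports whether each entry is actually encrypted, which catches an archive that came back plain because no password was set. The page does not say which ZIP encryption scheme is used, so the scheme labels, the function names and the fixture are assumptions for illustration.

```javascript
// Added example (not TweetCert code): list each ZIP entry's encryption status.
// Reads only the central directory; ZIP64 archives are not handled.
function zipEncryptionReport(buf) {
  let eocd = -1; // End of Central Directory record, searched from the end
  for (let i = buf.length - 22; i >= 0 && eocd < 0; i--) {
    if (buf.readUInt32LE(i) === 0x06054b50) eocd = i;
  }
  if (eocd < 0) throw new Error('not a ZIP: no end-of-central-directory record');
  const count = buf.readUInt16LE(eocd + 10);
  let off = buf.readUInt32LE(eocd + 16);
  const report = [];
  for (let n = 0; n < count; n++) {
    if (buf.readUInt32LE(off) !== 0x02014b50) throw new Error('bad central directory entry');
    const flags = buf.readUInt16LE(off + 8);    // general purpose bit flag
    const method = buf.readUInt16LE(off + 10);  // compression method
    const nameLen = buf.readUInt16LE(off + 28);
    const skip = buf.readUInt16LE(off + 30) + buf.readUInt16LE(off + 32); // extra + comment
    const encrypted = (flags & 0x0001) !== 0;   // bit 0: entry is encrypted
    const scheme = !encrypted ? 'none'
      : method === 99 ? 'winzip-aes'            // method 99 marks WinZip AES
      : (flags & 0x0040) ? 'pkware-strong'      // bit 6: PKWARE strong encryption
      : 'zipcrypto';                            // legacy PKWARE stream cipher
    report.push({ name: buf.toString('utf8', off + 46, off + 46 + nameLen), encrypted, scheme });
    off += 46 + nameLen + skip;
  }
  return report;
}

// Constructed fixture: central directory + EOCD only (no file data), enough for the check.
function sampleZip(entries) {
  const cd = Buffer.concat(entries.map(({ name, flags, method }) => {
    const h = Buffer.alloc(46);
    h.writeUInt32LE(0x02014b50, 0);
    h.writeUInt16LE(flags, 8);
    h.writeUInt16LE(method, 10);
    h.writeUInt16LE(Buffer.byteLength(name), 28);
    return Buffer.concat([h, Buffer.from(name)]);
  }));
  const eocd = Buffer.alloc(22);
  eocd.writeUInt32LE(0x06054b50, 0);
  eocd.writeUInt16LE(entries.length, 10); // total entries
  eocd.writeUInt32LE(cd.length, 12);      // central directory size; its offset stays 0
  return Buffer.concat([cd, eocd]);
}

console.log(zipEncryptionReport(sampleZip([
  { name: 'certificate.pdf', flags: 0x0001, method: 99 }, // constructed entries
  { name: 'plain.pdf', flags: 0, method: 8 },
])));
```

On a real download, pass the file's bytes (for example from fs.readFileSync) instead of the fixture.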
Followings
Followings let you track specific users or topics. You can create and manage followings to automate actions or to keep organized lists.
- Open Create Following.
- Define your following parameters (e.g., account or topic).
- Save to start tracking. You can adjust or remove followings later.
- Visibility: Your followings are private to your account.
- Editing: You can modify or delete followings at any time.
Notes & Limits
- Public tweets only: Protected or deleted tweets cannot be certified.
- API limits: External rate limits may temporarily affect certification speed.
- Privacy: We only store data needed to reproduce the certificate and verify integrity.