What it is
A tamper-evident audit log of every vote. Each cast vote produces a SHA-256 hash that chains back to the previous vote's hash. Voters get a per-vote receipt token they can save; observers can walk the entire chain and re-tally locally.
If anyone (including Aclamos) tries to insert, delete, or mutate a vote after it was cast, the chain breaks at that position and the public verification page reports the break.
How to enable
/[org]/polls/[id] → check End-to-end verifiable mode before the poll opens. Lock it in early — toggling mid-ballot leaves earlier votes unchained.
When the first vote arrives, Aclamos generates a chain seed (32 bytes of entropy) that anchors the chain. That seed is published on the verification page so anyone can re-walk the chain.
What voters see
After casting, the voter is shown one receipt token per ballot row, like:
#42 · bvr_aBcD1234EFgh5678...
Plus a "Verify your vote" button. They can save the token (paste it into their notes, photograph it, email it to themselves) and use it at any time at /verify/receipt?token=... to confirm:
- The vote is still in the chain
- What option was recorded
- What chain position it's at
What observers see
/verify/[pollId] is a public page that:
- Re-walks the chain from the seed and reports integrity (every hash matches; nothing missing).
- Shows a live re-tally computed from chain data (excluding superseded votes).
- Lists every chain entry with hash, option, position, timestamp.
- Offers the raw JSON at /api/polls/[id]/verify so anyone can re-verify locally with their own code.
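An added example, not Aclamos's own code: a local verifier of the kind an observer could run against the raw JSON export, including a check against a head hash recorded off-platform. This page does not document the export schema or the exact hash input, so the field names (`seed`, `entries`, `position`, `option`, `timestamp`, `supersedes`, `hash`) and the construction SHA-256(previous hash || canonical JSON) are assumptions, and the sample data is constructed.

```python
import hashlib
import json
from collections import Counter

HASHED_FIELDS = ("position", "option", "timestamp", "supersedes")  # assumed field names

def entry_hash(prev_hash, entry):
    """Assumed construction: SHA-256(previous hash bytes || canonical JSON of the vote)."""
    body = {k: entry[k] for k in HASHED_FIELDS}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(bytes.fromhex(prev_hash) + payload).hexdigest()

def verify_chain(export, published_head=None):
    """Return (ok, break_at, tally); break_at is None on success or on a head mismatch."""
    prev, superseded = export["seed"], set()
    for expected_pos, entry in enumerate(export["entries"], start=1):
        # An inserted, deleted or mutated row surfaces as a position gap or hash mismatch.
        if entry["position"] != expected_pos or entry["hash"] != entry_hash(prev, entry):
            return False, expected_pos, None
        if entry["supersedes"] is not None:
            superseded.add(entry["supersedes"])
        prev = entry["hash"]
    # A head hash recorded off-platform when voting closed also pins the chain's length.
    if published_head is not None and prev != published_head:
        return False, None, None
    tally = Counter(e["option"] for e in export["entries"] if e["position"] not in superseded)
    return True, None, dict(tally)

def build_sample():
    """Constructed export for the demo; not real Aclamos data."""
    seed = hashlib.sha256(b"constructed-demo-seed").hexdigest()  # stands in for the 32-byte seed
    votes = [("A", None), ("B", None), ("B", None), ("A", 2)]  # entry 4 replaces entry 2
    entries, prev = [], seed
    for pos, (option, supersedes) in enumerate(votes, start=1):
        e = {"position": pos, "option": option, "supersedes": supersedes,
             "timestamp": f"2024-01-01T00:00:0{pos}Z"}
        e["hash"] = prev = entry_hash(prev, e)
        entries.append(e)
    return {"seed": seed, "entries": entries}

if __name__ == "__main__":
    export = build_sample()
    head = export["entries"][-1]["hash"]
    print(verify_chain(export, published_head=head))
    export["entries"][1]["option"] = "A"  # mutate a stored vote after the fact
    print(verify_chain(export, published_head=head))
```

Dropping the last entry from the export still leaves a chain that walks cleanly from the seed, so the comparison against an independently recorded head hash is what catches a shortened chain.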
What this proves — and what it doesn't
Proves: the audit log hasn't been mutated since each vote was cast. No insertions, deletions, or score changes.
Doesn't prove: ballot secrecy from the producer running the ballot. Vote contents are stored cleartext on Aclamos's servers; this is a transparent log, not Helios-style threshold encryption.
For statutory elections that require ballot secrecy from the host (university student governments, regulated union elections), the Elections tier offers a multi-trustee threshold-encrypted mode where Aclamos itself can't read votes. Contact sales@aclamos.app.
Performance
A few hundred votes per second sustained on a single Postgres instance. The chain insert is serialized in a transaction, so a high-burst poll can build up a small queue, but voters never wait more than a few hundred ms.
Best practices
- Lock verifiable mode on before opening the poll.
- For the highest-stakes votes, publish the chain seed and the head hash to a public off-platform record (X / Mastodon thread, your annual report) the moment voting closes — that timestamps the chain externally and makes any later tampering provable to a third party.
- Issue observer accounts to a non-Aclamos auditor so they can monitor the chain in real time.