How to Deliver a Brand Attestation Certificate to a Client
A brand attestation certificate creates a permanent, tamper-evident record of what you delivered and when. When a client questions whether a logo was the approved version, or disputes what was in a deliverable, the certificate resolves it: here is the file hash, here is the timestamp, here is the verification link.
This guide walks through the complete workflow from first login to sharing the certificate with a client. The whole process takes under five minutes for the first attestation, and under two minutes once you have done it once.
What you need before you start
- A Merlonix account — start a free trial at merlonix.com/pricing/ (no credit card required)
- The hostname or domain associated with the asset you are attesting (e.g.,
clienta.com) - A description of what you are certifying (e.g., "Final brand kit v3 — approved 2026-04-30")
You do not need to upload the file itself. Merlonix attests the asset domain and your declaration — not the file contents. If you need file-hash attestation for specific deliverables, include the file hash in your description.
Step 1: Sign in
Go to app.merlonix.com and enter your email address. Merlonix uses magic-link authentication — click the link in the email and you land on the dashboard. No password.
Step 2: Create an asset
An asset represents the domain or hostname associated with the deliverable you are attesting.
From the Assets tab, click Add asset and fill in:
| Field | What to enter |
|---|---|
| Label | A human-readable name: Client A — main brand |
| Domain | The client's domain: clienta.com |
Click Save. The asset is created and the first SSL and DNS check is queued automatically.
If you already have the asset: skip this step. You can attest the same asset multiple times — each attestation is its own certificate.
Step 3: Start a new attestation
Navigate to Attestations → New attestation.
Select the asset you just created (or an existing one). You will see three verification methods:
| Method | How it works | Good for |
|---|---|---|
| DNS TXT record | Add a TXT record at _merlonix-verify.<domain> | When you have access to the client's DNS |
| HTTP file | Serve a file at /.well-known/merlonix-<token>.txt | When you have access to the client's web server |
| Email verification | Merlonix confirms via admin@<domain> or similar | For domains where you control the admin email |
Choose DNS TXT if you manage the client's DNS — it is the fastest and most reliable method.
Step 4: Complete the verification challenge
DNS TXT method
Merlonix gives you a token — a 64-character hex string. Add a TXT record to the client's DNS zone:
| Record type | Host | Value |
|---|---|---|
| TXT | _merlonix-verify.clienta.com | <the token Merlonix showed you> |
DNS propagation typically takes 30–120 seconds for most providers (Cloudflare, Route 53). Once the record is live, click Verify now.
HTTP file method
Download the challenge file Merlonix provides (or create a text file containing only the token). Upload it to:
https://clienta.com/.well-known/merlonix-<token>.txt
The file must be publicly accessible over HTTPS. Click Verify now once it is in place.
If verification fails
- DNS: confirm the TXT record is on the correct host (
_merlonix-verify.clienta.com, not just_merlonix-verify). Check propagation withdig TXT _merlonix-verify.clienta.com. - HTTP: confirm the URL is accessible from outside your network (try in an incognito window or with
curl https://clienta.com/.well-known/merlonix-<token>.txt).
Step 5: The certificate is issued
After successful verification, the attestation certificate is issued immediately. You will see:
- Certificate ID — a unique identifier for this attestation
- Verified at timestamp — the exact moment verification completed
- Verification URL — the public link your client uses to check the certificate
The certificate is permanent. It cannot be modified or backdated. If an asset is superseded, you revoke it (see below) — the revocation is also timestamped and visible on the verification URL.
Step 6: Deliver the certificate to your client
Include the verification URL in your delivery. A simple one-liner in the handoff email is enough:
Certificate of authenticity for this brand kit:
https://merlonix.com/verify/<certificate-id>Anyone can verify this certificate at any time. It confirms the domain, the attestation date, and the verification method used.
In a client onboarding document or SoW:
Add a section for "Brand asset certificates" listing each certificate URL with the asset it covers. This gives the client a permanent reference to check against if a dispute arises later.
In an agency-branded PDF deliverable:
Include the certificate URL in a footer or appendix. If your workflow involves generating a PDF at delivery time, the certificate URL is stable — it will still resolve years later.
Managing attestations after delivery
Revoking a certificate
If a deliverable is superseded (a revised logo replaces the original), or if an asset is disputed, revoke the certificate:
- Go to Attestations
- Find the certificate
- Click Revoke and enter a reason (e.g., "Superseded by v4 approved 2026-05-15")
Anyone who visits the old verification URL immediately sees the revoked status and the reason. The timestamp of the original attestation is preserved — the record is not deleted, only marked revoked.
Issuing a replacement certificate
After revoking the old one, issue a new attestation for the updated asset using the same workflow. The new certificate is a fresh record with its own timestamp.
Viewing all certificates for a client
Navigate to Attestations and filter by the asset name. You will see all active and revoked certificates for that domain, in chronological order.
Frequently asked questions
Does my client need a Merlonix account to view the certificate? No. The verification URL is public. Anyone with the link can check the certificate status, the timestamp, and the verification method without logging in.
What if I lose the verification URL? It is always accessible from Attestations — open the attestation record to find the URL again.
Can I attest the same domain multiple times? Yes. Each attestation is a separate certificate. Attesting a domain for a logo delivery and again for a campaign brief produces two independent certificates.
How long does the certificate remain valid?
Active certificates do not expire. They remain valid until you revoke them. DNS-method certificates renew automatically; if the DNS record is removed, the certificate status changes to challenge_expired after 90 days.
Related:
- Getting Started with Merlonix — full account setup walkthrough
- Agency Client Onboarding Checklist: Brand Assets and Digital Certificates — complete onboarding process
- Certificate of Authenticity Software: Buyer's Guide — how to evaluate options