TSL8 is short for tessellate, but the real name comes from the verification step — the thing that makes the rest of it work. A recipient opens a TSL8 and needs to know one thing before they spend a minute on it: this came from a person I can find on the public record.
Not a stranger. Not a spoof. Not a cold pitch laundered through an AI.
Verification works like DNS domain-control proof. You don't upload a scan of your passport. You prove that you control the public identity you're claiming.
The sender arrives at tsl8.app and claims a public identity —
most commonly linkedin.com/in/your-handle. A personal domain,
a GitHub profile, or an organization page work the same way.
TSL8 issues a short, human-legible proof token.
Three random dictionary words, namespaced. Unique to this sender, this claim, this moment.
The sender places the token somewhere visible on the claimed profile —
the About section, a pinned post, a GitHub README, a /.well-known/tsl8
file on their domain. Anywhere a person clicking through can see it.
The sender clicks "verify." TSL8 fetches the public profile, looks for the token, confirms. No scraping, no data harvest, no handshake with LinkedIn's API — TSL8 just reads the string the sender placed on a page they already control.
The sender can now mint TSL8s. The token can be removed from the profile afterward; the claim persists because control was proven once. Same contract as proving you own a domain before issuing a TLS certificate.
The asymmetry is the spam filter. Readers aren't stopped by anything, which is why a TSL8 can spread freely. Writers pay a one-time cost in proving who they are, which is why what circulates inside the format tends to be signed by real, continuous public people.
Reading a TSL8 requires nothing. No signup, no email, no tracking pixel. A recipient opens a link and reads.
Creating a TSL8 requires verification. Senders prove identity once, before they can mint an envelope with their name on it.
Replying to a TSL8 requires verification. A reader who wants to push back in writing steps through the same five-step proof.
When a recipient decides they want to talk to the crew or write a reply, there's a second, smaller handshake. The crew asks permission; the recipient grants it per-conversation, or not at all.
Verification is mutual and scoped per-document. The sender proves who they are once, globally. The recipient opts in per TSL8, only for this conversation. No one accumulates a profile across documents.
A standard short-link dies after N days, or never. A TSL8 link dies after the conversation with the crew completes — the recipient has asked their questions, gotten their answers, decided whether to reply. The link "spends itself" on a real exchange, not on a pageview. A sender can distribute freely. The cost is one meaningful conversation per token, not one view per token.
The expiration is a natural consequence of the exchange, not a surveillance timer.
The crew can be declined. The verification block can be read and the recipient can close the tab. No tracking, no read-receipts, no Tom has read your reply. A TSL8 is a letter, not a pixel.