How a Macfax report is bound to one specific Mac.
The five components that make a Macfax report un-replayable across devices. Plain English first; cryptographic depth as you scroll.
Server-issued nonce
Every report request begins with a server-issued nonce. The seller's app embeds it in the diagnostic payload. This prevents replay attacks where a seller would save an old report and reuse it for a different device.
Apple's Activation Lock attestation
Before any heavy diagnostic runs, we check Apple's Activation Lock and Find My state. A device with Activation Lock on cannot be transferred to a buyer; we surface that immediately rather than letting the seller waste 45 minutes on burn-in.
Device-bound key fingerprint
The Macfax app generates a per-device key inside the Secure Enclave on Apple Silicon, signs the diagnostic payload with it, and the fingerprint is published on every report (Basic and Premium). The same Mac always produces the same fingerprint; another Mac can't replay it. On a Premium report, the buyer's app re-derives the fingerprint on the Mac they received and the server confirms the match. That's the case-swap defense; the in-app re-verification flow is what Premium unlocks.
Hardware fingerprint hash
We hash the chassis serial, logic-board serial, and model identifier together. On a logic-board swap (a real Mac Studio attack vector), the chassis and logic-board serials disagree, and the hash changes. The report records the hash; mismatch is detectable.
Dated, not expiring
The report page shows a prominent issue date. Buyers judge freshness themselves, the way they would for a home inspection report. Re-running the diagnostic on the same Mac is free, always, so sellers can refresh a lingering listing without paying again.
A doorstep check for paranoid buyers.
The report page is the value most buyers need before they pay. For high-value or cross-border transactions, a buyer can re-derive the device-key fingerprint on the Mac they actually received and match it against the report. This catches case-swap fraud at the doorstep. It's optional, anonymous, and free.
Every report URL has a .json twin.
Append .json to any report URL to get the structured payload, useful for programmatic verification by escrow agents, marketplaces, or third-party tools. As buyers increasingly shop with AI agents, that machine-readable twin lets an agent find and verify your report automatically, widening the pool of buyers your proof can reach.
$ curl -s https://macfax.com/r/k7m4q9xa.json
{
"id": "k7m4q9xa",
"model_name": "Mac Studio (2025)",
"chip": "Apple M3 Ultra",
"memory_gb": 512,
"storage_gb": 8000,
"hardware_verified": true,
"activation_lock": false,
"mdm_enrolled": false,
"issued_at": "2026-05-04T14:22:00Z",
"signing_key_id": "ec:48:7a:91:2f:b3:6d:c0:...",
"verification_chain": [ ... ]
}Where Macfax fits next to a PDF report or an Apple Coverage Check.
PDFs and screenshots are unbound from the device and trivially editable. Apple's Coverage Check tells you whether a serial is real and what warranty it has, but says nothing about whether the Mac in front of the buyer is the same Mac the serial belongs to. Each comparison lays out the gap and shows where Macfax sits.
Ready to verify your Mac?
Free Basic report in under a minute, plus an optional Premium upgrade when you need hardware health, burn-in, or buyer re-verification. No account, no subscription, money-back guarantee.