Embed SEP-58 metadata so anyone can verify your source code matches what's deployed on Stellar.
SEP-58 links your deployed contract to its exact source code on GitHub — source repo, commit hash, and the Docker image used to build it. CSV Verify reads this metadata to cryptographically verify your contract.
Push your contract source to a public GitHub repository.
Embed source_repo and source_rev directly into the WASM binary.
Publish your contract to Stellar testnet.
Submit the Contract ID and let CSV Verify reproduce the build.
Drop this workflow into .github/workflows/ to embed metadata on every push to main.
name: Build & Verify Soroban Contract
on:
push:
branches: [main]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: stellar/stellar-cli@v27.0.0
- run: rustup target add wasm32v1-none
- name: Build with SEP-58 metadata
run: |
stellar contract build \
--meta "source_repo=${{ github.server_url }}/${{ github.repository }}" \
--meta "source_rev=${{ github.sha }}"Testnet only for now — mainnet is coming soon. All verifications run against testnet automatically.
Already-verified contracts return instantly from cache. A first-time rebuild takes about 2–6 minutes while CSV Verify clones the repo and compiles with the official Stellar CLI Docker image.
CSV Verify only reads public GitHub repos. No source code or private keys are stored.
Use a branch name only if you must — but exact SHA guarantees full reproducibility. Branches move.
The custom WASM section where SEP-58 metadata lives. Generated automatically with --meta flags.
Yes. Any contract with SEP-58 can be verified by anyone — that's the essence of the standard.
No SEP-58 metadata found. Follow the tutorial to implement it.
We help Soroban developers make their contracts verifiable. Reach out directly.