Skip to content

API REFERENCE

Hashproof v1 HTTP API

Endpoints below are grouped by resource. For full request and response schemas plus a try-it-now console, open the interactive Swagger UI.

Auth

The API supports two auth modes:

  • API key. Pass x-api-key or Authorization: Bearer hpsk_…. Used by SDKs and the CLI.
  • Supabase session JWT. Pass Authorization: Bearer <jwt>. Used by the dashboard. Routes marked API key or session accept either; the API resolves the user's managed signing key on the session path. Routes marked Session (API keys, stats) accept only the dashboard session JWT.

Errors

Errors are JSON with a stable shape:

{
  "error":      "human-readable message",
  "code":       "STABLE_ERROR_CODE",
  "statusCode": 400
}

Match on code, not the message. Codes are stable across versions; messages may improve.

Rate limits

Free tier: 60 requests / minute. Growth: 300 / min. Scale: 1,000 / min. Enterprise: 5,000 / min. Limits are keyed on x-api-key (or remote IP for unauthenticated routes). 429 responses include a Retry-After header (seconds) and an x-ratelimit-limit header with your applicable limit.

Verification and batch endpoints run real parsing and trust evaluation per request, so they carry their own per-route ceilings below the tier rate. Each ceiling applies per caller per route; all other routes keep the full tier rate.

EndpointFree / anonymousGrowthScaleEnterprise
POST /v1/verify10 / min60 / min200 / min1,000 / min
POST /v1/verify/forensic10 / min60 / min200 / min1,000 / min
POST /v1/batch/* (each route)10 / min30 / min100 / min300 / min

Manifests

Store, retrieve, and list C2PA manifests.

  • POST/v1/manifestsAPI key or session

    Upload a file and store its C2PA manifest

  • GET/v1/manifestsAPI key or session

    List manifests for the calling key (paginated)

  • GET/v1/manifests/:idAPI key or session

    Get a manifest by ID

  • GET/v1/manifests/:id/rawAPI key or session

    Download the raw CBOR-encoded manifest

  • GET/v1/manifests/:id/proofAPI key or session

    Get the Merkle inclusion proof

  • GET/v1/manifests/cid/:cidAPI key or session

    Lookup by IPFS CID

Signing

Managed C2PA signing (ES256) with an additive ML-DSA-65 assertion (a labeled simulation on runtimes without ML-DSA support).

  • POST/v1/signAPI key or session

    Sign a file and store the manifest. API-key callers need the sign scope on their key (default scopes lack it: 403); session callers use their managed signing key.

Verify

Public verification plus private (beta) and forensic variants.

  • POST/v1/verifyPublic

    Verify a file (embedded → hard → soft)

  • POST/v1/verify/privateAPI key

    Selective disclosure with a simulated ZK proof (beta)

  • POST/v1/verify/forensicAPI key or session

    Forensic verification with EXIF + manipulation signals

Resolve

Soft-binding lookups for re-encoded content.

  • POST/v1/resolveAPI key

    Multipart file upload OR JSON soft_binding

  • GET/v1/resolveAPI key

    Pre-computed fingerprint lookup

  • POST/v1/fingerprintAPI key

    Compute a perceptual fingerprint without resolving

Webhooks

Subscribe to provenance events. HMAC-SHA256 signed deliveries with retry.

  • POST/v1/webhooksAPI key or session

    Register a webhook endpoint

  • GET/v1/webhooksAPI key or session

    List active subscriptions

  • GET/v1/webhooks/:idAPI key or session

    Get a subscription detail

  • PATCH/v1/webhooks/:idAPI key or session

    Update url, events, or active state

  • DELETE/v1/webhooks/:idAPI key or session

    Soft-delete (deactivate)

  • GET/v1/webhooks/:id/deliveriesAPI key or session

    Paginated delivery log

  • POST/v1/webhooks/:id/deliveries/:deliveryId/retryAPI key or session

    Re-enqueue a failed delivery

Compliance

EU AI Act Article 50 reports.

  • POST/v1/compliance/reportsAPI key or session

    Generate and persist a report

  • GET/v1/compliance/reportsAPI key or session

    List reports

  • GET/v1/compliance/reports/:idAPI key or session

    Get full detail

  • DELETE/v1/compliance/reports/:idAPI key or session

    Delete a report

Billing

Stripe-backed subscription management.

  • GET/v1/billing/subscriptionAPI key or session

    Current tier, limits, and period

  • POST/v1/billing/checkout-sessionAPI key or session

    Start a Stripe Checkout flow

  • POST/v1/billing/portal-sessionAPI key or session

    Open the Stripe Customer Portal

  • POST/v1/billing/webhookPublic

    Stripe webhook receiver (no auth)

Account

  • GET/v1/api-keysSession

    List API keys

  • POST/v1/api-keysSession

    Create an API key

  • DELETE/v1/api-keys/:idSession

    Revoke an API key

  • GET/v1/usageAPI key or session

    Current-period usage metrics

  • GET/v1/statsSession

    Dashboard summary stats

  • GET/healthPublic

    Health probe

Try it now

Run the public verify endpoint in your browser, no key needed, on the API playground. For every endpoint with your own API key, the Swagger UI is generated from the live Fastify route schemas; the curated OpenAPI spec at /docs/openapi.json is the documented contract.

Open Swagger UI