Skip to content

CRYPTOGRAPHIC PROOF

Confirm authenticity in one call.

Upload any asset to the verify endpoint. Hashproof returns C2PA chain validation, trust-list match, and a structured trust-status field ready to render. Endpoint: POST /v1/verify.

What you get back

Four properties of the verify surface. Signature, trust, lineage via the manifests API, and (when you ask for it) forensic-grade detail.

Manifest validation

Hashproof validates embedded C2PA manifests at parse time and reports a structured validation result. Hybrid ES256 + ML-DSA-65 manifests are accepted; the ML-DSA assertion is verified when it is a real signature.

Trust-list matching

Embedded manifest signers are matched against the configured issuer trust list at parse time. Hashproof ships with the C2PA trust list by default.

Lineage DAG

The manifests API exposes the full provenance graph: ingredients, parent manifests, derivation actions, via GET /v1/manifests/:id/lineage. Render it directly, or walk it programmatically for audit trails.

Forensic mode

For insurance and legal work, switch on forensic mode to receive manipulation signals, EXIF analysis, a confidence score, and a risk level tuned for human review.

How a verification happens

One request, four phases.

  1. 01

    POST a binary

    Send the asset (signed or unsigned, transformed or pristine) to /v1/verify. No assertions or auxiliary data required.

  2. 02

    Server validates the signature chain

    The C2PA manifest is parsed and validated.

  3. 03

    Trust-list matching

    The signer is matched against the configured trust list.

  4. 04

    Structured response

    Response carries a top-level trustStatus (trusted | untrusted | unknown), the validated manifest, and the validation detail.

Minimal request

Verification is the public verb. The /v1/verify endpoint accepts anonymous traffic and backs the public verify playground at /playground.

curl -X POST https://api.hashproof.ai/v1/verify \
  -F "file=@/path/to/image.jpg"

# => {
#   "hasProvenance": true,
#   "trustStatus": "trusted",
#   "source": "embedded",
#   "manifest": {
#     "signatureInfo": { "algorithm": "ES256", ... }
#   },
#   "validation": { ... }
# }

Related capabilities

Verification is the third verb. Sign and resolve set up the artifact; verify is what makes the chain trustworthy.

Sign

Verification only matters if there is a signature to verify. Issue C2PA manifests with managed keys, hybrid signatures, and Merkle batch proofs.

Resolve

Find the manifest after re-encodes and crops, then verify it. pHash-based resolution for assets that have been transformed in transit.

Compliance reports

EU AI Act Article 50 reports built from your stored manifests. Certificates that could not be validated are flagged per manifest.

Verify your first asset in 60 seconds.

Free tier includes 10,000 verifications per month. Visits to the public verify playground at /playground do not count against your quota.