Hashproof v1 HTTP API

Auth

The API supports two auth modes:

• API key. Pass x-api-key or Authorization: Bearer hpsk_…. Used by SDKs and the CLI.
• Supabase session JWT. Pass Authorization: Bearer <jwt>. Used by the dashboard. Routes marked API key or session accept either; the API resolves the user's managed signing key on the session path.

Errors

Errors are JSON with a stable shape:

{
  "error":      "human-readable message",
  "code":       "STABLE_ERROR_CODE",
  "statusCode": 400
}

Match on code, not the message. Codes are stable across versions; messages may improve.

Rate limits

Free tier: 60 requests / minute. Growth: 300 / min. Scale: 1,000 / min. Enterprise: 5,000 / min. Limits are keyed on x-api-key (or remote IP for unauthenticated routes). 429 responses include the retryAfter field in seconds.

Manifests

Store, retrieve, and list C2PA manifests.

• POST/v1/manifestsAPI key or session

  Upload a file and store its C2PA manifest

• GET/v1/manifestsAPI key or session

  List manifests for the calling key (paginated)

• GET/v1/manifests/:idAPI key or session

  Get a manifest by ID

• GET/v1/manifests/:id/rawAPI key or session

  Download the raw CBOR-encoded manifest

• GET/v1/manifests/:id/proofAPI key

  Get the Merkle inclusion proof

• GET/v1/manifests/cid/:cidAPI key or session

  Lookup by IPFS CID

Signing

Managed C2PA signing with PQ-hybrid (ES256 + ML-DSA-65) on every tier.

• POST/v1/signAPI key or session

  Sign a file and store the manifest

Verify

Public verification + ZK and forensic variants.

• POST/v1/verifyPublic

  Verify a file (embedded → hard → soft)

• POST/v1/verify/privateAPI key

  ZK-proof variant (beta)

• POST/v1/verify/forensicAPI key

  Forensic verification with EXIF + manipulation signals

Resolve

Soft-binding lookups for re-encoded content.

• POST/v1/resolveAPI key

  Multipart file upload OR JSON soft_binding

• GET/v1/resolveAPI key

  Pre-computed fingerprint lookup

• POST/v1/fingerprintAPI key

  Compute a perceptual fingerprint without resolving

Webhooks

Subscribe to provenance events. HMAC-SHA256 signed deliveries with retry.

• POST/v1/webhooksAPI key or session

  Register a webhook endpoint

• GET/v1/webhooksAPI key or session

  List active subscriptions

• GET/v1/webhooks/:idAPI key or session

  Get a subscription detail

• PATCH/v1/webhooks/:idAPI key or session

  Update url, events, or active state

• DELETE/v1/webhooks/:idAPI key or session

  Soft-delete (deactivate)

• GET/v1/webhooks/:id/deliveriesAPI key or session

  Paginated delivery log

• POST/v1/webhooks/:id/deliveries/:deliveryId/retryAPI key or session

  Re-enqueue a failed delivery

Compliance

EU AI Act Article 50 reports.

• POST/v1/compliance/reportsAPI key or session

  Generate and persist a report

• GET/v1/compliance/reportsAPI key or session

  List reports

• GET/v1/compliance/reports/:idAPI key or session

  Get full detail

• DELETE/v1/compliance/reports/:idAPI key or session

  Delete a report

Billing

Stripe-backed subscription management.

• GET/v1/billing/subscriptionAPI key or session

  Current tier, limits, and period

• POST/v1/billing/checkout-sessionAPI key or session

  Start a Stripe Checkout flow

• POST/v1/billing/portal-sessionAPI key or session

  Open the Stripe Customer Portal

• POST/v1/billing/webhookPublic

  Stripe webhook receiver (no auth)

Account

• GET/v1/api-keysAPI key

  List API keys

• POST/v1/api-keysAPI key

  Create an API key

• DELETE/v1/api-keys/:idAPI key

  Revoke an API key

• GET/v1/usageAPI key or session

  Current-period usage metrics

• GET/v1/statsAPI key or session

  Dashboard summary stats

• GET/healthPublic

  Health probe