COMPLIANCE REPORTING
Hashproof builds EU AI Act Article 50 reports directly from your stored manifests. Per-manifest findings, six summary counters, and a persisted report history, all through one synchronous endpoint: POST /v1/compliance/reports.
Every finding cites the manifest it came from by ID. You can fetch the cited manifest through the API while it exists.
Each stored manifest is checked for the Article 50 §1 disclosure pattern: content carrying an AI-generation assertion (c2pa.ai_generative or c2pa.ai_training) must also carry a c2pa.actions disclosure. Manifests missing the disclosure are flagged non-compliant.
Every report carries six counters: total assets, assets with provenance, compliance percentage, AI-generated count, AI-disclosed count, and certificate issues. The list endpoint returns the same counters per report, so you can track posture across report runs.
The details array lists every manifest with its title, its specific issues (disclosure gaps, certificates that could not be validated, missing content binding), and a status of compliant, non_compliant, or needs_review.
Each generated report is stored with a stable ID and timestamp. List earlier reports, fetch any report in full by ID, or delete reports you no longer need. The report JSON stays available for audit folders.
One synchronous request builds the report. There is no export pipeline and no callbacks; the response body is the report.
01
Send an optional reportType (default eu-ai-act, the one supported type today). The report covers every manifest stored under your API keys.
02
Hashproof walks every manifest stored under your keys and checks AI-generation disclosure, certificate validation status, and content binding.
03
Each manifest gets a detail row with its specific issues and a compliance status. The six summary counters are computed across the corpus.
04
The full report comes back synchronously in the 201 response and is stored. Fetch it again any time at GET /v1/compliance/reports/:id.
Reports cover every manifest stored under your API keys and return synchronously. Send an empty JSON object or set reportType; it defaults to eu-ai-act.
curl -X POST https://api.hashproof.ai/v1/compliance/reports \
-H "x-api-key: $HASHPROOF_API_KEY" \
-H "Content-Type: application/json" \
-d '{ "reportType": "eu-ai-act" }'
# => 201 Created
# {
# "id": "550e8400-e29b-41d4-a716-446655440000",
# "reportType": "eu-ai-act",
# "generatedAt": "2026-06-10T12:00:00.000Z",
# "summary": {
# "totalAssets": 150,
# "assetsWithProvenance": 147,
# "compliancePercentage": 94,
# "aiGeneratedCount": 30,
# "aiDisclosedCount": 28,
# "certificateIssues": 3
# },
# "details": [
# {
# "manifestId": "9b2f1c4e-7a31-4f0b-8a6e-2d5c9e8f1a07",
# "assetTitle": "AI Generated Banner",
# "issues": ["AI-generated content lacks action disclosure assertion (Article 50 §1)"],
# "status": "non_compliant"
# }
# ]
# }Compliance reports are downstream of the verb triple. What you store, sign, and verify determines what a report can say.
Reports are built from the manifests you store. Issue and store C2PA manifests through one API call with managed signing.
Check any asset before you rely on it: one call returns provenance, validation detail, and trust-list status.
Registrars sync manifests across organizations through the federation API.
Generate a report against your stored corpus and see where you stand today.