Skip to content

CRYPTOGRAPHIC PROOF

Confirm authenticity in one call.

Upload any asset to the verify endpoint. Hashproof returns C2PA chain validation, trust-list match, manifest lineage, and a structured trust-status field ready to render. Endpoint: POST /v1/verify.

What you get back

Four guarantees on every verify response. Signature, trust, lineage, and (when you ask for it) forensic-grade detail.

Signature + chain validation

Hashproof validates every signature in the C2PA manifest, including ingredient manifests up the lineage. Hybrid Ed25519 + ML-DSA-65 signatures are accepted; classical-only manifests still verify against the relevant primitive.

Trust-list matching

Each signature is matched against the configured issuer trust list. Hashproof ships with the C2PA trust list by default; per-tenant policies layer on top to allow or deny specific issuers.

Lineage DAG response

The response includes the full provenance graph: ingredients, parent manifests, derivation actions. Render it directly, or walk it programmatically for audit trails.

Forensic mode

For insurance and legal work, switch on forensic mode to receive per-edge confidence scores, per-assertion validation status, and a structured trust-status field tuned for human review.

How a verification happens

One request, four phases. Total path runs under 300 ms for typical assets even with full ingredient-graph traversal.

  1. 01

    POST a binary

    Send the asset (signed or unsigned, transformed or pristine) to /v1/verify. No assertions or auxiliary data required.

  2. 02

    Server validates the signature chain

    The C2PA manifest is parsed; signatures and ingredient signatures are validated; the lineage DAG is reconstructed.

  3. 03

    Trust-list matching

    Issuer certificates are matched against the configured trust list. Per-tenant policy decides what counts as known versus unknown.

  4. 04

    Structured response

    Response carries a top-level trust-status (known | self-asserted | unknown | invalid), the validated manifest, and the lineage graph.

Minimal request

Verification is the public verb. The /v1/verify endpoint accepts anonymous traffic on the Free tier and is the basis of the public viewer at /v/[hash].

curl -X POST https://api.hashproof.ai/v1/verify \
  -H "x-api-key: $HASHPROOF_API_KEY" \
  -F "file=@/path/to/image.jpg"

# => {
#   "valid": true,
#   "trust": "known",
#   "manifest": {
#     "cid": "bafkrei...",
#     "issuer": "Hashproof Managed",
#     "algorithm": "ed25519+ml-dsa-65"
#   },
#   "lineage": [
#     { "type": "parent", "manifestId": "01JS7Y..." },
#     { "type": "ingredient", "manifestId": "01JS7X..." }
#   ]
# }

Related capabilities

Verification is the third verb. Sign and resolve set up the artifact; verify is what makes the chain trustworthy.

Sign

Verification only matters if there is a signature to verify. Issue C2PA manifests with managed keys, hybrid signatures, and Merkle anchoring.

Resolve

Find the manifest after re-encodes and crops, then verify it. pHash-based resolution for assets that have been transformed in transit.

Compliance reports

EU AI Act Article 50 disclosures pull directly from verified manifests. Auditor-ready PDF + JSON.

Verify your first asset in 60 seconds.

Free tier includes 10,000 verifications per month. Public viewer URL visits do not count against your quota.