AI Attestations
Eight endpoints for signing AI inputs and outputs into immutable attestations, verifying hashes, and serving public proof records and tenant signing keys.
/ai/attestationsCreate AI attestationSubmits the raw AI input and output text. Invoance computes SHA-256 hashes, signs the canonical payload with Ed25519 using your tenant key, and writes an immutable attestation record. Optionally pass trace_id to attach the attestation to an open trace. Duplicate content returns the existing attestation with status 'duplicate'.
POST /ai/attestations
Authorization: Bearer invoance_live_xxx
Idempotency-Key: <uuid>
Content-Type: application/json
{
"type": "output",
"payload": {
"input": "What is the company refund policy?",
"output": "Our refund policy allows returns within 30 days..."
},
"context": {
"model_provider": "openai",
"model_name": "gpt-4.1",
"model_version": "2026-01-01"
},
"subject": {
"user_id": "user_7b1c",
"session_id": "sess_4f9a"
},
"trace_id": "9549c332-…" // optional, attach to a trace
}
/ai/attestationsList attestationsReturns a paginated list of attestation records. Supports filtering by date range, attestation type, and model provider. Maximum 500 results per page, cached for 30 seconds.
GET /ai/attestations?page=1&limit=50&attestation_type=output&model_provider=openai
Authorization: Bearer invoance_live_xxx
/ai/attestations/:attestation_idRetrieve AI attestationRetrieves an immutable AI attestation record including cryptographic proof metadata, the signed payload, and Ed25519 signature. Read-only. Requires the read scope.
GET /ai/attestations/9549c332-a52b-…
Authorization: Bearer invoance_live_xxx
/ai/attestations/:attestation_id/rawRetrieve raw canonical payloadReturns the original canonical JSON payload that was hashed and signed at ingestion time. This is the exact content stored in object storage. Cached server-side for 5 minutes. Useful for independent hash verification.
GET /ai/attestations/9549c332-a52b-…/raw
Authorization: Bearer invoance_live_xxx
/ai/attestations/:attestation_id/verifyVerify attestation hashCompares a submitted SHA-256 hash against the anchored attestation hashes (input_hash, output_hash, payload_hash). Returns whether any hash matches and which field matched.
POST /ai/attestations/9549c332-a52b-…/verify
Authorization: Bearer invoance_live_xxx
Content-Type: application/json
{
"content_hash": "8c74176675eed4e2ff88bc0182af…"
}
/proof/ai/:attestation_idPublic proof recordPublic, no authentication required. Returns the attestation record and the issuing organization's identity, the same data backing the hosted proof page, so auditors can inspect an attestation without an Invoance account. The public_key is served from the tenant's write-once registered signing key, not from the attestation row. IP rate limited to 2 requests/second and 10 requests/minute. Returns 404 ai_attestation_not_found if the attestation does not exist.
GET /proof/ai/9549c332-a52b-…
Content-Type: application/json
/proof/ai/:attestation_id/verifyPublic verify (hash + signature)Public, no authentication and no quota. Compares a submitted SHA-256 hash (64 hex characters, case-insensitive) against the anchored payload_hash, input_hash, and output_hash, and additionally verifies the Ed25519 signature over the signed payload against the tenant's registered public key. IP rate limited to 2 requests/second and 10 requests/minute. Returns 400 invalid_hash for a malformed hash, 404 ai_attestation_not_found if the attestation does not exist.
POST /proof/ai/9549c332-a52b-…/verify
Content-Type: application/json
{
"content_hash": "8c74176675eed4e2ff88bc0182af…"
}
/keys/:domainPublic tenant signing keyPublic, no authentication required. Resolves a verified organization domain to its Ed25519 signing public key for independent signature verification. Served at the API root (https://api.invoance.com/keys/{domain}), not under /v1. The public_key is base64url-encoded without padding, a different encoding from the hex used on the proof endpoints. IP rate limited to 5 requests/second and 200 requests/minute. All failures return 404 with a disambiguating error code: domain_not_found, domain_not_verified, or keys_not_yet_provisioned.
GET https://api.invoance.com/keys/acme.com
Content-Type: application/json