InvoanceInvoance
Log inStart free
Developers
Search docs…⌘K
Getting started
OverviewConceptsAuthenticationCreate an API key
API reference
EndpointsErrors
Resources
EventsDocumentsAI AttestationsTraces
SDKs
PythonNode.jscURL
Verification
How it works
Support
API FAQ

How verification works

Every event anchored through Invoance produces a public, unauthenticated verification endpoint. Any third party, auditor, regulator, counterparty - can validate the integrity and origin of a record without contacting Invoance or accessing your systems.

Verification is cryptographic, not trust-based. It resolves against a SHA-256 hash and Ed25519 signature, not against a server assertion. Invoance cannot produce a valid signature for a record it did not anchor.

Why public verification matters

No authentication required

Verification endpoints are publicly accessible. Recipients do not need an Invoance account, API key, or any relationship with your organization.

Independent of Invoance

Verification can be performed offline using the public key, payload hash, and Ed25519 signature. You do not need to trust Invoance's response.

Tenant-bound signatures

Every proof is signed with a key bound to your verified domain. Verification confirms both the record integrity and the issuing organization.

Immutable after creation

Proof data cannot be altered after anchoring. Verification URLs remain resolvable and consistent for the lifetime of your retention period.

Verification methods

Invoance supports three levels of verification, from lightweight hash comparison to full cryptographic signature validation. Choose the level appropriate for your use case.

Hash verificationAPI + SDK

Compare a SHA-256 hash against the anchored record. Available for events, documents, and AI attestations. The simplest form, confirms content hasn't changed.

POST /v1/events/:event_id/verifyPOST /v1/document/:event_id/verifyPOST /v1/ai/attestations/:attestation_id/verify
client.events.verify() / client.documents.verify() / client.attestations.verify()
Payload verificationSDK only

Pass the raw payload directly, the SDK hashes it client-side and verifies against the anchored hash. No need to pre-compute the hash yourself. For attestations, the SDK also supports verifying by raw canonical JSON string.

client.attestations.verify_payload() / client.events.verify(payload={...})
Ed25519 signature verificationSDK only

The strongest form. Fetches the attestation, then verifies the Ed25519 signature entirely client-side using the public key. Proves no field has been tampered with, including the timestamp, hashes, and metadata. Zero trust in the server required.

client.attestations.verify_signature()

Raw payload retrieval

For independent verification, you can retrieve the exact canonical JSON that was hashed and signed at ingestion time. This is the source of truth for recomputing hashes offline.

GET/v1/ai/attestations/:attestation_id/raw

Returns the canonical JSON that was hashed and Ed25519-signed. Cached server-side for 5 minutes.

client.attestations.get_raw()
GET/v1/document/:event_id/original

Returns the original document file uploaded during anchoring. Stream directly for large files, cached for small ones.

client.documents.get_original()
Events do not have a separate raw endpoint, the full payload is returned inline in the GET response. Event verify also accepts a raw payload object directly, and the server canonicalizes and hashes it for you.

Public verification endpoints

These endpoints require no API key and are safe to share externally. They are the canonical reference for any third-party verification of an anchored record.

GEThttps://invoance.com/proof/event/{event_id}
Event Ledger proof

Verifies any anchored business event. Returns hash, signature, timestamp, tenant domain, and verification status.

GEThttps://invoance.com/proof/document/{event_id}
Document Anchoring proof

Verifies an anchored document's integrity. Upload the original file to confirm it matches the cryptographic fingerprint taken at submission time.

GEThttps://invoance.com/proof/ai/{attestation_id}
AI Attestation proof

Verifies an anchored AI output or decision. Includes model metadata, decision context, and cryptographic proof of the output at generation time.

Verification response

The proof endpoint returns everything needed to independently validate a record. No additional calls or trusted data sources are required.

GEThttps://invoance.com/proof/event/evt_4c8d2f
{
  "event_id":      "evt_4c8d2f",
  "status":        "verified",
  "payload_hash":  "9f3a...c21e",
  "signature":     "ed25519:7b1c...a4f9",
  "public_key":    "invoance:pk_tenant_7b1c",
  "tenant_domain": "acme.com",
  "anchored_at":   "2026-02-25T14:22:01Z",
  "event_type":    "invoice.approved",
  "verify_url":    "https://invoance.com/proof/event/evt_4c8d2f"
}

Manual offline verification

Verification can be performed entirely offline using standard cryptographic tools. This is the strongest form of verification - it does not require contacting Invoance at all.

1
Recompute the hash

Serialize the original event payload to its canonical form and compute SHA-256. The result must match payload_hash exactly.

echo -n '{"type":"invoice.approved","data":{...}}' | sha256sum
# → 9f3a...c21e  ✓ matches payload_hash
2
Verify the signature

Use the public key to verify the Ed25519 signature over the signed_payload. The signed_payload covers all fields including the timestamp.

# Using the SDK (recommended)
result = await client.attestations.verify_signature("att_id")
print(result.valid)        # True
print(result.signed_data)  # Full JSON that was signed

# Or using openssl manually:
openssl pkeyutl -verify -pubin -inkey pub.der \
  -keyform DER -in payload.bin -sigfile sig.bin
3
Confirm the public key

Every verified tenant has a unique signing key published at their domain. Fetch it to confirm the key used in step 2 belongs to the claimed organization.

GET https://api.invoance.com/keys/acme.com
# → {
#     "domain":     "acme.com",
#     "public_key": "t3kLmNpQr7wYzA...",
#     "algorithm":  "ed25519",
#     "key_id":     "invoance:pk_a4e2f819"
#   }
# → matches  ✓

Verification guarantees

Hash integrity

The SHA-256 hash binds the proof to the exact content submitted. Any alteration to the payload produces a different hash and invalidates the proof.

Signature authenticity

The Ed25519 signature proves the proof was issued by the stated tenant's key. It cannot be forged without access to the private signing key.

Timestamp integrity

The anchored_at timestamp is recorded at ingestion and is part of the signed payload. It cannot be backdated or altered.

Immutability

Proof records are append-only. Once created, the data returned by the verification endpoint cannot change.

No vendor dependency

Verification can be performed offline. The cryptographic proof does not depend on Invoance remaining online or trusted.

Persistent URLs

Verification URLs remain resolvable for the duration of your retention period, even if your subscription changes.

What verification cannot prove

Verification is a technical guarantee, not a legal or factual one. Understanding its limits is as important as understanding its guarantees.

Document truth

Invoance verifies that a payload was submitted and has not changed. It does not verify that the contents of the payload are accurate, legal, or genuine.

Human intent

Invoance records that an event occurred and was signed by a tenant key. It does not verify that a specific human authorized or intended the action.

Content without original

If the original payload was not retained, verification can confirm a hash but cannot reconstruct or display the original content.

Legal admissibility

Cryptographic proof is technical evidence. Whether it is admissible in a specific legal proceeding depends on jurisdiction and context. Consult qualified legal counsel.

Related

Endpoints

Full API reference including verify endpoints.

SDKs

verify_payload, verify_signature, and get_raw in Python, Node.js, and cURL.

Core concepts

How hashing, signing, and the ledger work together.

Invoance

Neutral digital proof infrastructure for business. Tamper-evident, independently verifiable records.

Subscribe to our newsletter

Products
Platform
How It Works
Developers
Verify
Resources
Help & Legal
Products
  • Event Ledger
  • Document Anchoring
  • AI Attestation
  • Traces
Platform
  • Why Invoance
  • For Compliance Teams
  • For Finance Teams
  • Pricing
How It Works
  • Overview
  • Event Ledger
  • Document Anchoring
  • AI Attestation
Developers
  • Overview
  • Endpoints
  • Authentication
  • Concepts
Verify
  • Verify Document
  • Verify AI Attestation
  • Verify Event
  • Verify Trace
Resources
  • All Resources
  • SOC 2 Guide
  • HIPAA Guide
  • ISO 27001 Guide
Help & Legal
  • Support
  • Status
  • Verification Help
  • FAQ

Invoance provides technical verification and proof infrastructure for digital records. Invoance does not issue legal, financial, or regulatory advice.

Records anchored through Invoance are cryptographically signed and tamper-evident by design. Invoance does not verify the accuracy, legality, or authenticity of document contents, only that a record existed in a specific form at a specific time. Verification links are publicly resolvable and do not require authentication. Invoance does not act as a custodian of funds, a legal authority, or a regulated financial entity. Use of Invoance does not constitute legal compliance. Consult qualified counsel for your specific obligations.

© 2025 – 2026 Invoance, Inc. All rights reserved.••