Developer docs (preview)

Authenticity
verification API

The Cyrify API exposes endpoints for signing media, verifying tamper-evident capture, working with device attestation signals, and retrieving proof objects describing digital provenance and chain of custody.

Authentication

All requests use Bearer token authentication over HTTPS. Store API keys in a secure secrets manager—never client-side.

auth-example.sh

curl https://api.cyrify.com/v1/evidence/verify \
  -H "Authorization: Bearer <api_key>" \
  -H "Content-Type: application/json" \
  -d '{ ... }'

Preview status

These endpoints are a preview / coming soon. They describe intended behavior but do not imply availability or SLAs. Production details will be provided before general access.

Core endpoints

POST /v1/evidence/sign

Record a new tamper-evident capture event. Submit hashes, optional metadata, and device attestation tokens. Returns a proof_id.

POST /v1/evidence/verify

Re-verify an artifact via the authenticity verification API. Recomputes hashes and signatures, evaluates digital provenance, returns structured decisions.

GET /v1/evidence/{proof_id}

Retrieve a proof object for audit, review, or logging. Encodes integrity, chain of custody, and anchoring state.

POST /v1/device/attest

Exchange platform-specific attestation tokens for normalized representations attached to tamper-evident capture events.

Sign evidence

request

{
  "media_sha256": "bb9e...4fd2",
  "mime_type": "image/jpeg",
  "capture_context": {
    "client_id": "claims-app",
    "captured_at": "2026-03-05T10:15:43Z"
  },
  "attestation_token": "eyJhbGci..."
}

response

{
  "proof_id": "prf_01hv2c9g4pwh9z2x6a",
  "status": "RECORDED",
  "integrity": {
    "sha256": "bb9e...4fd2",
    "signature": "MEUCIQD4xv..."
  }
}

Verify evidence

request

{
  "media_sha256": "bb9e...4fd2",
  "proof_id": "prf_01hv2c9g4pwh9z2x6a"
}

response

{
  "status": "VERIFIED",
  "attestation": {
    "present": true,
    "risk": "LOW"
  },
  "decision": {
    "summary": "Hash and signature match.",
    "limitations": [
      "Does not detect deepfakes."
    ]
  }
}

Rate limits (indicative)

Bucket	Limit	Notes
Evidence sign	100 req/min	Bursty during field ops
Evidence verify	200 req/min	Cacheable when stable
Device attest	60 req/min	Per device install

Illustrative only. Concrete limits will be published with any public API release.

Error format

error-response.json

{
  "error": {
    "code": "rate_limited",
    "message": "Too many requests.",
    "request_id": "req_01hv2d5qf9...",
    "details": {
      "retry_after_seconds": 30
    }
  }
}

Error codes describe technical and policy limits. Log error contexts alongside digital provenance data for audit.

Limitations and responsible integration

The Cyrify API can materially improve reasoning about content authenticity, digital provenance, and chain of custody. But it cannot guarantee that media fully reflects reality or intent.

Integrations should plan for human review, escalation paths, and jurisdiction-specific guidance—especially in insurance, legal evidence, or safety-critical reporting.

Authenticity verification API