Skip to main content
← Back to AI Provenance

Documentation

Sign AI outputs with cryptographic provenance. REST API, npm SDK, or MCP server — same underlying infrastructure.

Quickstart

  1. Sign up at certnode.io/sign-up. Free tier gives you 100 signings/month, no card required.
  2. Create an API key in the dashboard. Save it — you'll see it exactly once.
  3. Install the SDK and sign your first AI output.
terminal
npm install @certnode/sdk
sign.ts
import { CertNode } from '@certnode/sdk'
import Anthropic from '@anthropic-ai/sdk'

const claude = new Anthropic()
const cert = new CertNode({ apiKey: process.env.CERTNODE_API_KEY })

const response = await claude.messages.create({
  model: 'claude-opus-4-7',
  messages: [{ role: 'user', content: 'Write copy' }],
})

const signed = await cert.signAIOutput({
  output: response.content[0].text,
  model: 'claude-opus-4-7',
  provider: 'anthropic',
})

// Store signed.receiptId + signed.signature with your content.
// Verify later at certnode.io/verify/<receiptId>

npm SDK — @certnode/sdk

Node 18+, TypeScript types included, ESM + CJS builds.

Constructor

const cert = new CertNode({
  apiKey: 'cn_live_...',   // required
  baseUrl: '...',          // optional override
  timeoutMs: 15000,        // optional (default 15s)
})

Methods

  • cert.signAIOutput(input) — sign AI-generated text. Convenience wrapper for AI outputs specifically.
  • cert.signContent(input) — sign any content with explicit contentType ('ai_output' | 'image' | 'document' | 'json').
  • cert.verify(input) — verify a signature. Two modes: by receiptId (looks up stored receipt) or by signature + content (rehashes and verifies without DB lookup).

Full API reference with all types: npm package page.

MCP server — @certnode/mcp-sign

Model Context Protocol server for Claude Desktop, Cursor, Windsurf, Claude Code, or any MCP-compatible client. Adds signing + verification as tools the AI can invoke directly.

Claude Desktop config

~/Library/Application Support/Claude/claude_desktop_config.json
{
  "mcpServers": {
    "certnode": {
      "command": "npx",
      "args": ["-y", "@certnode/mcp-sign"],
      "env": {
        "CERTNODE_API_KEY": "cn_live_..."
      }
    }
  }
}

Tools exposed

  • sign_ai_output — sign AI-generated content. Returns verifiable receipt with three-layer timestamps.
  • verify_signature — verify a CertNode signature (free, no API key required).
  • get_receipt — fetch a stored receipt by ID.

REST API

Base: https://certnode.io/api/v1/provenance

POST /sign

Sign content. Auth: Authorization: Bearer cn_live_...

curl https://certnode.io/api/v1/provenance/sign \
  -H "Authorization: Bearer cn_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "content": "Generated text here",
    "contentType": "ai_output",
    "model": "claude-opus-4-7",
    "provider": "anthropic"
  }'

POST /verify

Public. No auth.

# Mode 1: by receipt ID
curl https://certnode.io/api/v1/provenance/verify \
  -H "Content-Type: application/json" \
  -d '{"receiptId": "uuid-here"}'

# Mode 2: by signature + content (re-hashes)
curl https://certnode.io/api/v1/provenance/verify \
  -H "Content-Type: application/json" \
  -d '{"signature": "...", "content": "original text"}'

Verification

Verification is free and public. Anyone can verify a CertNode signature without an account.

Three ways to verify:

  1. Hosted verify page: certnode.io/verify/[receiptId]
  2. SDK: cert.verify({ receiptId })
  3. REST: POST to /api/v1/provenance/verify

Each verification independently checks the JWS signature against our public JWKS at certnode.io/.well-known/jwks.json, then (if content is provided) re-hashes and compares.

Compliance

FRE 902(13)/(14)

CertNode signatures are designed for admissibility under Federal Rule of Evidence 902(13) (self-authenticating digital records) and 902(14) (self-authenticating digital evidence certified by a qualified process). The three-layer timestamp chain (CertNode + RFC 3161 TSA + Bitcoin anchor) provides independent witnesses that the content existed at the signed time.

Note: "designed for" does not equal "proven in court." No CertNode signature has yet been tested in litigation. The underlying standards (RFC 3161, C2PA COSE Sign1, Bitcoin OpenTimestamps) are well-established and admissible individually.

EU AI Act Article 50

Article 50 of the EU AI Act (Regulation (EU) 2024/1689) requires providers of AI systems that generate content to label outputs as machine-generated. Enforcement begins August 2026. CertNode signatures satisfy the cryptographic provenance requirement: every signed output includes model identifier, provider, and timestamp, independently verifiable by any regulator.

C2PA

For image content (contentType: 'image'), CertNode produces standards-compliant C2PA manifests with COSE Sign1 signatures embedded via JUMBF. Verifies in Adobe's Content Credentials viewer and other C2PA-compliant tools.

Questions?

Email contact@certnode.io. We respond within one business day.

Get API key