Skip to main content
The CertNode API

Sign events. Verify them anywhere.

Logs say what happened. Receipts let someone else verify the record hasn’t changed — without trusting your database.

One API call turns a critical event — a transaction, a document, an agent action, an AI output — into a cryptographic receipt: an ES256 signature, independent RFC 3161 timestamps, and a Bitcoin anchor. The format is a published spec with conformance vectors, so anyone can check the record against it — no account, no call back to your systems. It is the same proof engine that powers every CertNode product.

ES256 + RFC 3161 + Bitcoin
three-layer receipt
Open spec + vectors
cn.receipt.v1, published
100 / month
free, no card
Start freeRead the spec

Sign once. Verify anywhere.

Send the event you want to be able to prove later. Get back a receipt anyone can re-check — via the public verify page, the CLI, or fully offline.

1 · Sign — cURL
curl -X POST https://certnode.io/api/v1/provenance/sign \
  -H "Authorization: Bearer cn_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "content": "{\"event\":\"payout.approved\",\"amount_usd\":4200,\"approved_by\":\"ops@example.com\"}",
    "contentType": "json"
  }'
Response
{
  "receiptId": "b3f1c2d4-5e6a-7b8c-9d0e-1f2a3b4c5d6e",
  "verifyUrl": "https://certnode.io/verify/provenance/b3f1c2d4-...",
  "signature": "eyJhbGciOiJFUzI1NiIs...",
  "contentHash": "9d8732aeabdd0ee34a946a3d28504054...",
  "signedAt": "2026-06-12T14:33:19Z",
  "timestamps": {
    "certnode": { "id": "..." },
    "rfc3161": "MIIC...",
    "bitcoin": { "status": "pending" }
  }
}
// full schema: certnode.io/docs/provenance/api-reference
2 · Verify — offline, via the @certnode/verify CLI
# Save the receipt JSON, then verify it anywhere — including
# fully offline against a pinned JWKS. No account, no API key.
npx @certnode/verify receipt.json \
  --content original.txt \
  --jwks jwks.json   # pin from certnode.io/.well-known/jwks.json

# exit code 0 only when every checked layer passes
Or use the SDKs
npm install @certnode/sdk      # sign + retrieve + search   (v2.2.0)
npm install @certnode/verify   # verify-only, ships the CLI (v3.3.0)

What the receipt gives you

Three independent layers, each answering a question a hostile party asks later.

WHO + WHAT

ES256 signature

A JWS over the content hash, verifiable against the published JWKS. Change one byte and verification fails — tamper-evident.

WHEN

RFC 3161 timestamps

Independent Time Stamp Authorities countersign the hash — sealed receipts carry tokens from two independent TSAs, neither of which is us.

EXISTED BY

Bitcoin anchor

Anchored via OpenTimestamps and verified against the Bitcoin block header (explorer-backed) — reported as block height + time.

Together: a record structured to the FRE 902(13)/(14) self-authenticating standard, with a public verification page per receipt and an offline verifier that needs neither.

Don’t take our word for it

Everything you need to verify a receipt — or build your own verifier — is published. These are live artifacts, not promises.

/spec/cn-receipt/v1

The receipt spec

cn.receipt.v1 — RFC 8785 canonicalization, ES256 JWS, pinned multi-TSA RFC 3161, header-verified Bitcoin anchoring. Enough to build an independent verifier.

/.well-known/conformance/v1/

Conformance vectors

SHA-256-pinned test vectors for every layer of the spec — including forged-token fixtures your verifier must reject.

/verify-offline.html

Offline verifier

A single HTML file. Save it locally and verify a receipt against a pinned JWKS — no account, no API, independent of our servers.

npm: @certnode/verify

Verify SDK + CLI

v3.3.0 — verify-only, no API key. Ships a CLI: npx @certnode/verify receipt.json. Exit 0 only when every checked layer passes.

/api/transparency/sth

Public transparency log

An RFC 6962-style log of receipts — append-only with non-equivocation. Signed tree heads anyone can poll; roots anchored via RFC 3161 and Bitcoin.

/.well-known/jwks.json

Published public keys

Pin the JWKS once and verify signatures with zero network calls — the offline path never touches certnode.io.

SDKs

  • @certnode/sdk — Node / TypeScript: sign, retrieve, search, trust score (v2.2.0)
  • @certnode/verify — verify-only SDK + CLI, no API key needed (v3.3.0)
  • certnode-verify — Python (built; not yet on PyPI)
  • @certnode/agent-sdk — sign AI-agent actions, scoped to a human authorization
  • MCP server — let an AI agent sign its own outputs

What the API does

  • sign — create a receipt for any content
  • retrieve / search — pull a receipt or query the registry
  • verify — re-check all three layers, in-browser, via API, or offline
  • export — receipts as CSV / JSON for audit
  • webhooks — events like receipt.signed and usage.cap_reached
Full API reference →Docs →

One engine, many ways to use it

The same sign + verify primitive, framed for the moment you need to prove.

Payment & dispute evidence

Seal the facts at checkout, defend them when a dispute hits — the engine behind Reflex and Vault.

Compliance audit trails

Records structured to FRE 902(13)/(14) for finance and compliance teams that get audited later.

Sign AI outputs

Prove an AI output existed, unaltered, at a moment in time — EU AI Act Article 50 disclosure trails.

Sign agent actions

A signed receipt for every action an AI agent takes, scoped to a human authorization.

Prove you made it first

Hash, sign, and anchor a work at creation — proof of priority for a later dispute.

Insurance evidence

Timestamped condition evidence sealed before a claim is ever filed.

Pay for what you sign

100 receipts every month, free, no card. Past that it is metered, billed monthly — the more you sign, the lower the rate.

$0.010
0 – 10K / mo
$0.007
10K – 100K / mo
$0.004
100K – 1M / mo
$0.002
1M+ / mo

Per signing, in arrears. Free tier is 100 signings / month.

Create your first receipt in a minute.

Sign up, grab a key, sign something, and watch anyone verify it.

Start freeHow the proof works