AttestLayer

FES-1.0-preview

AttestLayer Evidence API

A small record-only API surface for evidence intake, kit metadata, receipt retrieval, JWKS discovery, and verification workflows.

FES-1.0-preview · Record-only · No scanning · No credentials · JWKS · Ed25519 receipts

The API supports evidence handling and verification metadata. It does not certify compliance, guarantee security, or replace audit work.

Quickstart

1. Create intake job

POST /v1/intake/jobs

2. Check job status

GET /v1/intake/jobs/{job_id}

3. Retrieve manifest

GET /v1/kits/{kit_id}/manifest

4. Retrieve receipt

GET /v1/kits/{kit_id}/receipt

5. Retrieve JWKS

GET /.well-known/jwks.json

6. Verify offline

python deliverables/offline-verifier/verify.py sample-kit --json

Public endpoints only

  • GET /.well-known/jwks.json
  • POST /v1/intake/jobs
  • GET /v1/intake/jobs/{job_id}
  • GET /v1/kits/{kit_id}/manifest
  • GET /v1/kits/{kit_id}/receipt
  • GET /v1/kits/{kit_id}/download
  • POST /v1/verify/receipt

Fail-closed verification

Verification must fail closed. Missing files, malformed receipts, mismatched hashes, missing JWKS keys, wrong key IDs, or invalid signatures must return FAIL. Do not use partial PASS language.

The AttestLayer trust model

AttestLayer’s trust model is intentionally narrow. It records what was submitted, what was accepted into scope, what was issued, and how the issued kit can be checked.

The model uses

  • SHA-256 artifact hashing
  • manifest-based evidence inventory
  • canonical receipt hashing
  • Ed25519 receipt signatures
  • JWKS public-key discovery
  • offline verification
  • fail-closed verification behavior

What it proves

  • files match the manifest
  • manifest matches the receipt
  • receipt key ID matches a public key
  • receipt signature verifies
  • the kit has not been modified since issuance
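
The fail-closed chain described above (files, manifest, receipt, JWKS key, Ed25519 signature) as an added Go example; it is not AttestLayer's verifier and not code from this page. The manifest and receipt field names, the `k1` key ID, and signing the manifest digest directly in place of the canonical receipt hash are assumptions, because the page does not show the FES-1.0-preview schemas.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

var b64 = base64.RawURLEncoding // JWK members are unpadded base64url
func digest(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }
// Verify returns "PASS" only when every check succeeds; anything else is FAIL.
func Verify(files map[string][]byte, manifest, receipt, jwks []byte) string {
	var m, r map[string]string // assumed layouts: path->sha256; kid, manifest_sha256, sig
	var ks struct{ Keys []struct{ Kty, Crv, Kid, X string } }
	if json.Unmarshal(manifest, &m) != nil || json.Unmarshal(receipt, &r) != nil ||
		json.Unmarshal(jwks, &ks) != nil || len(m) == 0 || r["kid"] == "" {
		return "FAIL: malformed input"
	}
	for path, want := range m { // every listed file must exist and hash as recorded
		if data, ok := files[path]; !ok || digest(data) != want {
			return "FAIL: missing or modified file " + path
		}
	}
	if digest(manifest) != r["manifest_sha256"] {
		return "FAIL: manifest does not match receipt"
	}
	for _, k := range ks.Keys { // only the key named by the receipt's kid may verify it
		if k.Kid == r["kid"] && k.Kty == "OKP" && k.Crv == "Ed25519" {
			pub, e1 := b64.DecodeString(k.X)
			sig, e2 := b64.DecodeString(r["sig"])
			if e1 == nil && e2 == nil && len(pub) == ed25519.PublicKeySize &&
				ed25519.Verify(pub, []byte(r["manifest_sha256"]), sig) {
				return "PASS"
			}
			return "FAIL: invalid key or signature"
		}
	}
	return "FAIL: no JWKS key for kid"
}
func sampleKit() (map[string][]byte, []byte, []byte, []byte) { // constructed kit, throwaway key
	pub, priv, _ := ed25519.GenerateKey(nil)
	files := map[string][]byte{"policy.txt": []byte("sample evidence")}
	man := []byte(`{"policy.txt":"` + digest(files["policy.txt"]) + `"}`)
	sig := b64.EncodeToString(ed25519.Sign(priv, []byte(digest(man))))
	rec := []byte(`{"kid":"k1","manifest_sha256":"` + digest(man) + `","sig":"` + sig + `"}`)
	return files, man, rec, []byte(`{"keys":[{"kty":"OKP","crv":"Ed25519","kid":"k1","x":"` + b64.EncodeToString(pub) + `"}]}`)
}
func main() { fmt.Println(Verify(sampleKit())) }
```

Files present in the kit but absent from the manifest are not flagged by this sketch.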

What it does not prove

  • company compliance status
  • company security status
  • controls are operating effectively
  • a buyer, auditor, insurer, bank, regulator, or PSP has accepted the packet
  • the evidence content is legally sufficient

Integrity and issuance evidence only. Not audit, certification, or compliance guarantee.

Changelog

2026-05-05 — FES-1.0-preview public contract, required schemas, OpenAPI snapshot, and v2 reviewer assets published.