Proofs And Certificates

Proofs are .der files produced by the wipe agent. The backend stores the raw proof object before processing and uses asynchronous workers to validate, decrypt, sign, certify, and optionally anchor the result.

Submission Routes

| Route | Auth | Use |
| --- | --- | --- |
| POST /api/v1/proofs | CLIENT_ADMIN, CLIENT_TECH, or generic proofs:write API key | Submit one multipart .der proof. |
| POST /api/v1/proofs/bulk | CLIENT_ADMIN, CLIENT_TECH, or generic proofs:write API key | Submit up to 100 files or a ZIP archive, max 500 MB. |
| POST /ingest/v1/proofs | Enrolled-agent API key with proofs:write | Submit one raw .der body from an enrolled agent. |
| GET /ingest/v1/proofs/{id} | Enrolled-agent API key with proofs:read | Poll the status of an agent-owned proof. |

Protected writes require Idempotency-Key. The unit proof size limit is 5 MB. The local rate limits are per authenticated principal or agent key: 100 unit submissions per hour and 500 batch submissions per hour.

Proof Statuses

| Status | Meaning | Operator action |
| --- | --- | --- |
| RECEIVED | Stored and queued. | Watch queue depth if it persists. |
| VALIDATING | Worker is validating proof envelope, agent trust, schema, and version. | Inspect worker logs if stalled. |
| GENERATING_PDF | Certificate PDF is being rendered. | Check object storage and signer if failures appear. |
| SIGNING | HMAC/PAdES/receipt signing is running. | Check signer readiness and key IDs. |
| ANCHORING | Anchor worker is processing chain metadata. | Check chain worker and blockchain configuration. |
| CERTIFIED | Certificate was produced with anchor data. | No action. |
| CERTIFIED_NO_ANCHOR | Certificate was produced without active anchor data. | Accept only when product policy allows. |
| AWAITING_LICENSE | Proof is valid but quota/licensing is unavailable. | Import/allocate licenses, then retry. |
| FAILED | Recoverable dependency or processing failure. | Fix root cause, then retry. |
| REJECTED | Terminal validation failure. | Do not replay unless validation policy was wrong. |
| ABANDONED | Operator abandoned a failed proof. | Keep audit context. |

Lifecycle Actions

| Action | Route | Role |
| --- | --- | --- |
| List proofs | GET /api/v1/proofs | CLIENT_ADMIN, CLIENT_TECH, AUDITOR |
| Read proof | GET /api/v1/proofs/{id} | CLIENT_ADMIN, CLIENT_TECH, AUDITOR, or proofs:read where accepted |
| Read status | GET /api/v1/proofs/{id}/status | CLIENT_ADMIN, CLIENT_TECH, AUDITOR, or proofs:read where accepted |
| Retry | POST /api/v1/proofs/{id}/retry | CLIENT_ADMIN |
| Full restart | POST /api/v1/proofs/{id}/full-restart | CLIENT_ADMIN |
| Abandon | POST /api/v1/proofs/{id}/abandon | CLIENT_ADMIN |

retry, full-restart, and abandon require recent MFA when SENSITIVE_ACTION_MFA_MAX_AGE is enabled.

Certificate Routes

| Action | Route | Role |
| --- | --- | --- |
| List certificates | GET /api/v1/certificates | CLIENT_ADMIN, CLIENT_TECH, AUDITOR |
| Read metadata | GET /api/v1/certificates/{id} | CLIENT_ADMIN, CLIENT_TECH, AUDITOR |
| Download PDF | GET /api/v1/certificates/{id}/pdf | CLIENT_ADMIN, CLIENT_TECH, AUDITOR |
| Download canonical JSON | GET /api/v1/certificates/{id}/canonical | CLIENT_ADMIN, CLIENT_TECH, AUDITOR |
| Revoke | POST /api/v1/certificates/{id}/revoke | CLIENT_ADMIN |

Certificate statuses are CERTIFIED, CERTIFIED_NO_ANCHOR, and REVOKED. Revocation requires an audit reason and recent MFA when configured.

Public Verification

Public verification is available through:

| Route | Input |
| --- | --- |
| GET /verify or GET /api/v1/public/verify | Query parameters. |
| POST /verify or POST /api/v1/public/verify | JSON body, query parameters, or both. |

Supported identifiers are code, certificate_id, canonical_hash, and tx_hash. When more than one identifier is supplied, they must refer to the same certificate or the result is IDENTIFIER_MISMATCH.

Public responses never include tenant ID, organization ID, proof ID, internal storage keys, canonical JSON, HMAC value, or PDF object keys.
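
The identifier consistency rule and the public-field restriction above, sketched as an added example (not the product's code). The record layout, the allow-listed field names, the NOT_FOUND and FOUND result strings, and treating an unresolved identifier alongside a resolved one as a mismatch are assumptions; only IDENTIFIER_MISMATCH and the four identifier names come from this page.

```python
# Added example, not the product's code. Record layout, field names and the
# NOT_FOUND / FOUND result strings are assumptions; IDENTIFIER_MISMATCH and the
# four identifier names come from the page.
SUPPORTED = ("code", "certificate_id", "canonical_hash", "tx_hash")

# Allow-list of fields that may leave the service (assumed names). Building the
# response from an allow-list keeps any newly added internal field private by default.
PUBLIC_FIELDS = ("certificate_id", "status", "issued_at")

# Constructed sample store; internal fields are present to show they are dropped.
CERTS = [
    {"certificate_id": "cert-001", "code": "AAAA-1111", "canonical_hash": "h1",
     "tx_hash": "tx1", "status": "CERTIFIED", "issued_at": "2024-01-01T00:00:00Z",
     "tenant_id": "t-9", "proof_id": "p-77", "hmac": "deadbeef",
     "pdf_object_key": "certs/t-9/cert-001.pdf"},
    {"certificate_id": "cert-002", "code": "BBBB-2222", "canonical_hash": "h2",
     "tx_hash": None, "status": "CERTIFIED_NO_ANCHOR",
     "issued_at": "2024-01-02T00:00:00Z",
     "tenant_id": "t-3", "proof_id": "p-78", "hmac": "cafef00d",
     "pdf_object_key": "certs/t-3/cert-002.pdf"},
]


def lookup(field, value):
    """Return the first certificate whose `field` equals `value`, else None."""
    return next((c for c in CERTS if c.get(field) == value), None)


def public_verify(params):
    """Resolve every supplied identifier independently, then compare results."""
    supplied = {k: v for k, v in params.items() if k in SUPPORTED and v}
    if not supplied:
        return {"result": "NOT_FOUND"}
    resolved = [lookup(k, v) for k, v in supplied.items()]
    ids = {c["certificate_id"] if c else None for c in resolved}
    if len(ids) > 1:
        # Two different certificates, or one identifier resolves and another
        # does not (the second case is this example's assumption).
        return {"result": "IDENTIFIER_MISMATCH"}
    cert = resolved[0]
    if cert is None:
        return {"result": "NOT_FOUND"}
    return {"result": "FOUND", **{f: cert[f] for f in PUBLIC_FIELDS}}
```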

Operator Checks

| Symptom | First checks |
| --- | --- |
| Proofs remain RECEIVED | proofs.validated queue, proof worker health, DB connectivity. |
| Proofs become AWAITING_LICENSE | Active grants, allocation scope, user/org quota, grant validity dates. |
| Proofs become FAILED | Signer, object storage, PAdES/TSA, malformed environment configuration. |
| Certificates are CERTIFIED_NO_ANCHOR | BLOCKCHAIN_ENABLED, chain registry, anchor worker, Hedera readiness. |
| Public verification returns invalid/tampered | PDF/canonical/HMAC mismatch, revoked certificate, chain lookup failure, wrong identifier. |