POST /v1/signup — public
Anonymous provisioning: no email, no form. Returns
tenant_id + api_key (shown exactly once — only its hash is stored)
and seeds the 1,000-receipt free grant. Rate-limited per network
(429 on excess); verifying existing receipts is never
rate-limited.
POST /v1/record
Records one decision and produces its verifiable receipt — the
unit of value. Idempotent on your decision_id; metered only on success;
refuses with 402 before recording when credits are exhausted.
Body: tenant_id, decision_id, claims_used[],
outcome, model_route, optional allowed_scopes[] and
host (per-call publication override; the response always states
hosted). Returns alg, digest (lowercase hex SHA-384 of
the bundle bytes — the address IS the hash), and link when hosted.
DELETE /v1/hosted/{alg}/{digest}
Tenant-owned takedown: the address then answers 410
with an honest tombstone. Does not alter, revoke, or discredit the artifact's bytes —
holders of a copy can still verify offline.
GET /r/{alg}/{digest} — public, unauthenticated
The receipt page: the public projection of the named checks, the attests/does-NOT-attest boundary, and re-derivation instructions. Zero scripts, no tracking. The address grammar is permanent: a future hash algorithm is a new token under the same shape, never a v2 path.
GET /r/{alg}/{digest}/bundle — public, unauthenticated
The verifiable bundle bytes — the trust root. Recompute SHA-384 over them and you have recomputed the address.
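The offline check described above, as an added example (not code from this service or its spec): it parses a /r/{alg}/{digest} address, rejects anything outside the lowercase-hex grammar, and recomputes the digest over the bundle bytes. The `sha384` token and the sample bundle are assumptions constructed for illustration; the page does not spell out the literal {alg} value.

```python
import hashlib
import hmac
import re

# Assumption: the page does not give the literal {alg} token; "sha384" stands in.
# Each accepted token maps to (hash constructor, expected hex length).
ALGS = {"sha384": (hashlib.sha384, 96)}

# /r/{alg}/{digest} with an optional /bundle suffix; digest must be lowercase hex.
ADDRESS_RE = re.compile(r"/r/([a-z0-9]+)/([0-9a-f]+)(?:/bundle)?")


def parse_address(path):
    """Return (alg, digest), or raise ValueError if the address is malformed."""
    m = ADDRESS_RE.fullmatch(path)
    if not m:
        raise ValueError("not a receipt address")
    alg, digest = m.groups()
    if alg not in ALGS:
        raise ValueError("unknown algorithm token: " + alg)
    if len(digest) != ALGS[alg][1]:
        raise ValueError("digest length does not match " + alg)
    return alg, digest


def verify_bundle(path, bundle_bytes):
    """True only if hashing the exact bundle bytes reproduces the address digest."""
    alg, digest = parse_address(path)
    recomputed = ALGS[alg][0](bundle_bytes).hexdigest()
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(recomputed, digest)


# Constructed sample bundle (not a real receipt) and the address derived from it.
SAMPLE_BUNDLE = b'{"decision_id":"demo-1","outcome":"approved"}'
SAMPLE_PATH = "/r/sha384/" + hashlib.sha384(SAMPLE_BUNDLE).hexdigest()

if __name__ == "__main__":
    print(verify_bundle(SAMPLE_PATH, SAMPLE_BUNDLE))          # exact bytes
    print(verify_bundle(SAMPLE_PATH, SAMPLE_BUNDLE + b"\n"))  # one byte appended
```

Hash the bytes exactly as received; any re-encoding or added whitespace changes the digest.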
The machine-readable spec (OpenAPI 3.1) ships with your onboarding; every path and description in it is required to match the live handlers in the same change that alters them.