Devnet Preview: data may reset, no production guarantees.

GET /api/v1/.well-known/authority-key

Returns the active Ed25519 public key metadata used to sign passports.

Use this key to verify passports returned by /sigil, /heartbeat, and /reissue-proof.

Auth: None (public)

Base URL: https://provenonce.io

Request

curl https://provenonce.io/api/v1/.well-known/authority-key

Response

{
  "schema_version": 1,
  "algorithm": "Ed25519",
  "key_id": "pvn-ed25519-3f5b2f8a1b7c9d10",
  "authority_public_key_hex": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2",
  "verification": {
    "proof_signature_field": "provenonce_signature",
    "verify_function": "verifyPassport"
  }
}

Response fields

Field                     Type    Description
schema_version            number  Payload schema version
algorithm                 string  Always Ed25519
key_id                    string  Active authority key identifier
authority_public_key_hex  string  64-character hex-encoded Ed25519 public key

Offline passport verification

Passports are Ed25519 signatures over canonical JSON with deterministic key ordering. To verify a passport offline:

  1. Fetch the authority public key from this endpoint.
  2. Reconstruct canonical JSON in this exact key order:

     format_version, agent_hash, agent_public_key, authority_key_id, identity_class, registered_at_beat, sigil_issued_at_beat, last_heartbeat_beat, lineage_chain_hash, issued_at, valid_until

  3. Verify provenonce_signature against that canonical JSON string.
  4. Reject if valid_until is in the past.

Node.js example

import { createPublicKey, verify } from 'node:crypto';

// Rebuild the signed payload with keys in the canonical order.
function canonicalPassportData(passport) {
  return JSON.stringify({
    format_version: passport.format_version,
    agent_hash: passport.agent_hash,
    agent_public_key: passport.agent_public_key,
    authority_key_id: passport.authority_key_id,
    identity_class: passport.identity_class,
    registered_at_beat: passport.registered_at_beat,
    sigil_issued_at_beat: passport.sigil_issued_at_beat,
    last_heartbeat_beat: passport.last_heartbeat_beat,
    lineage_chain_hash: passport.lineage_chain_hash,
    issued_at: passport.issued_at,
    valid_until: passport.valid_until,
  });
}

function verifyPassport(proof, authorityKeyHex) {
  // Reject expired passports.
  if (Date.now() > proof.valid_until) return false;

  const canonical = canonicalPassportData(proof);
  const keyBuffer = Buffer.from(authorityKeyHex, 'hex');
  // A raw Ed25519 public key is exactly 32 bytes.
  if (keyBuffer.length !== 32) return false;

  // Prepend the fixed Ed25519 SPKI DER header so Node can import the raw key.
  const publicKey = createPublicKey({
    key: Buffer.concat([
      Buffer.from('302a300506032b6570032100', 'hex'),
      keyBuffer,
    ]),
    format: 'der',
    type: 'spki',
  });

  const signature = Buffer.from(proof.provenonce_signature, 'hex');
  return verify(null, Buffer.from(canonical), publicKey, signature);
}

// `passport` is a passport object returned by /sigil, /heartbeat, or /reissue-proof.
const authority = await fetch(
  'https://provenonce.io/api/v1/.well-known/authority-key'
).then(r => r.json());

const valid = verifyPassport(passport, authority.authority_public_key_hex);
console.log('Passport valid:', valid);

Caching

The active key can rotate. Honor the endpoint's cache headers when caching the key, and refresh it periodically. For rotation-aware verification, use /api/v1/.well-known/authority-bundle.
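
The verification steps and the rotation note above, as an added example (not Provenonce's own code): a verifier that reports why a passport is rejected, run against a constructed key pair and passport so it works offline. `checkPassport`, its reason strings, the sample values, and the assumption that a passport's authority_key_id equals the endpoint's key_id are illustrative.

```javascript
// Loads node:crypto under either CommonJS or ES modules.
const { createPublicKey, generateKeyPairSync, sign, verify } =
  typeof require === 'function' ? require('node:crypto') : process.getBuiltinModule('node:crypto');

// Signed fields in the canonical order documented on this page.
const SIGNED_FIELDS = ['format_version', 'agent_hash', 'agent_public_key', 'authority_key_id',
  'identity_class', 'registered_at_beat', 'sigil_issued_at_beat', 'last_heartbeat_beat',
  'lineage_chain_hash', 'issued_at', 'valid_until'];
const SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex'); // Ed25519 SPKI DER header

// Rebuild canonical JSON from the signed fields only, whatever order the input uses.
const canonical = (p) => JSON.stringify(Object.fromEntries(SIGNED_FIELDS.map((k) => [k, p[k]])));

// checkPassport is a hypothetical helper: returns 'ok' or the reason for rejection.
// Assumption: passport.authority_key_id names the same key as the endpoint's key_id.
function checkPassport(passport, authority, now = Date.now()) {
  if (authority.algorithm !== 'Ed25519') return 'unsupported-algorithm';
  if (passport.authority_key_id !== authority.key_id) return 'key-id-mismatch'; // stale cache?
  const key = Buffer.from(authority.authority_public_key_hex, 'hex');
  const sig = Buffer.from(String(passport.provenonce_signature), 'hex');
  if (key.length !== 32 || sig.length !== 64) return 'malformed-key-or-signature';
  const publicKey = createPublicKey({
    key: Buffer.concat([SPKI_PREFIX, key]), format: 'der', type: 'spki' });
  if (!verify(null, Buffer.from(canonical(passport)), publicKey, sig)) return 'bad-signature';
  return now > passport.valid_until ? 'expired' : 'ok';
}

// Constructed authority key and passport values, for demonstration only.
function demo() {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  const rawHex = publicKey.export({ format: 'der', type: 'spki' }).subarray(12).toString('hex');
  const authority = { schema_version: 1, algorithm: 'Ed25519', key_id: 'demo-key-1',
    authority_public_key_hex: rawHex };
  const passport = { format_version: 1, agent_hash: 'demo-agent', agent_public_key: 'demo-pub',
    authority_key_id: 'demo-key-1', identity_class: 'demo', registered_at_beat: 1,
    sigil_issued_at_beat: 2, last_heartbeat_beat: 3, lineage_chain_hash: 'demo-chain',
    issued_at: 1000, valid_until: 2000 };
  passport.provenonce_signature = sign(null, Buffer.from(canonical(passport)), privateKey).toString('hex');
  const reordered = Object.fromEntries(Object.entries(passport).reverse());
  return {
    valid: checkPassport(passport, authority, 1500),
    reordered: checkPassport(reordered, authority, 1500),
    tampered: checkPassport({ ...passport, identity_class: 'other' }, authority, 1500),
    unsignedExtra: checkPassport({ ...passport, note: 'unsigned' }, authority, 1500),
    expired: checkPassport(passport, authority, 2001),
    rotated: checkPassport(passport, { ...authority, key_id: 'demo-key-2' }, 1500),
  };
}
console.log(demo());
```

The `unsignedExtra` case passes because the signature covers only the eleven listed fields, so any other property on a passport object is unauthenticated and should not drive a decision. A `key-id-mismatch` result is the cue to refresh the cached key or consult /api/v1/.well-known/authority-bundle.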
