Developer API

Verification infrastructure for documents — via API.

Create issuer-signed verification records, embed a verification link or QR into your document, and let any third party verify provenance and integrity — without uploading or storing the file itself.

Quickstart View endpoints Request pilot

Designed for open workflows. Authena is built for documents that leave closed systems and must be verified by third parties.

Quickstart

From generated document to public verification.

The integration pattern is simple: your system generates a document, computes its fingerprint, signs a record, stores it via Authena, and embeds a verification URL or QR for third parties.

1) Generate document

Create the final PDF/document in your ERP, DMS, portal, or app.

2) Create verification record

Sign the canonical payload and store payload + signature + hash via Authena.

3) Let others verify

Third parties verify by link (provenance) or by file check (integrity).

// Conceptual flow
document -> sha256(file bytes)
         -> canonicalize(record payload)
         -> issuer signs payload digest
         -> POST record to Authena
         -> receive verify_url / record_id
         -> embed verify_url / QR into PDF

Integration pattern

Authena does not replace your document system. It adds a verification layer on top.

API flow diagram: generate document, sign hash via API, verify by link or file

Core API capabilities

Create verification records

Store issuer-signed records for generated documents and receive a public verification URL.

Verify provenance

Check whether a record exists, who issued it, when it was issued, and whether the signature is valid.

Verify integrity

Confirm that a received file matches the original signed fingerprint (hash comparison).

Current PoC endpoints

Internally, the current prototype uses the following routes. A production API would likely expose versioned paths such as /v1/records and /v1/verify.

Create verification record

Stores the issuer-signed record payload, signature, document fingerprint, and verification metadata.

POST /api/manifest

Verify provenance

Verifies that the record exists and that the issuer signature over the stored payload is valid.

GET /api/verify-provenance?id=RECORD_UUID

Verify integrity

Compares the uploaded file’s hash with the stored hash and verifies the issuer signature.

POST /api/verify-integrity

Example request

This example creates a verification record for a document whose fingerprint was already computed locally.

curl -X POST https://www.authena-media.com/api/manifest \
  -H "Content-Type: application/json" \
  -d '{
    "record": {
      "ver": 1,
      "typ": "authena.record",
      "issued_at": "2026-03-05T12:34:56.000Z",
      "issuer": {
        "id": "ISSUER_UUID",
        "name": "Issuer Name",
        "kid": "issuer-key-id"
      },
      "document": {
        "hash_alg": "sha256",
        "hash_b64": "BASE64_SHA256_DIGEST",
        "name": "invoice.pdf",
        "mime": "application/pdf",
        "size": 12345
      }
    },
    "payload_b64": "BASE64_CANONICAL_JSON",
    "signature_b64": "BASE64_ISSUER_SIGNATURE",
    "creator_public_key_b64": "BASE64_ED25519_PUBLIC_KEY",
    "issuer_kid": "issuer-key-id",
    "issuer_name": "Issuer Name",
    "status": "active"
  }'

Example response:

{
  "ok": true,
  "id": "RECORD_UUID",
  "verify_url": "https://www.authena-media.com/verify/RECORD_UUID"
}

Security model

Issuer-signed records

The issuer signs the canonical payload. Authena stores the payload, signature, and document fingerprint.

Public verification

Third parties can verify provenance publicly by link and optionally confirm integrity by file hash.

No file storage

Files are never stored by Authena. Only fingerprints (hashes), signatures, and metadata are stored.

Why this matters: Authena is not just a signing tool. It provides independent third-party verification when documents leave closed systems.

PoC today vs. production later

Current PoC scope

Public verification, issuer-signed records, no file storage, pilot integrations, unversioned internal routes.

Planned production features

API keys for record creation, issuer key registry, rate limiting, versioned endpoints, rotation support via kid.

Public verification stays public

The core verifier experience should remain accessible without accounts or private portals.

Pilot integrations

Authena is currently best suited for pilot integrations with platforms that generate and share external documents.

Request pilot access Try verification