Getting started
Quickstart
Verify an asset, sign your own media, and recover provenance by content hash, in a few minutes. Examples assume your deployment is at https://app.signata.dev; swap in your own base URL.
1 · Get an API key
Open the dashboard, go to API keys, and create one. Keys carry scopes that gate what they can do:
verify:read call POST /api/v1/verify
sign:write call POST /api/v1/sign
provenance:read call GET /api/v1/provenance/{assetHash}
admin everything above + manage workspace resourcesSend the key in the x-signata-api-key header on every request. Treat it like a password and keep it server-side.
No key needed to try it
2 · Verify an asset
POST the raw asset bytes (not multipart form data) to /api/v1/verify. The response is the stable verification contract: the same shape the SDK and the badge return.
curl -sS https://app.signata.dev/api/v1/verify \
-H "x-signata-api-key: pk_live_xxx" \
-H "content-type: application/octet-stream" \
--data-binary @photo.jpgA verified asset comes back looking like this:
{
"api_version": "2026-01-01",
"verdict": "verified",
"verdict_label": "Verified provenance",
"summary": "A valid Content Credential is attached, its signature and hard binding check out, and the signer is trusted.",
"signer": { "name": "Adobe Photoshop", "trusted": true },
"binding": {
"algorithm": "sha256",
"matches": true,
"computed_hash": "b1946ac9...d8e0f3a2"
},
"signature": { "valid": true, "format": "c2pa" },
"ai": { "disclosure": "ai_edited", "generated": false, "edited": true },
"claim": {
"generator": "Adobe Photoshop 26.0 (C2PA)",
"actions": ["c2pa.created", "c2pa.color_adjustments", "c2pa.cropped"],
"assertions": ["c2pa.actions", "stds.exif", "stds.schema-org.CreativeWork"]
},
"recovered_via": "embedded",
"reasons": ["signature_valid", "binding_matches", "signer_trusted"],
"policy": { "actions": ["allow", "label"] },
"event_id": "evt_8t2k9p"
}Note signer.trusted is a policy decision (is this signer in your trust list?), not a property of the signature. A valid signature on its own yields provenance_present_untrusted until you choose to trust the signer. See Core concepts.
3 · Sign your own media
client.sign(bytes, opts) attaches a Content Credential, appends a record to the transparency log, and returns the credentialed bytes plus a receipt. If your content involved AI, disclose it. Disclosure co-exists with a verified verdict and is the honest default.
import { readFile, writeFile } from "node:fs/promises";
import { SignataClient } from "@signata/sdk";
const client = new SignataClient({ apiKey: process.env.SIGNATA_API_KEY! });
const bytes = await readFile("render.png");
const receipt = await client.sign(bytes, {
title: "Quarterly report cover",
// Disclose AI involvement honestly; this co-exists with a "verified" verdict.
ai: { generated: true },
});
// Persist the credentialed bytes so others can verify them later.
await writeFile("render.signed.png", Buffer.from(receipt.credentialed_asset_base64, "base64"));
console.log(receipt.asset.hash); // the content hash to recover by
console.log(receipt.transparency.seq); // position in the transparency log
console.log(receipt.transparency.log_root); // the log root after this append4 · Recover by content hash
Platforms routinely strip metadata. If a credentialed asset loses its embedded manifest, you can still recover its provenance from the transparency log by the asset’s content hash. This is the soft binding.
# Soft binding: recover provenance by content hash, even if the
# embedded metadata was stripped somewhere in transit.
curl -sS https://app.signata.dev/api/v1/provenance/b1946ac9...d8e0f3a2 \
-H "x-signata-api-key: pk_live_xxx"Recovery is best-effort: it only succeeds for assets Signata issued and only while the bytes hash to the same value. A re-encoded copy will hash differently and will not match. See the transparency log and threat model.
Next steps
Read Core concepts to understand bindings and trust, browse the full API reference, or wire the SDK’s badge and middleware into your app. Before you put anything in front of users, read Limits & honest positioning.