Open Protocol · MIT License

Cryptographic trust
for every API response.

OpenProof adds ECDSA signatures to API responses so any client can verify data integrity — provably, without trusting the transport layer.

API response · data
{
  "symbol": "ETH",
  "price": 2081.41,
  "change_24h": -4.71
}
API response · _trust envelope
{
  "call_id":      "op_abc123def456",
  "endpoint":     "/v1/price/ETH",
  "payload_hash": "sha256:9f86d0...",
  "timestamp":    1711234567,
  "signer":       "0xdb9B33...",
  "signature":    "0x3ad7f1..."
}
The _trust envelope proves the response came from the claimed signer and the data field was not modified after signing.
Protocol

How OpenProof works

Four deterministic steps. No certificate authorities. No trusted intermediaries.

01

Canonical JSON

Response data serialized with sorted keys, no whitespace — identical payloads always produce identical hashes.

02

SHA-256 hash

Any modification — even a single character — produces a completely different hash.

03

ECDSA signature

Hash signed with secp256k1 (Ethereum-compatible). Signer's address included in the envelope.

04

Verify anywhere

Anyone recovers the signer address from the signature and compares to the declared signer. No API call required.

Features

Built for the agentic web

Every decision an AI agent makes is only as trustworthy as the data it received.

Tamper-evident

Any modification to response data — by a proxy, CDN, or man-in-the-middle — invalidates the signature immediately.

Replay protection

Unique call_id and timestamp. Duplicate responses and stale data automatically rejected.

Zero latency overhead

Signing is in-process with no external calls. Adds less than 1ms to any response time.

Language agnostic

Reference implementations in Python and TypeScript. Any language with ECDSA support can implement OpenProof.

Auditable decisions

Every signed response is a cryptographic receipt. Agents prove exactly what data informed each decision.

No PKI required

Uses Ethereum-compatible ECDSA. Any wallet address is a valid signing identity. No certificate authorities.
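
The local checks behind steps 01 and 02 and the replay protection feature, as an added example (not code from the OpenProof project or the openproof-verify package). The `data`/`_trust` response layout, the exact canonical form, the hex `sha256:` encoding and the 300-second freshness window are assumptions, and `canonicalize`, `payloadHash`, `checkEnvelope` and `sampleResponse` are hypothetical names.

```javascript
const { createHash } = require('crypto');

// Assumed canonical form: keys sorted recursively, no whitespace.
// Input is expected to come from JSON.parse (no undefined, no functions).
function canonicalize(value) {
  if (Array.isArray(value)) {
    return '[' + value.map((v) => canonicalize(v)).join(',') + ']';
  }
  if (value !== null && typeof value === 'object') {
    const members = Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k]));
    return '{' + members.join(',') + '}';
  }
  return JSON.stringify(value);
}

// Assumed encoding: "sha256:" followed by the lowercase hex digest.
function payloadHash(data) {
  const digest = createHash('sha256').update(canonicalize(data), 'utf8').digest('hex');
  return 'sha256:' + digest;
}

// Local checks only; signature recovery is left to the verification library.
// seenCallIds is a Set owned by the caller; maxAgeSeconds is an assumed policy.
function checkEnvelope(response, seenCallIds, nowSeconds, maxAgeSeconds = 300) {
  const trust = response && response._trust;
  if (!trust || response.data === undefined) {
    return { ok: false, reason: 'missing data or _trust' };
  }
  if (trust.payload_hash !== payloadHash(response.data)) {
    return { ok: false, reason: 'payload_hash mismatch' };
  }
  if (!Number.isInteger(trust.timestamp) ||
      Math.abs(nowSeconds - trust.timestamp) > maxAgeSeconds) {
    return { ok: false, reason: 'stale timestamp' };
  }
  if (typeof trust.call_id !== 'string' || seenCallIds.has(trust.call_id)) {
    return { ok: false, reason: 'duplicate call_id' };
  }
  seenCallIds.add(trust.call_id);
  return { ok: true };
}

// Constructed sample: the page's example data with a hash computed here.
function sampleResponse() {
  const data = { symbol: 'ETH', price: 2081.41, change_24h: -4.71 };
  return { data, _trust: { call_id: 'op_abc123def456', endpoint: '/v1/price/ETH',
    payload_hash: payloadHash(data), timestamp: 1711234567 } };
}
```

A matching payload_hash means nothing until the signature over it verifies, and the recovered address should be compared with a signer address the client already trusts for that API, not only with the one declared in the envelope.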

Get started

Verify in three lines

Install the verification library. Works with any OpenProof-compliant API.

$ npm install openproof-verify

// Verify any OpenProof-compliant API response
const { verifyResponse } = require('openproof-verify')

// await is not allowed at the top level of a CommonJS module, so wrap the calls
async function main() {
  const response = await fetch('https://your-api.com/v1/data')
  const json = await response.json()

  const result = verifyResponse(json)
  // → { valid: true, signer: '0xdb9B33...', signed_at: 1711234567 }

  if (result.valid) {
    console.log('✓ Verified — signed by', result.signer)
  } else {
    console.error('✗', result.reason)
  }
}

main().catch(console.error)
Ecosystem

OpenProof-compliant APIs

APIs that include a verified _trust envelope on every response.

Want to list your API? Implement OpenProof and open a PR to registry.json.

Start verifying responses today.

OpenProof is MIT licensed and free for any use. Implement it in your API in under an hour.

Contact

Questions or feedback?

Tell us how you are using OpenProof, report an issue, or suggest a feature.

support@yantrix.ai Open a GitHub issue