Oris Docs

Verifier

POST /api/v1/oris/verify/bundle

Verify an L4 ComplianceBundle (v1 Ed25519)

Verify an L4 ComplianceBundle and return a signed verdict.

* 200 + verdict on every recognised input — compliance verdict is DATA, not an HTTP error. Networks branch on `verdict`.
* 422 only for malformed request shape (pydantic).
* 503 if the verifier signing key is not configured.

Clients can cache + replay the verdict.

Auth: Ed25519 request signing. Send Authorization, X-Request-Signature, X-Timestamp, and X-Nonce headers on every call. Nonce TTL is thirty seconds.

Request body

application/json, schema: VerifyBundleRequest

Responses

Status  Description
200     Successful Response
422     Validation Error

Example request

curl -X POST 'https://api.useoris.xyz/api/v1/oris/verify/bundle' \
  -H 'Authorization: oris_sk_live_***' \
  -H 'X-Request-Signature: ***' \
  -H "X-Timestamp: $(date +%s)" \
  -H "X-Nonce: $(uuidgen)" \
  -H 'Content-Type: application/json' \
  -d '{...}'

GET /api/v1/oris/verify/pubkey

Get the verifier's Ed25519 public key for verifying response signatures

Return the verifier's public Ed25519 key. Clients SHOULD cache this for ~24 hours (rotations align with the operator's Vault key rotation runbook; clients re-fetch on cache-expiry or signature-verification failure). The response fields advertise the canonicalisation rule so clients can re-encode response payloads identically.

Auth: Ed25519 request signing. Send Authorization, X-Request-Signature, X-Timestamp, and X-Nonce headers on every call. Nonce TTL is thirty seconds.

Responses

Status  Description
200     Successful Response

Example request

curl -X GET 'https://api.useoris.xyz/api/v1/oris/verify/pubkey' \
  -H 'Authorization: oris_sk_live_***' \
  -H 'X-Request-Signature: ***' \
  -H "X-Timestamp: $(date +%s)" \
  -H "X-Nonce: $(uuidgen)"
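
The pubkey caching rule described for this endpoint (cache for about 24 hours, re-fetch on cache expiry or signature-verification failure), as a Go client-side cache. This is an added example, not Oris code: `KeyCache` and its `Fetch` hook are hypothetical, and it assumes the key arrives as raw 32 bytes and the signature covers the payload bytes the caller has already canonicalised.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"time"
)

// KeyCache caches the verifier pubkey. Fetch is a hypothetical hook standing in
// for GET /api/v1/oris/verify/pubkey (assumed to return the raw 32-byte key).
type KeyCache struct {
	Fetch   func() (ed25519.PublicKey, error)
	TTL     time.Duration // the page suggests ~24 hours
	key     ed25519.PublicKey
	fetched time.Time
}

// Verify checks sig over payload, which the caller has already canonicalised
// (assumption: the signature covers exactly those bytes). The key is refetched
// on cache expiry or on a failed check, at most once per call.
func (c *KeyCache) Verify(payload, sig []byte) (bool, error) {
	stale := c.key == nil || time.Since(c.fetched) >= c.TTL
	for {
		if stale {
			k, err := c.Fetch()
			if err == nil && len(k) != ed25519.PublicKeySize { // Verify panics on a bad length
				err = errors.New("verifier pubkey has wrong length")
			}
			if err != nil {
				return false, err
			}
			c.key, c.fetched = k, time.Now()
		}
		if ok := ed25519.Verify(c.key, payload, sig); ok || stale {
			return ok, nil // a fresh key has the final say, valid or not
		}
		stale = true // cached key rejected the signature: refetch once and retry
	}
}

func main() { // constructed key and payload, for demonstration only
	pub, priv, _ := ed25519.GenerateKey(nil)
	c := &KeyCache{TTL: 24 * time.Hour, Fetch: func() (ed25519.PublicKey, error) { return pub, nil }}
	msg := []byte(`{"verdict":"sample"}`)
	fmt.Println(c.Verify(msg, ed25519.Sign(priv, msg)))
}
```

Because a failed check triggers a refetch, a stream of verdicts with bad signatures becomes a stream of pubkey requests; rate-limit the refetch path in production.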