Skip to main content
POST
/
v1
/
attestations
/
mint
Mint Attestation
curl --request POST \
  --url https://api.truthlocks.com/v1/attestations/mint \
  --header 'Content-Type: application/json' \
  --header 'Idempotency-Key: <idempotency-key>' \
  --header 'X-API-Key: <api-key>' \
  --data '
{
  "issuer_id": "550e8400-e29b-41d4-a716-446655440000",
  "kid": "es256-key-1",
  "alg": "ES256",
  "schema": "verifiable-id",
  "claims": {
    "full_name": "",
    "employee_id": "",
    "department": "",
    "title": "",
    "start_date": ""
  },
  "recipient_email": "jsmith@example.com",
  "document_hash": "<string>",
  "pack_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "content_type": "application/json"
}
'
{
  "id": "660e8400-e29b-41d4-a716-446655440001",
  "issuer_id": "550e8400-e29b-41d4-a716-446655440000",
  "kid": "ed-key-1",
  "status": "VALID",
  "log_index": 42,
  "created_at": "2026-01-13T12:00:00Z"
}
Creates a new cryptographically signed attestation. The attestation is signed using the specified issuer key and recorded in the transparency log with a unique log index for auditability.

Supported Content Payloads

Attestations can be minted for any file type. Include the SHA-256 hash in the document_hash parameter to verify offline file integrity.
Maximum Payload Size: 50 MB. The base64url-encoded payload cannot exceed 50 MB after encoding.
MIME TypeExtensionCategoryDescription
application/pdf.pdfDocumentsPDF documents, contracts, reports, invoices
application/json.jsonDocumentsStructured JSON claims (default)
image/png.pngImagesPNG images, screenshots, scanned documents
image/jpeg.jpg/.jpegImagesJPEG photos, ID scans, certificates
image/webp.webpImagesWebP images
image/tiff.tiffImagesTIFF images, high-resolution scans
video/mp4.mp4VideoMP4 video recordings, depositions, evidence
video/webm.webmVideoWebM video files
audio/mpeg.mp3AudioMP3 audio recordings, voice attestations
audio/wav.wavAudioWAV uncompressed audio
application/octet-streamanyOtherGeneric binary payload for any file type

Credential Schema Catalogue

The schema parameter determines the credential type and expected JSON claims structure.
Schema IDNameCategoryClaim Fields
verifiable-idVerifiable IDIdentityfull_name, employee_id, department, title, start_date
passportPassportIdentityfull_name, nationality, passport_number, date_of_birth, expiry_date, issuing_country
drivers-licenseDriver’s LicenseIdentityfull_name, license_number, state, class, expiry_date, date_of_birth
government-idGovernment IDIdentityfull_name, id_number, id_type, issuing_authority, country, expiry_date
self-sovereign-idSelf-Sovereign IDIdentitydid, display_name, created_at
employment-verificationEmployment VerificationEmploymentemployee_name, employer, position, department, employment_type, start_date, end_date
professional-roleProfessional RoleEmploymentfull_name, title, organization, department, effective_date
membership-cardMembership CardEmploymentmember_name, organization, membership_id, tier, valid_from, valid_to
professional-certificationProfessional CertificationEmploymentholder_name, certification_name, issuing_body, certification_id, issued_date, expiry_date
licenseLicenseEmploymentholder_name, license_type, license_number, issuing_authority, jurisdiction, issued_date, expiry_date
accreditationAccreditationEmploymententity_name, accreditation_body, standard, scope, valid_from, valid_to
degreeDegreeEducationstudent_name, institution, degree_type, field_of_study, graduation_date, honors
completion-certCompletion CertificateEducationparticipant_name, program_name, institution, completion_date, hours
course-creditCourse CreditEducationstudent_name, course_name, institution, credits, grade, semester
transcriptTranscriptEducationstudent_name, institution, program, gpa, total_credits, issue_date
micro-credentialMicro-CredentialEducationearner_name, credential_name, issuer, skills, earned_date
training-completionTraining CompletionEducationtrainee_name, training_program, provider, completion_date, score, certificate_id
medical-licenseMedical LicenseHealthcarepractitioner_name, license_number, specialty, state, issued_date, expiry_date
dea-registrationDEA RegistrationHealthcareregistrant_name, dea_number, schedules, business_activity, expiry_date
board-certificationBoard CertificationHealthcarephysician_name, board, specialty, certification_date, expiry_date
health-credentialHealth CredentialHealthcarepatient_name, credential_type, provider, date, details
vaccination-recordVaccination RecordHealthcarepatient_name, vaccine_name, manufacturer, lot_number, date_administered, dose_number, site
aml-kycAML/KYC CheckComplianceentity_name, check_type, result, risk_level, verified_by, verified_at
security-clearanceSecurity ClearanceComplianceholder_name, clearance_level, granting_agency, granted_date, expiry_date
sam-govSAM.gov RegistrationComplianceentity_name, cage_code, uei, registration_status, expiry_date
jurisdiction-approvalJurisdiction ApprovalComplianceentity_name, jurisdiction, approval_type, approved_date, conditions
attestation-of-willAttestation of WillCompliancedeclarant_name, declaration, witness, date
bank-verificationBank VerificationFinancialaccount_holder, bank_name, account_type, routing_number_last4, verified_date
credit-attestationCredit AttestationFinancialentity_name, credit_score_range, reporting_agency, assessment_date
income-verificationIncome VerificationFinancialindividual_name, employer, annual_income_range, verification_date, tax_year
skill-badgeSkill BadgeSkills & Trainingearner_name, skill_name, proficiency_level, assessed_by, earned_date
competencyCompetency AttestationSkills & Trainingindividual_name, competency, level, assessor, assessment_date
industry-certIndustry CertificationSkills & Trainingholder_name, certification, issuing_body, cert_id, issued_date, expiry_date
product-authenticityProduct AuthenticitySupply Chainproduct_name, sku, serial_number, manufacturer, manufactured_date, origin_country
chain-of-custodyChain of CustodySupply Chainitem_description, from_entity, to_entity, transfer_date, location, condition
origin-verificationOrigin VerificationSupply Chainproduct_name, origin_country, origin_region, certifying_body, verified_date
customCustomOthersubject, type, details
attestationGeneric AttestationOthersubject, claim, evidence

Document hash for file integrity

When attesting a document or file, include the document_hash parameter with the hex-encoded SHA-256 hash of the original file. Verifiers can then confirm the file has not been altered by comparing their computed hash against the stored value — without needing the full payload. The platform resolves the document hash using the following priority:
  1. claims.document.sha256 inside the JSON payload
  2. The explicit document_hash field on the request body
  3. Auto-computed SHA-256 of the raw payload bytes (fallback)
For best results, always compute the hash client-side and pass it explicitly: 
# Compute the SHA-256 hash of a file
HASH=$(shasum -a 256 contract.pdf | awk '{print $1}')

curl -X POST https://api.truthlocks.com/v1/attestations/mint \
  -H "X-API-Key: tl_live_..." \
  -H "Idempotency-Key: unique-request-id" \
  -H "Content-Type: application/json" \
  -d '{
    "issuer_id": "550e8400-e29b-41d4-a716-446655440000",
    "kid": "ed-key-2026",
    "alg": "Ed25519",
    "document_hash": "'"$HASH"'",
    "payload_b64url": "<base64url-encoded file bytes>",
    "content_type": "application/pdf"
  }'
At verification time, pass the same hash as document_hash_hex to the Verify endpoint to confirm file integrity without re-uploading the file.
If you omit document_hash and don’t include claims.document.sha256 in your payload, the platform computes the hash automatically from the raw payload bytes. Passing it explicitly is recommended because it ensures the hash matches the original file before any base64url encoding.

Example: Email Credential Delivery (B2C)

1

Issuer mints via API

Include recipient_email in the request body
2

Account Lookup

System checks if email exists in consumer portal
3

Delivery & Notification

Existing users receive inbox notifications. New users receive a signup invite holding their pending attestations.
The recipient_email is entirely optional. If omitted, you must deliver the attestation URLs to your users manually.

Authorizations

X-API-Key
string
header
required

API key for machine-to-machine authentication

Headers

Idempotency-Key
string
required

Body

application/json
issuer_id
string<uuid>
required

The UUID of the issuer creating the attestation

Example:

"550e8400-e29b-41d4-a716-446655440000"

kid
string
required

Key identifier for the signing key

Example:

"es256-key-1"

alg
enum<string>
required

Cryptographic algorithm used for signing

Available options:
Ed25519,
ES256,
ES384,
ES512,
RS256,
RS384,
RS512,
PS256,
PS384,
PS512
Example:

"ES256"

schema
enum<string>
required

Credential schema type (e.g. verifiable-id, passport, degree, aml-kyc). See full list below.

Available options:
verifiable-id,
passport,
drivers-license,
government-id,
self-sovereign-id,
employment-verification,
professional-role,
membership-card,
professional-certification,
license,
accreditation,
degree,
completion-cert,
course-credit,
transcript,
micro-credential,
training-completion,
medical-license,
dea-registration,
board-certification,
health-credential,
vaccination-record,
aml-kyc,
security-clearance,
sam-gov,
jurisdiction-approval,
attestation-of-will,
bank-verification,
credit-attestation,
income-verification,
skill-badge,
competency,
industry-cert,
product-authenticity,
chain-of-custody,
origin-verification,
custom,
attestation
Example:

"verifiable-id"

claims
object
required

The structured claims for this credential. Fields depend on the selected schema. See schema catalogue below.

Example:
{
  "full_name": "",
  "employee_id": "",
  "department": "",
  "title": "",
  "start_date": ""
}
recipient_email
string<email>

Email address of the credential recipient. When provided, the platform sends a notification email with a link to view the attestation on the consumer portal (verify.truthlocks.com). If the recipient does not have a consumer portal account, they receive an invitation to sign up. This enables B2C credential delivery workflows.

document_hash
string

Hex-encoded SHA-256 hash of the document or file being attested. Used for document integrity verification — verifiers can recompute the hash of the original file and compare it against this stored value. If omitted, the system checks for claims.document.sha256 in the payload, and if that is also absent, auto-computes the SHA-256 of the raw payload bytes. For best results, compute the hash client-side before base64url-encoding the payload.

pack_id
string<uuid>

UUID of the verification pack to link this attestation to. The pack must be in 'active' status. When provided, the pack's verifications_count is automatically incremented. Use this to organize attestations by verification program and track analytics per pack.

content_type
string

MIME type of the payload. Supported: application/json (default), application/pdf, image/png, image/jpeg, image/webp, image/tiff, video/mp4, video/webm, audio/mpeg, audio/wav, application/octet-stream. Max payload size: 50 MB.

Example:

"application/json"

Response

Attestation minted

id
string<uuid>
issuer_id
string<uuid>
kid
string
status
enum<string>
Available options:
VALID,
REVOKED,
SUPERSEDED
payload
object
signature
string
log_index
integer
created_at
string<date-time>