> ## Documentation Index
> Fetch the complete documentation index at: https://docs.truthlocks.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Mint Receipt

> Create a cryptographically signed, transparency-log-anchored receipt event.

Creates a cryptographically signed, transparency-log-anchored receipt event. Receipts are validated against the registered receipt type schema before signing.

### Receipt types

| Type                     | Name                   | Required Fields                                                   |
| ------------------------ | ---------------------- | ----------------------------------------------------------------- |
| `payment_receipt`        | Payment Receipt        | `amount`, `currency`, `provider`, `provider_reference`, `subject` |
| `security_event_receipt` | Security Event Receipt | `event_type`, `severity`, `subject`, `outcome`                    |
| `delivery_receipt`       | Delivery Receipt       | `item_reference`, `recipient`, `delivery_method`, `delivered_at`  |
| `compliance_receipt`     | Compliance Receipt     | `check_type`, `subject`, `result`, `framework`                    |
| `custom_receipt`         | Custom Receipt         | `subject`, `event`                                                |

## Headers

<ParamField header="Idempotency-Key" type="string" required>
  UUID for idempotent minting. If you submit the same key twice, the original receipt is returned.
</ParamField>

## Request

<ParamField body="issuer_id" type="string" required>
  UUID of the issuer signing the receipt.
</ParamField>

<ParamField body="kid" type="string" required>
  Key ID of the signing key.
</ParamField>

<ParamField body="alg" type="string" required>
  Signing algorithm: `Ed25519`, `ES256`, or `RS256`.
</ParamField>

<ParamField body="receipt_type" type="string" required>
  Receipt type name (e.g. `payment_receipt`, `security_event_receipt`, or a custom type).
</ParamField>

<ParamField body="subject" type="string" required>
  Subject identifier for the receipt.
</ParamField>

<ParamField body="payload" type="object" required>
  Receipt payload — validated against the receipt type's JSON Schema.
</ParamField>

<ParamField body="metadata" type="object">
  Optional metadata attached to the receipt envelope.
</ParamField>

## Response

<ResponseField name="receipt_id" type="string">UUID of the created receipt.</ResponseField>
<ResponseField name="receipt_type" type="string">The receipt type name.</ResponseField>
<ResponseField name="status" type="string">`active`</ResponseField>
<ResponseField name="issuer_id" type="string">UUID of the signing issuer.</ResponseField>
<ResponseField name="subject" type="string">Subject identifier.</ResponseField>
<ResponseField name="signature" type="object">Cryptographic signature: `alg`, `kid`, `value`.</ResponseField>
<ResponseField name="issued_at" type="string">ISO 8601 timestamp.</ResponseField>

### Webhook event

A `receipt.created` webhook event is delivered to all configured endpoints after a successful mint.


## OpenAPI

````yaml mint-openapi.yaml POST /v1/receipts
openapi: 3.0.3
info:
  title: Truthlocks API
  description: >
    Truthlocks is a universal verification infrastructure for documents,
    credentials, and digital assets.

    This specification defines the canonical API for interacting with Truthlocks
    services.


    ## Base URLs

    - **Production**: `https://api.truthlocks.com`

    - **Sandbox**: `https://sandbox-api.truthlocks.com`


    ## Authentication

    - **API Keys**: Use `X-API-Key` header for machine-to-machine operations

    - **Bearer Tokens**: Use `Authorization: Bearer <jwt>` for user-initiated
    operations


    ## Tenant Identity

    In production, tenant identity is derived from the authenticated context
    (API key or JWT).

    The `X-Tenant-ID` header is ignored in production to prevent spoofing.
  version: 1.0.0
  contact:
    name: Truthlocks Support
    url: https://truthlocks.com/support
    email: support@truthlocks.com
servers:
  - url: https://api.truthlocks.com
    description: Production API
  - url: https://sandbox-api.truthlocks.com
    description: Sandbox Environment
security:
  - APIKey: []
tags:
  - name: Authentication
    description: API key and token management
  - name: Issuers
    description: Issuer registration and trust management
  - name: Keys
    description: Cryptographic key management for issuers
  - name: Attestations
    description: Attestation lifecycle (mint, revoke, supersede)
  - name: Verification
    description: Attestation verification and proof bundles
  - name: Governance
    description: Issuer governance workflows (admin only)
  - name: Identity
    description: Organization, user, and role management
  - name: Audit
    description: Audit event queries
  - name: Platform
    description: Platform administration (super admin only)
  - name: Platform Review
    description: Staff review workflows for issuer applications
  - name: Tenant Console
    description: Tenant profile and lifecycle endpoints
  - name: Health
    description: Service health and readiness endpoints
  - name: Risk
    description: Risk signal ingestion and fraud detection
  - name: Risk Enforcement
    description: Risk enforcement actions — block, challenge, quarantine, and configuration
  - name: Billing
    description: Billing, subscription, and addon management
  - name: Machine Identity
    description: >-
      Machine Agent Identity Protocol (MAIP) — agent registration, sessions,
      trust, witness, compliance, orchestration, and observability
externalDocs:
  description: Transparency read-only API (separate service spec)
  url: >-
    https://github.com/truthlocks/truthlock/blob/main/docs/transparency/openapi.yaml
paths:
  /v1/receipts:
    post:
      tags:
        - Receipts
      summary: Mint receipt
      description: >-
        Creates a cryptographically signed, transparency-log-anchored receipt
        event.
      operationId: receipts.mint
      parameters:
        - name: Idempotency-Key
          in: header
          required: true
          schema:
            type: string
          description: UUID for idempotent minting
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - issuer_id
                - kid
                - alg
                - receipt_type
                - subject
                - payload
              properties:
                issuer_id:
                  type: string
                  description: UUID of the issuer signing the receipt
                kid:
                  type: string
                  description: Key ID of the signing key
                alg:
                  $ref: '#/components/schemas/SigningAlgorithm'
                  description: Signing algorithm
                receipt_type:
                  type: string
                  description: Receipt type name
                subject:
                  type: string
                  description: Subject identifier
                payload:
                  type: object
                  description: Receipt payload validated against schema
                metadata:
                  type: object
                  description: Optional metadata
      responses:
        '201':
          description: Receipt created
          content:
            application/json:
              schema:
                type: object
                properties:
                  receipt_id:
                    type: string
                  receipt_type:
                    type: string
                  status:
                    type: string
                  issuer_id:
                    type: string
                  subject:
                    type: string
                  signature:
                    type: object
                    properties:
                      alg:
                        type: string
                      kid:
                        type: string
                      value:
                        type: string
                  issued_at:
                    type: string
        '401':
          description: Authentication required
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
        '422':
          description: Schema validation error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
      security:
        - APIKey: []
components:
  schemas:
    SigningAlgorithm:
      type: string
      enum:
        - Ed25519
        - ES256
        - ES384
        - ES512
        - RS256
        - RS384
        - RS512
        - PS256
        - PS384
        - PS512
      description: Signing algorithm for key generation
    ErrorEnvelope:
      type: object
      required:
        - code
        - message
        - http_status
      properties:
        code:
          type: string
          description: Machine-readable error code
          enum:
            - AUTH_REQUIRED
            - AUTH_INVALID
            - PERMISSION_DENIED
            - TENANT_IDENTITY_UNVERIFIED
            - NOT_FOUND
            - VALIDATION_ERROR
            - CONFLICT
            - PAYLOAD_TOO_LARGE
            - RATE_LIMIT_EXCEEDED
            - QUOTA_EXCEEDED
            - SERVICE_UNAVAILABLE
            - INTERNAL_ERROR
        message:
          type: string
          description: Human-readable error message
        http_status:
          type: integer
          description: HTTP status code
        retry_after_ms:
          type: integer
          description: Milliseconds to wait before retrying (for rate limits)
        details:
          type: object
          description: Additional error context
      example:
        code: AUTH_REQUIRED
        message: Authentication required
        http_status: 401
  securitySchemes:
    APIKey:
      type: apiKey
      in: header
      name: X-API-Key
      description: API key for machine-to-machine authentication

````