> ## Documentation Index
> Fetch the complete documentation index at: https://docs.truthlocks.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Deepfake & impersonation scan

> Submit a subject for deepfake and impersonation analysis. Returns scores, verdict, and indicators. Automatically ingests a risk signal if scores exceed the auto-trigger threshold (60).

## How detection works

Scans use a **heuristic signal engine** (`heuristic_v1`) that accepts caller-provided signals (from external ML models, rule engines, or manual review) and maps them to weighted scores:

* **Deepfake indicators:** face swap, inconsistent lighting, compression artifacts, temporal inconsistency, metadata mismatch
* **Impersonation indicators:** biometric mismatch, name mismatch, identity doc mismatch, issuer trust violation

Scores ≥ 75 set verdict `deepfake` or `impersonation`. Scores ≥ 40 set `suspect`. Scores ≥ 60 automatically ingest a risk signal.

You can also bypass heuristic analysis by passing pre-computed `deepfake_score` and `impersonation_score` values directly. The platform still applies the same verdict thresholds and automatic signal ingestion.

See the [deepfake detection guide](/guides/deepfake-detection) for the full workflow, indicator reference, and additional examples.

## Request

<ParamField body="subject_ref" type="string" required>
  Reference to the subject being scanned — URL, SHA-256 hash, attestation ID, or any opaque identifier.
</ParamField>

<ParamField body="subject_type" type="string" required>
  Type of subject: `image`, `video`, `document`, `attestation`, `identity`
</ParamField>

<ParamField body="signals" type="array">
  Array of indicator strings from your external model or rules engine (e.g. `["face_swap_detected", "metadata_mismatch"]`). When provided without pre-computed scores, the heuristic engine maps these to weighted deepfake and impersonation scores.
</ParamField>

<ParamField body="attestation_id" type="string">
  UUID of an attestation to associate with this scan result. Use this to tie detection results to the credential they relate to.
</ParamField>

<ParamField body="deepfake_score" type="integer">
  Pre-computed deepfake score (0–100) from an external model. If provided along with `impersonation_score`, heuristic analysis is skipped.
</ParamField>

<ParamField body="impersonation_score" type="integer">
  Pre-computed impersonation score (0–100) from an external model.
</ParamField>

## Response

<ResponseField name="scan_id" type="string">UUID of the scan result.</ResponseField>
<ResponseField name="subject_ref" type="string">The subject reference that was scanned.</ResponseField>
<ResponseField name="subject_type" type="string">Type of subject: `image`, `video`, `document`, `attestation`, `identity`</ResponseField>
<ResponseField name="deepfake_score" type="integer">Deepfake probability score (0–100).</ResponseField>
<ResponseField name="impersonation_score" type="integer">Impersonation probability score (0–100).</ResponseField>
<ResponseField name="verdict" type="string">`authentic` | `suspect` | `deepfake` | `impersonation`</ResponseField>
<ResponseField name="indicators" type="array">List of triggered indicators from the scan.</ResponseField>
<ResponseField name="detection_model" type="string">Detection model used (e.g. `heuristic_v1`).</ResponseField>
<ResponseField name="signal_id" type="string">UUID of the auto-ingested risk signal (only present when score ≥ 60).</ResponseField>
<ResponseField name="attestation_id" type="string">UUID of the linked attestation, if one was provided during the scan.</ResponseField>
<ResponseField name="created_at" type="string">ISO 8601 timestamp of when the scan was performed.</ResponseField>


## OpenAPI

````yaml mint-openapi.yaml POST /v1/risk/deepfake/scan
openapi: 3.0.3
info:
  title: Truthlocks API
  description: >
    Truthlocks is a universal verification infrastructure for documents,
    credentials, and digital assets.

    This specification defines the canonical API for interacting with Truthlocks
    services.


    ## Base URLs

    - **Production**: `https://api.truthlocks.com`

    - **Sandbox**: `https://sandbox-api.truthlocks.com`


    ## Authentication

    - **API Keys**: Use `X-API-Key` header for machine-to-machine operations

    - **Bearer Tokens**: Use `Authorization: Bearer <jwt>` for user-initiated
    operations


    ## Tenant Identity

    In production, tenant identity is derived from the authenticated context
    (API key or JWT).

    The `X-Tenant-ID` header is ignored in production to prevent spoofing.
  version: 1.0.0
  contact:
    name: Truthlocks Support
    url: https://truthlocks.com/support
    email: support@truthlocks.com
servers:
  - url: https://api.truthlocks.com
    description: Production API
  - url: https://sandbox-api.truthlocks.com
    description: Sandbox Environment
security:
  - APIKey: []
tags:
  - name: Authentication
    description: API key and token management
  - name: Issuers
    description: Issuer registration and trust management
  - name: Keys
    description: Cryptographic key management for issuers
  - name: Attestations
    description: Attestation lifecycle (mint, revoke, supersede)
  - name: Verification
    description: Attestation verification and proof bundles
  - name: Governance
    description: Issuer governance workflows (admin only)
  - name: Identity
    description: Organization, user, and role management
  - name: Audit
    description: Audit event queries
  - name: Platform
    description: Platform administration (super admin only)
  - name: Platform Review
    description: Staff review workflows for issuer applications
  - name: Tenant Console
    description: Tenant profile and lifecycle endpoints
  - name: Health
    description: Service health and readiness endpoints
  - name: Risk
    description: Risk signal ingestion and fraud detection
  - name: Risk Enforcement
    description: Risk enforcement actions — block, challenge, quarantine, and configuration
  - name: Billing
    description: Billing, subscription, and addon management
  - name: Machine Identity
    description: >-
      Machine Agent Identity Protocol (MAIP) — agent registration, sessions,
      trust, witness, compliance, orchestration, and observability
externalDocs:
  description: Transparency read-only API (separate service spec)
  url: >-
    https://github.com/truthlocks/truthlock/blob/main/docs/transparency/openapi.yaml
paths:
  /v1/risk/deepfake/scan:
    post:
      tags:
        - Risk
      summary: Deepfake scan
      description: Submits media for deepfake detection analysis.
      operationId: risk.deepfake.scan
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - subject_ref
                - media_url
              properties:
                subject_ref:
                  type: string
                  description: Reference identifier for the subject
                media_url:
                  type: string
                  description: URL of the media to scan
                media_type:
                  type: string
                  enum:
                    - image
                    - video
                    - audio
                callback_url:
                  type: string
                  description: Webhook URL for async results
      responses:
        '202':
          description: Scan initiated
          content:
            application/json:
              schema:
                type: object
                properties:
                  scan_id:
                    type: string
                  status:
                    type: string
                  subject_ref:
                    type: string
        '401':
          description: Authentication required
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
      security:
        - APIKey: []
components:
  schemas:
    ErrorEnvelope:
      type: object
      required:
        - code
        - message
        - http_status
      properties:
        code:
          type: string
          description: Machine-readable error code
          enum:
            - AUTH_REQUIRED
            - AUTH_INVALID
            - PERMISSION_DENIED
            - TENANT_IDENTITY_UNVERIFIED
            - NOT_FOUND
            - VALIDATION_ERROR
            - CONFLICT
            - PAYLOAD_TOO_LARGE
            - RATE_LIMIT_EXCEEDED
            - QUOTA_EXCEEDED
            - SERVICE_UNAVAILABLE
            - INTERNAL_ERROR
        message:
          type: string
          description: Human-readable error message
        http_status:
          type: integer
          description: HTTP status code
        retry_after_ms:
          type: integer
          description: Milliseconds to wait before retrying (for rate limits)
        details:
          type: object
          description: Additional error context
      example:
        code: AUTH_REQUIRED
        message: Authentication required
        http_status: 401
  securitySchemes:
    APIKey:
      type: apiKey
      in: header
      name: X-API-Key
      description: API key for machine-to-machine authentication

````