Attestation API v2
Enterprise Data Origin Integrity
Scope Disclaimer
FeedOracle provides transport integrity proofs, not content verification. We prove THAT data was received from a source, not WHAT the data means.
| Yes We Prove | — We Don't Prove |
|---|---|
| TLS connection to source server | Accuracy of source data content |
| Data hash at time of fetch | Financial solvency |
| Signature chain integrity | Regulatory compliance |
| On-chain anchoring timestamp | Future data availability |
⚡ Verify in 60 Seconds
Step 1: Run integrity test
curl https://api.feedoracle.io/api/v2/attestation/test | jq '.all_pass' # Expected: true
Step 2: Get on-chain anchor
curl https://api.feedoracle.io/api/v2/attestation/anchor/latest | jq '.anchor.tx_hash' # Returns anchor TX hash - verify on XRPL explorer
Step 3: Verify a payload hash
curl https://api.feedoracle.io/api/v2/attestation/verify/{YOUR_HASH}
# Returns envelope if foundEndpoints
| Endpoint | Description | Auth |
|---|---|---|
/api/v2/attestation/test | Run integrity test on all sources | Public |
/api/v2/attestation/attacks | 4-vector attack simulation | Public |
/api/v2/attestation/sources | List attested sources + TLS policies | Public |
/api/v2/attestation/merkle | Current Merkle root | Public |
/api/v2/attestation/anchor/latest | Latest on-chain anchor | Public |
/api/v2/attestation/verify/{hash} | Verify payload hash (64 hex) | Public |
/api/v2/attestation/disclaimer | Legal scope | Public |
Response Examples
GET /api/v2/attestation/test
{
"schema_version": "attestation-envelope/1.0",
"test": "DATA_ORIGIN_INTEGRITY",
"all_pass": true,
"results": [{
"source_id": "btc_hashrate",
"status": "PASS",
"sig_valid": true,
"tamper_ok": true,
"tls_fp": "9faf4297...64hex",
"hash": "ca4b4b4d...64hex",
"sig": "31a11aaf...64hex"
}]
}
GET /api/v2/attestation/attacks
{
"test": "ATTACK_SUITE",
"all_pass": true,
"results": [
{"attack": "TAMPER", "ok": true},
{"attack": "CERT_SWAP", "ok": true},
{"attack": "REPLAY", "ok": true},
{"attack": "SIG_STRIP", "ok": true}
]
}
GET /api/v2/attestation/anchor/latest
{
"schema_version": "attestation-envelope/1.0",
"anchor": {
"chain": "xrpl",
"contract": "0xE1eAC4435716B1B8F358D280ab87FB04FEa7b93C",
"tx_hash": "0xdb7f5ab85c55a78e9b6d5e202d98bf02...",
"block": 81721330,
"timestamp": "2026-01-16T11:23:52Z",
"data_hash": "6f2957bac3a775ea5deed8ee0b068d19...",
"polygonscan": "https://polygonscan.com/tx/0xdb7f5ab..."
}
}
Attack Suite Details
| Attack | Threat Model | Detection Signal |
|---|---|---|
| TAMPER | Attacker modifies payload after fetch | Signature mismatch (HMAC fails) |
| CERT_SWAP | Attacker presents different TLS cert | Issuer not in allowlist |
| REPLAY | Attacker reuses old attestation | Timestamp outside window |
| SIG_STRIP | Attacker removes signature field | Missing signature detected |
Attestation Envelope Schema
{
"schema_version": "attestation-envelope/1.0",
"request_id": "uuid-v4",
"source_id": "btc_hashrate",
"source_url": "https://mempool.space/api/v1/mining/hashrate/1w",
"as_of": "2026-01-25T18:30:00Z",
"fetched_at": "2026-01-25T18:30:00Z",
"tls": {
"fingerprint_sha256": "9faf4297...64hex",
"issuer": "Sectigo Limited",
"tls_version": "TLSv1.3",
"cipher_suite": "TLS_AES_256_GCM_SHA384"
},
"payload_hash_sha256": "ca4b4b4d...64hex",
"payload_size_bytes": 1234,
"signature": "31a11aaf...64hex (HMAC-SHA256)",
"sig_alg": "HMAC-SHA256",
"signing_key_id": "fo-prod-2026-01",
"verification_status": "VERIFIED",
"tamper_status": "INTACT",
"mitm_detected": false,
"warnings": []
}
Canonical JSON Rules
For signature verification, JSON must be serialized deterministically:
- Encoding: UTF-8
- Key order: Alphabetical (sort_keys=True)
- Separators: Compact -
(',', ':') - ASCII: ensure_ascii=True
Related
- Contracts & Anchors - Single source of truth for contract addresses
- OpenAPI Spec
- Postman Collection