EPM v1.0 — Evidence Pack Manifest
A universal standard for packaging, signing, and verifying evidence artifacts across RLUSD integrity and supply chain carbon domains.
Data Infrastructure Only. EPM provides data signals and indicators. It is not certification of any kind or legal advice.
Why EPM?
- Unified schema across multiple evidence domains
- Jurisdiction-aware metadata (EU, UK, US, Global)
- DSSE envelope for cryptographic signatures
- RFC 8785 JCS for deterministic hashing
- CloudEvents-compatible webhooks
Required Fields
| Field | Type | Description |
|---|---|---|
| epm_version | string | Always "1.0" |
| manifest_id | string | Unique ID (EPM-TYPE-TIMESTAMP) |
| type | enum | rlusd.integrity, carbon.supplychain, rwa.health |
| issued_at | datetime | ISO 8601 UTC timestamp |
| issuer | object | {id, name, lei?} |
| subject | object | {id, type} |
Recommended Fields
| Field | Description |
|---|---|
| jurisdiction | EU, UK, US, GLOBAL, or ISO-3166 |
| handling | {class: PUBLIC\|INTERNAL\|CONFIDENTIAL, retention_days} |
| sources[] | Data provenance [{name, uri, retrieved_at}] |
| anchors[] | Blockchain proofs [{chain, txid}] |
| attestors[] | Signers [{role, id, signature_ref}] |
| manifest_hash | JCS canonical SHA-256 hash |
| disclaimer_ref | URL to legal disclaimer |
Demo: Try It Live
Get a fresh evidence pack and verify it:
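# 1. Get fresh DSSE (unique manifest_id each call) and save it for step 2
curl -o fresh.json https://api.feedoracle.io/api/v1/epm/example/fresh
# 2. First verify → PASS
curl -X POST -H "Content-Type: application/json" \
  -d @fresh.json https://api.feedoracle.io/api/v1/epm/verify
# 3. Second verify (same ID, same command as step 2) → REPLAY_DETECTED
curl -X POST -H "Content-Type: application/json" \
  -d @fresh.json https://api.feedoracle.io/api/v1/epm/verify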
Replay Protection: Each manifest_id can only be verified once. This prevents replay attacks.
Verify Endpoint
POST /api/v1/epm/verify
Content-Type: application/json
{
"payloadType": "application/vnd.feedoracle.epm+json",
"payload": "<base64-manifest>",
"signatures": [{"keyid": "feedoracle-master-2026", "sig": "..."}]
}
Response Status Codes
| Endpoint | Success | Error |
|---|---|---|
| POST /verify | PASS (all sigs valid), PARTIAL (structure ok, some sigs failed) | status: FAIL (400) or REPLAY_DETECTED (409) |
| GET /manifest/{id} | status: OK + manifest object | error.code: NOT_FOUND (404) |
| GET /example/fresh | Always returns fresh DSSE | — |
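The verify flow and its status codes, sketched as an added example (not FeedOracle's code). Assumptions: HMAC-SHA256 with a constructed key stands in for the signature scheme, which the page does not name; zero valid signatures maps to FAIL; and a manifest_id is recorded only after a full PASS, so a forged envelope cannot use up a legitimate ID.

```python
import base64, hashlib, hmac, json

PAYLOAD_TYPE = "application/vnd.feedoracle.epm+json"
REQUIRED = ("epm_version", "manifest_id", "type", "issued_at", "issuer", "subject")
TYPES = ("rlusd.integrity", "carbon.supplychain", "rwa.health")
KEYS = {"demo-key": b"constructed-secret"}  # constructed key store, not a real EPM key

def pae(payload_type, body):
    """DSSE pre-authentication encoding: the exact bytes each signature covers."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(body), body)

def sign(keyid, payload_type, body):
    """Stand-in signer (HMAC-SHA256 over the PAE); an assumption, see lead-in."""
    mac = hmac.new(KEYS[keyid], pae(payload_type, body), hashlib.sha256).digest()
    return {"keyid": keyid, "sig": base64.b64encode(mac).decode()}

def sig_ok(s, payload_type, body):
    """True only for a known keyid whose signature matches, in constant time."""
    try:
        want = sign(s["keyid"], payload_type, body)["sig"]
        return hmac.compare_digest(want, s["sig"])
    except (KeyError, TypeError):  # malformed entry, unknown key, non-ASCII sig
        return False

def verify(envelope, seen):
    """Return PASS, PARTIAL, FAIL or REPLAY_DETECTED for one DSSE envelope."""
    try:
        body = base64.b64decode(envelope["payload"], validate=True)
        manifest = json.loads(body)
    except (KeyError, TypeError, ValueError):
        return "FAIL"
    sigs = envelope.get("signatures")
    if envelope.get("payloadType") != PAYLOAD_TYPE or not isinstance(manifest, dict):
        return "FAIL"
    if not isinstance(sigs, list) or not sigs:
        return "FAIL"
    if any(f not in manifest for f in REQUIRED) or not isinstance(manifest["manifest_id"], str):
        return "FAIL"
    if manifest["epm_version"] != "1.0" or manifest["type"] not in TYPES:
        return "FAIL"
    good = sum(sig_ok(s, PAYLOAD_TYPE, body) for s in sigs)
    if good == 0:
        return "FAIL"
    if good < len(sigs):
        return "PARTIAL"
    if manifest["manifest_id"] in seen:
        return "REPLAY_DETECTED"
    seen.add(manifest["manifest_id"])  # record the ID only after every check passed
    return "PASS"
```

`seen` is the caller's replay store; in a real service it would be shared, persistent storage rather than an in-process set.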
Manifest Fetch Endpoint
GET /api/v1/epm/manifest/{manifest_id}
# Response (200)
{
"status": "OK",
"manifest_id": "EPM-RLUSD-20260130",
"manifest": { ... },
"retrieved_at": "2026-01-30T23:00:00Z"
}
# Response (404)
{
"status": "FAIL",
"error": { "code": "NOT_FOUND", "message": "Manifest ... not found" }
}
TTL: Manifests are cached for 1 hour after creation or verification.