🚀 Start Certifying in 2 Minutes

✓ JSON response in <3s ✓ eIDAS Qualified TSA + Tezos blockchain ✓ Evidence Pack verifiable offline

Enterprise? contact@sbix.io

Quick Example

curl -X POST https://certify.sbix.io/api/certify \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"leaves":["your_sha256_hash"]}'

# Response (201 Created)
{
  "proof_id": "proof_9cec4ed9a95e4ed8",
  "merkle_root": "6e8f29ea6206...",
  "tsa_type": "eIDAS Qualified",
  "eidas_qualified": true
}

🔌 API Reference

Integrate document certification into your applications

v6.2 ✓ Production Live

Overview Authentication Endpoints Certify Retrieve Evidence Pack Verify Errors

Overview

The SBIX Certify API creates cryptographic proof-of-existence for your data. One API call delivers triple-anchored evidence: eIDAS Qualified Timestamp, Tezos Mainnet blockchain, and Aleph.im/IPFS decentralized storage.

Base URL:

https://certify.sbix.io

🔐

Secure

TLS 1.3, Bearer token auth

🇪🇺

eIDAS

EU qualified timestamps

⛓️

Blockchain

Tezos Mainnet + Aleph.im

🔍

Public Verify

No-auth verification portal

What You Get Per API Call

Layer	Technology	Legal Value
Qualified Timestamp	RFC-3161 via QTSA.eu (EU Trusted List)	Article 41 eIDAS — court-admissible in 27 EU states
Blockchain	Tezos Mainnet	Tamper-proof, independently verifiable
Decentralized Storage	Aleph.im / IPFS	Resilient, censorship-resistant

Quick Start

cURL • Certify a hash

# Certify a SHA-256 hash in one request
curl -X POST https://certify.sbix.io/api/certify \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"leaves":["e3b0c44298fc1c149afbf4c8996fb924..."], "leaves_hashed": true}'

Authentication

All API calls require a Bearer token in the Authorization header. The public verification portal (/verify/{proof_id}) requires no authentication.

Authorization Header

Authorization: Bearer sbix_live_xxxxxxxxxxxxxxxx

⚠️ Keep your API key secret!

Never expose your API key in client-side code or public repositories.

Getting Your API Key

Log in to your Dashboard
Go to API Keys section
Click "Generate New API Key"
Copy the key immediately (shown only once)

API Key Format

Format

sbix_live_<64_hex_characters>

Example:
sbix_live_7efbd6230039b2dd745b1c4334ef1713a770f245204476a5b881eef0b32c4fc6

Endpoints

🔐 Certify API — Authenticated

Base URL: https://certify.sbix.io

Method	Endpoint	Description
POST	`/api/certify`	Create a proof (main endpoint)
GET	`/api/proof/{proof_id}`	Retrieve proof details
GET	`/api/export/proof/{proof_id}.json`	Download proof JSON file
GET	`/api/v1/certificates/{proof_id}/evidence-pack`	Download Evidence Pack (8-file ZIP)

🔍 Public Verification — No Auth Required

✓ No authentication required — share these URLs with anyone

Method	Endpoint	Description
GET	`/verify/{proof_id}`	Public verification page (human-readable)
GET	`/api/v1/verify/{proof_id}`	Public verification API (JSON response)
GET	`/api/v1/health`	Health check (service status)

POST /api/certify

The main endpoint. Accepts one or more data items, builds a Merkle tree, timestamps the root with an eIDAS Qualified TSA, and anchors it on Tezos Mainnet.

POST https://certify.sbix.io/api/certify

Parameters

Parameter	Type	Required	Description
`leaves`	string[]	Yes	Array of data to certify (hashes or text). Max 10,000 items.
`leaves_hashed`	boolean	No	If true, leaves are already SHA-256 hex hashes (skip re-hashing)
`filename`	string	No	Label for the proof (e.g., original filename)
`case_reference`	string	No	Legal case reference (e.g., "CASE-2026-001")
`requester_name`	string	No	Identity of the person requesting certification
`requester_hash_only`	boolean	No	If true, only stores a hash of requester_name (privacy mode)

💡 Merkle Batching

Whether you send 1 leaf or 10,000 leaves, exactly 1 timestamp token is consumed. The Merkle tree compresses N items into 1 root. Ideal for batching large volumes.

Request — Single hash

cURL

curl -X POST https://certify.sbix.io/api/certify \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "leaves": ["e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"],
    "filename": "contract_v3.pdf",
    "leaves_hashed": true
  }'

Request — Batch (multiple items)

cURL

curl -X POST https://certify.sbix.io/api/certify \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "leaves": [
      "hash_of_document_1",
      "hash_of_document_2",
      "hash_of_document_3"
    ],
    "filename": "daily_batch_2026-02-01",
    "case_reference": "AUDIT-Q1-2026",
    "leaves_hashed": true
  }'

Response (201 Created)

JSON

{
  "message": "Proof successfully generated",
  "proof_id": "proof_9cec4ed9a95e4ed8",
  "merkle_root": "6e8f29ea62064465c81ff096609953345a8475f0cb53324833e7ea7a0604593f",
  "timestamp": "2026-02-01T13:24:55.348703Z",
  "tsa_type": "eIDAS Qualified",
  "eidas_qualified": true
}

Response Headers

Header	Description
`Location`	`/certify/proof/{proof_id}`
`ETag`	Merkle root hash
`SBIX-Signature`	`v1={hmac_signature}`
`SBIX-TSA-Type`	`eIDAS Qualified` or `Local`

🔁 Idempotency

Pass an Idempotency-Key header to prevent duplicate certifications. Same key within 24h returns the cached result.

Python Example

Python

import requests
import hashlib

API_KEY = "sbix_live_your_key_here"

# Hash a file locally
with open("document.pdf", "rb") as f:
    file_hash = hashlib.sha256(f.read()).hexdigest()

# Certify
response = requests.post(
    "https://certify.sbix.io/api/certify",
    headers={"Authorization": f"Bearer {API_KEY}"},
    json={
        "leaves": [file_hash],
        "filename": "document.pdf",
        "leaves_hashed": True
    }
)

result = response.json()
print(f"Proof ID: {result['proof_id']}")
print(f"Verify:   https://certify.sbix.io/verify/{result['proof_id']}")

JavaScript Example

JavaScript / Node.js

const crypto = require('crypto');
const fs = require('fs');

const API_KEY = 'sbix_live_your_key_here';

// Hash a file
const fileHash = crypto.createHash('sha256')
  .update(fs.readFileSync('document.pdf'))
  .digest('hex');

// Certify
const response = await fetch('https://certify.sbix.io/api/certify', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${API_KEY}`,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    leaves: [fileHash],
    filename: 'document.pdf',
    leaves_hashed: true
  })
});

const result = await response.json();
console.log(`Proof: ${result.proof_id}`);

Retrieve Proofs

GET /api/proof/{proof_id}

Retrieve the full proof record including all anchoring details.

GET https://certify.sbix.io/api/proof/{proof_id}

cURL

curl https://certify.sbix.io/api/proof/proof_9cec4ed9a95e4ed8 \
  -H "Authorization: Bearer YOUR_API_KEY"

Returns the complete proof JSON including leaves, Merkle tree, TSA token data, blockchain anchors (Tezos TX, Aleph hash), timestamps, and HMAC signature. Response is cached as immutable — proofs are permanent.

⏳ Async Anchoring

Tezos and Aleph.im anchoring happens asynchronously (typically 30–60 seconds). The tezos_tx and aleph_hash fields may be null on immediate retrieval.

GET /api/v1/verify/{proof_id}

Public JSON verification endpoint — no authentication required. Returns proof details and verification status.

GET https://certify.sbix.io/api/v1/verify/{proof_id}

cURL

curl https://certify.sbix.io/api/v1/verify/proof_9cec4ed9a95e4ed8

Response • 200 OK

{
  "success": true,
  "data": {
    "verified": true,
    "certificate": {
      "proof_id": "proof_9cec4ed9a95e4ed8",
      "file_hash": "e3b0c44...",
      "has_eidas": true,
      "created_at": "2026-02-01T13:24:55Z",
      "blockchain_anchors": {
        "tezos": "oo...",
        "aleph": "Qm..."
      }
    }
  }
}

Evidence Pack

Download a court-ready ZIP package containing all verification artifacts. Everything needed to verify the proof independently, offline, without contacting SBIX.

GET https://certify.sbix.io/api/v1/certificates/{proof_id}/evidence-pack

cURL

curl -o evidence_pack.zip \
  https://certify.sbix.io/api/v1/certificates/proof_9cec4ed9a95e4ed8/evidence-pack \
  -H "Authorization: Bearer YOUR_API_KEY"

📦 Evidence Pack Contents (8 files)

📄

certificate.pdf A4 certificate with QR code

📋

proof.json Full cryptographic proof

⏱️

timestamp.tsr RFC-3161 TSA token (eIDAS)

🔗

anchors.json Blockchain anchoring details

📖

verify.md Instructions + eIDAS legal notice

🐍

verify.py Python verification (stdlib only)

🔧

verify.sh Bash verification script

🔒

sha256sums.txt Integrity checksums for all files

You can also download the proof JSON directly:

GET https://certify.sbix.io/api/export/proof/{proof_id}.json

💡 Legacy export

/api/export/proof/{proof_id}.zip returns a basic 2-file archive (JSON + CSV). Use the Evidence Pack endpoint above for the full 8-file package.

🔍 Public Verification

Every proof has a public verification page that anyone can access — no account, no API key, no authentication. Share this URL with third parties, auditors, or courts.

✓ No authentication required

Anyone can verify any proof. Zero vendor lock-in.

GET https://certify.sbix.io/verify/{proof_id}

Example URL

https://certify.sbix.io/verify/proof_bb0593e0d35c434f

The verification page displays proof details, all three anchoring layers (TSA, Tezos, Aleph), and download links for the PDF certificate and TSA token.

Independent Verification

Every proof can be verified without SBIX using standard tools:

Verify TSA token with OpenSSL

# Verify the RFC-3161 timestamp independently
openssl ts -verify -in timestamp.tsr -data proof.json

Verify file integrity

# Check all Evidence Pack files
sha256sum -c sha256sums.txt

Error Handling

Errors return JSON with an error field describing the problem.

Error Response Format

{
  "error": "Description of the problem"
}

Status Codes

Code	Meaning
`200`	Success
`201`	Created (proof generated)
`400`	Bad Request (missing or invalid parameters)
`401`	Unauthorized (missing or invalid API key)
`404`	Proof not found
`500`	Server error

Ready to integrate?

Get your API key and start certifying documents with blockchain + eIDAS timestamps.