POST /zeq/compliance/verify

Verify a ZeqCompliance v1 envelope against the ZeqProof it claims to certify. No authentication, no DB lookup, no API key required — pure crypto.

Method: POST · Path: /zeq/compliance/verify · Group: Zeq Core · Auth: none (public)

Why this exists

Every POST /zeq/compute response carries a ZeqCompliance v1 envelope. The envelope's chain.envelope_hash is the SHA-256 of the envelope minus its chain field, and is bound to the same zeq_proof returned in the result.

POST /zeq/compliance/verify lets any third party — an FDA inspector, a SOC 2 auditor, a counterparty — confirm that a compliance record matches the computation it claims to certify, without holding your API key and without round-tripping any database.

Call it

curl -sS -X POST https://zeqapi.com/api/zeq/compliance/verify \
  -H "Content-Type: application/json" \
  -d '{
    "envelope": {
      "schema": "zeq.compliance.v1",
      "envelope_id": "d13205ff35265fe03639a3dc994e98d4",
      "generated_at_iso": "2026-04-28T19:36:11.718Z",
      "actor": { ... },
      "action": { ... },
      "temporal": { ... },
      "output": { ... },
      "regulatory": { ... },
      "chain": {
        "alg": "sha256",
        "bound_to_proof": "6a7a6b60e9279b15…",
        "envelope_hash": "<sha256(envelope_minus_chain)>"
      }
    }
  }'

Response

{
  "ok": true,
  "protocol": "ZeqCompliance",
  "schema": "zeq.compliance.v1",
  "valid": true,
  "envelope_id": "d13205ff35265fe03639a3dc994e98d4",
  "bound_to_proof": "6a7a6b60e9279b15…",
  "verified_at": "2026-04-28T19:37:39.234Z"
}

If valid is false, the digest the server recomputed from the stripped envelope did not match envelope.chain.envelope_hash under a timing-safe comparison. The response body then carries a diagnostic mismatch field listing which fields were missing or extra, so the caller can debug without re-shipping the original proof.

What it does, exactly

  1. Strip the chain field from the submitted envelope.
  2. Recompute sha256(canonical_json(envelope_minus_chain)) using the same canonical-JSON serialiser used at emission time (sorted keys, no whitespace, UTF-8 NFC).
  3. Timing-safe-compare against envelope.chain.envelope_hash.
  4. Return the bound proof + verification timestamp.

No database query, no key lookup, no rate-limiting against an account: the endpoint is purely functional. It is safe to expose to the public internet under FedRAMP / SOC 2 / ISO 27001 third-party verifier requirements.
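
The four steps above as an offline check, added here as an example and not taken from the Zeq code base. canonical_json is an assumed reading of "sorted keys, no whitespace, UTF-8 NFC" and may not byte-match the project's serialiser; EXPECTED, verify_envelope and sample_envelope are hypothetical names, and the mismatch diagnostic assumes the sample envelope's top-level fields are the full v1 set.

```python
import hashlib
import hmac
import json
import unicodedata

# Top-level fields in the page's sample envelope (assumed to be the full v1 set).
EXPECTED = {"schema", "envelope_id", "generated_at_iso", "actor", "action",
            "temporal", "output", "regulatory", "chain"}

def _nfc(value):
    """Recursively NFC-normalise every string, including object keys."""
    if isinstance(value, str):
        return unicodedata.normalize("NFC", value)
    if isinstance(value, list):
        return [_nfc(v) for v in value]
    if isinstance(value, dict):
        return {_nfc(k): _nfc(v) for k, v in value.items()}
    return value

def canonical_json(obj) -> bytes:
    # Assumed reading of "sorted keys, no whitespace, UTF-8 NFC".
    text = json.dumps(_nfc(obj), sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False, allow_nan=False)
    return text.encode("utf-8")

def envelope_digest(envelope: dict) -> str:
    body = {k: v for k, v in envelope.items() if k != "chain"}  # step 1
    return hashlib.sha256(canonical_json(body)).hexdigest()     # step 2

def verify_envelope(envelope: dict) -> dict:
    chain = envelope.get("chain") if isinstance(envelope.get("chain"), dict) else {}
    claimed = str(chain.get("envelope_hash", ""))
    # Step 3: constant-time comparison; unequal lengths simply compare False.
    valid = chain.get("alg") == "sha256" and hmac.compare_digest(
        envelope_digest(envelope).encode(), claimed.encode())
    result = {"valid": valid, "envelope_id": envelope.get("envelope_id"),
              "bound_to_proof": chain.get("bound_to_proof")}  # step 4
    if not valid:  # diagnostic modelled on the page's "mismatch" field
        result["mismatch"] = {"missing": sorted(EXPECTED - set(envelope)),
                              "extra": sorted(set(envelope) - EXPECTED)}
    return result

def sample_envelope() -> dict:
    # Constructed sample; values are placeholders, not real Zeq output.
    env = dict.fromkeys(EXPECTED - {"chain"}, "constructed-placeholder")
    env["schema"] = "zeq.compliance.v1"
    env["chain"] = {"alg": "sha256", "bound_to_proof": "constructed-proof",
                    "envelope_hash": envelope_digest(env)}
    return env
```

A match shows that the envelope body and chain.envelope_hash agree; because the digest is an unkeyed SHA-256, it does not by itself authenticate who produced the envelope.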

Compose

  • Use this endpoint from a regulator's air-gapped network — the envelope alone is sufficient input.
  • Drive from any SDK — the TS/Python/MCP clients wrap this route verbatim. See Verifying offline for the full recipe.
  • Combine with POST /zeq/verify when you also need to confirm the original computation matches the cited proof — that endpoint takes the proof, this one takes the envelope.

Reference

  • Source: shared/api-core/src/routes/zeq.ts (/api/zeq/compliance/verify)
  • Builder: shared/api-core/src/lib/compliance.ts (buildComplianceEnvelope)
  • Catalog: shared/api-core/src/lib/protocols.ts (zeq-compliance-verify)
  • Spec: ZeqCompliance v1 — 13 standards
  • Papers: Zeq Paper · Zeq Framework