POST /zeq/compliance/verify
Verify a ZeqCompliance v1 envelope against the ZeqProof it claims to certify. No authentication, no DB lookup, no API key required — pure crypto.
Method: POST
Path: /zeq/compliance/verify
Group: Zeq Core
Auth: none (public)
Why this exists
Every POST /zeq/compute response carries a ZeqCompliance v1
envelope. The envelope's chain.envelope_hash is the SHA-256 of the
envelope minus its chain field, and is bound to the same zeq_proof
returned in the result.
POST /zeq/compliance/verify lets any third party — an FDA inspector,
a SOC 2 auditor, a counterparty — confirm that a compliance record
matches the computation it claims to certify, without holding your
API key and without round-tripping any database.
Call it
curl -sS -X POST https://zeqapi.com/api/zeq/compliance/verify \
  -H "Content-Type: application/json" \
  -d '{
    "envelope": {
      "schema": "zeq.compliance.v1",
      "envelope_id": "d13205ff35265fe03639a3dc994e98d4",
      "generated_at_iso": "2026-04-28T19:36:11.718Z",
      "actor": { ... },
      "action": { ... },
      "temporal": { ... },
      "output": { ... },
      "regulatory": { ... },
      "chain": {
        "alg": "sha256",
        "bound_to_proof": "6a7a6b60e9279b15…",
        "envelope_hash": "<sha256(envelope_minus_chain)>"
      }
    }
  }'
Response
{
  "ok": true,
  "protocol": "ZeqCompliance",
  "schema": "zeq.compliance.v1",
  "valid": true,
  "envelope_id": "d13205ff35265fe03639a3dc994e98d4",
  "bound_to_proof": "6a7a6b60e9279b15…",
  "verified_at": "2026-04-28T19:37:39.234Z"
}
If valid is false, the digest the server recomputed after stripping
chain did not match envelope.chain.envelope_hash under a timing-safe
comparison. The response body carries a diagnostic mismatch field
listing which fields were missing or extra, so the caller can debug
without re-shipping the original proof.
What it does, exactly
- Strip the chain field from the submitted envelope.
- Recompute sha256(canonical_json(envelope_minus_chain)) using the same canonical-JSON serialiser used at emission time (sorted keys, no whitespace, UTF-8 NFC).
- Timing-safe-compare against envelope.chain.envelope_hash.
- Return the bound proof + verification timestamp.
No database query, no key lookup, no rate-limiting against an account — the endpoint is purely functional. It is safe to expose to the public internet under FedRAMP / SOC 2 / ISO 27001 third-party verifier requirements.
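The four steps listed above, as an added offline check in Python (an example written for this page, not the project's own code or SDK). The function names, the EXPECTED_FIELDS set, the shape of the mismatch diagnostic and the sample values are assumptions; the serialiser follows the stated rules (sorted keys, no whitespace, UTF-8 NFC) but may differ from the service's in details such as number formatting.

```python
import hashlib
import hmac
import json
import unicodedata

# Top-level fields in the page's sample envelope, besides "chain" (assumed complete).
EXPECTED_FIELDS = {"schema", "envelope_id", "generated_at_iso", "actor",
                   "action", "temporal", "output", "regulatory"}


def canonical_json(obj) -> bytes:
    """Sorted keys, no whitespace, NFC-normalised UTF-8 (assumed serialiser)."""
    text = json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False)
    return unicodedata.normalize("NFC", text).encode("utf-8")


def envelope_digest(envelope: dict) -> str:
    """SHA-256 hex digest of the envelope with its chain field stripped."""
    body = {k: v for k, v in envelope.items() if k != "chain"}
    return hashlib.sha256(canonical_json(body)).hexdigest()


def verify_envelope(envelope: dict) -> dict:
    """Recompute the digest and compare it in constant time."""
    chain = envelope.get("chain")
    if not isinstance(chain, dict) or chain.get("alg") != "sha256":
        return {"valid": False, "reason": "missing chain or unsupported alg"}
    claimed = chain.get("envelope_hash")
    if not isinstance(claimed, str):
        return {"valid": False, "reason": "missing envelope_hash"}
    present = set(envelope) - {"chain"}
    valid = hmac.compare_digest(envelope_digest(envelope).encode(),
                                claimed.lower().encode())
    # Hypothetical diagnostic shape; the service's mismatch field may differ.
    return {"valid": valid, "bound_to_proof": chain.get("bound_to_proof"),
            "mismatch": {"missing": sorted(EXPECTED_FIELDS - present),
                         "extra": sorted(present - EXPECTED_FIELDS)}}


def sample_envelope() -> dict:
    """Constructed sample; every value is a placeholder, not a real record."""
    env = {"schema": "zeq.compliance.v1", "envelope_id": "constructed-id",
           "generated_at_iso": "2026-01-01T00:00:00.000Z",
           "actor": {"name": "Zoe\u0301"}, "action": {}, "temporal": {},
           "output": {"value": 1}, "regulatory": {}}
    env["chain"] = {"alg": "sha256", "bound_to_proof": "constructed-proof",
                    "envelope_hash": envelope_digest(env)}
    return env
```

A matching digest shows that the envelope body is unchanged relative to its own chain.envelope_hash. Because that hash is an unkeyed SHA-256, the check by itself does not establish who produced the envelope.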
Compose
- Use this endpoint from a regulator's air-gapped network — the envelope alone is sufficient input.
- Drive from any SDK — the TS/Python/MCP clients wrap this route verbatim. See Verifying offline for the full recipe.
- Combine with POST /zeq/verify when you also need to confirm the original computation matches the cited proof — that endpoint takes the proof, this one takes the envelope.
Reference
- Source: shared/api-core/src/routes/zeq.ts (/api/zeq/compliance/verify)
- Builder: shared/api-core/src/lib/compliance.ts (buildComplianceEnvelope)
- Catalog: shared/api-core/src/lib/protocols.ts (zeq-compliance-verify)
- Spec: ZeqCompliance v1 — 13 standards
- Papers: Zeq Paper · Zeq Framework