How does Arkova verify documents without seeing them?

Arkova uses cryptographic fingerprinting (SHA-256) that runs entirely in your browser. We only store the fingerprint, a one-way mathematical proof, never the document itself. This fingerprint is then anchored to a permanent public record.

Can anyone verify a credential?

Yes. Verification is completely open. Anyone with a verification link or QR code can confirm a document's authenticity and timestamp independently. No account or software required.

What types of documents can I anchor?

Any digital file: PDFs, images, spreadsheets, presentations, contracts, certificates, transcripts. If it has a file, it can be fingerprinted and anchored.

How is this different from DocuSign or other e-signature tools?

E-signature tools prove who signed a document. Arkova proves that a specific document existed at a specific time and has not been altered since. These are complementary. You can anchor a signed document to prove it hasn't changed after signing.

Can I integrate Arkova into my existing systems?

Absolutely. Our Verification API lets you verify credentials programmatically with a single API call. Batch endpoints support up to 100 verifications per request. Webhook notifications provide real-time events.

Your documents never leave your device. That's our foundational privacy guarantee, not just a feature. Fingerprints are anchored to a public, independently verifiable network. Even if our servers were compromised, your documents remain private because we never had them.

How does Arkova work with our existing ATS or background check workflow?

Arkova's Verification API integrates with any system that can make an HTTP call. Your ATS, HRIS, or background screening platform calls our endpoint and receives a structured, verified response. We also support webhooks for real-time status updates and batch endpoints for bulk verification.

API Reference

Last updated: 2026-03-27

Overview

Base URL: https://app.arkova.ai/api/v1

Tip

Interactive Swagger UI available at /api/docs. OpenAPI 3.0 spec downloadable at /api/docs/spec.json.

All responses are JSON. All timestamps are ISO 8601 UTC.
The verification response schema is frozen — no breaking changes without a v2 prefix and 12-month deprecation.

Authentication

Two authentication methods are supported: Bearer token and X-API-Key header.

bash

# Bearer token
curl https://app.arkova.ai/api/v1/verify/ARK-2026-001 \
  -H "Authorization: Bearer YOUR_API_KEY"

# X-API-Key header
curl https://app.arkova.ai/api/v1/verify/ARK-2026-001 \
  -H "X-API-Key: YOUR_API_KEY"

API keys are created in the dashboard under Settings → API Keys.
Keys use HMAC-SHA256 — the raw key is shown once at creation and never stored.
Scoped permissions: verify, verify:batch, keys:manage, usage:read.

Important

Never expose API keys in client-side code. Keys should only be used server-side.

Verification

GET /verify/{publicId}

Verify a single credential. Authentication is optional — an API key unlocks higher rate limits.

Response schema:

json

{
  "verified": true,
  "status": "ACTIVE",
  "issuer_name": "University of Michigan",
  "recipient_identifier": "sha256:ab3f...",
  "credential_type": "DIPLOMA",
  "issued_date": "2026-01-15T00:00:00Z",
  "expiry_date": null,
  "anchor_timestamp": "2026-03-10T08:00:00Z",
  "bitcoin_block": 204567,
  "network_receipt_id": "b8e381df09ca404e...",
  "merkle_proof_hash": null,
  "record_uri": "https://app.arkova.io/verify/ARK-2026-001",
  "jurisdiction": "US-MI"
}

Note

jurisdiction is omitted when null — it is never returned as null.

Status values: ACTIVE, REVOKED, SUPERSEDED, EXPIRED, PENDING

GET /verify/{publicId}/proof

Download the cryptographic proof package for a credential.

GET /verify/search

Semantic search across credentials — designed for AI agents, ATS platforms, and background check integrations.

GET /verify/entity

Cross-reference an entity against public records (EDGAR, Federal Register, DAPIP, OpenAlex).

Batch Verification

POST /verify/batch

Verify up to 100 credentials in a single request. Authentication is required (API key).

Request body:

json

{
  "public_ids": ["ARK-2026-001", "ARK-2026-002"]
}

Synchronous for ≤20 items. For >20 items the request is processed asynchronously and returns a job_id.

GET /jobs/{jobId}

Poll the status of an async batch verification job.

Anchoring

POST /anchor

Submit a credential fingerprint for network anchoring. Authentication is required (API key or x402). The endpoint is idempotent — it returns 200 if the fingerprint already exists.

Request body:

json

{
  "fingerprint": "a1b2c3d4e5f6...64-char-hex",
  "label": "Bachelor of Science in Computer Science",
  "credential_type": "DIPLOMA",
  "metadata": {
    "issuer": "University of Michigan",
    "issued_date": "2026-01-15"
  }
}

Attestations

Method	Endpoint	Auth	Description
`POST`	`/attestations`	Required	Create an attestation claim
`GET`	`/attestations`	Public	List with cursor-based pagination
`GET`	`/attestations/{publicId}`	Public	Retrieve a single attestation
`PATCH`	`/attestations/{publicId}/revoke`	Required (owner)	Revoke with optional reason

Types: identity, employment, education, certification, compliance.
Lifecycle: Created (active) → Expired (auto) or Revoked (manual).

AI Intelligence

Method	Endpoint	Description
`POST`	`/ai/extract`	Extract metadata from PII-stripped text (1 AI credit)
`POST`	`/ai/extract/batch`	Batch extraction
`POST`	`/ai/embed`	Generate 768-dim embedding (1 AI credit)
`GET`	`/ai/search`	Semantic search (1 AI credit)
`POST`	`/ai/integrity/compute`	Fraud / integrity score 0-100 (5 AI credits)
`POST`	`/ai/fraud/visual`	Visual fraud detection
`GET`	`/ai/review`	Admin review queue
`POST`	`/ai/feedback`	Submit extraction corrections
`POST`	`/knowledge/query`	Knowledge base query against 29K+ records

Note

All AI endpoints require JWT authentication. AI features are gated by server-side feature flags.

Key Management

All key-management endpoints require Supabase JWT authentication.

Method	Endpoint	Description
`POST`	`/keys`	Create a new API key (raw key returned once)
`GET`	`/keys`	List API keys (masked)
`PATCH`	`/keys/{keyId}`	Update key name or scopes
`DELETE`	`/keys/{keyId}`	Revoke an API key

Usage & Billing

GET /usage

Returns current-month API usage across all organization keys.

Rate Limits

Tier	Limit
Anonymous	100 req / min
API Key	1,000 req / min
Batch	10 req / min
Enterprise	Custom

Every response includes rate-limit headers: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset.
HTTP 429 is returned with a Retry-After header when the limit is exceeded.

Errors

All errors follow a consistent envelope:

json

{
  "error": "not_found",
  "message": "Credential with public ID ARK-2026-999 not found"
}

Status	Code	Meaning
400	`bad_request`	Invalid or missing parameters
401	`unauthorized`	Missing or invalid authentication
402	`payment_required`	Insufficient credits or no active plan
403	`forbidden`	Valid auth but insufficient permissions
404	`not_found`	Resource does not exist
409	`conflict`	Duplicate or state conflict
429	`rate_limited`	Too many requests — check Retry-After header
503	`service_unavailable`	Temporary outage — retry with back-off