Skip to main content

GET /api/identity

Auth none · Rate limit standard tier · Cache public, max-age=60 · Source shared/api-core/src/routes/identity.ts

Returns the node's public verification identity. Anyone — a peer node, a CI job, a skeptic with curl — uses this to check the Ed25519 signature on any envelope or attestation this node has ever signed.

Why it matters

A signed compute envelope is only as trustworthy as the key that signed it. This endpoint publishes that key (raw 32-byte hex), the supersession history (each rotation record is signed by the key it supersedes, so the lineage is itself verifiable), and the registry_version — the content hash of the node's solver registry, i.e. its physics fingerprint.

Response

{
  "protocol": "ZeqIdentity",
  "alg": "ed25519",
  "public_key": "a1b2…64 hex chars…",
  "key_supersessions": [],
  "registry_version": "sha256:…",
  "zeqond": 2289340151,
  "verify": {
    "recipe": "signature = ed25519(sign_payload) where sign_payload is the canonical JSON (recursively key-sorted, no whitespace) of envelope.signed.claim. Verify with this public_key — no secrets required. Then re-derive the physics independently: COMPUTE-DETERMINISM.md §3, or run /verify-zeq-result.mjs.",
    "script": "/verify-zeq-result.mjs"
  }
}

Runnable example

curl -s https://zeqstate.com/api/identity | python3 -m json.tool

Then verify a real envelope offline with the script the response points at:

curl -fsSO https://zeqstate.com/verify-zeq-result.mjs
node verify-zeq-result.mjs envelope.json

Honest limits

  • Key↔origin binding is your job. The attestation and envelope formats are self-contained, but only you can confirm "this key belongs to zeqstate.com" — by fetching https://zeqstate.com/api/identity over TLS yourself. Don't trust a key a third party hands you.
  • The signature proves who signed and that nothing changed since signing — it does not prove the physics is right. For that, re-run the math: /api/attest or the offline script.

See also