OM OrigiMark
Certify now
Developers

API Reference

RESTful JSON over HTTPS. All endpoints under https://origimark.org/api/v1.

Authentication

Two methods. Pick one per request.

Bearer (Supabase JWT)

For end-user calls from your app. The Supabase access token from your signed-in session.

Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

API key (server-to-server)

For backend integrations (planned: F2.8). Generated from your dashboard.

X-API-Key: om_live_...

Rate limits

  • · Anonymous: 10 / minute per IP
  • · Authenticated: 60 / minute per user
  • · API key (paid): 1000 / minute per key
  • · 429 response includes Retry-After header

POST /api/v1/certify

Issue a new certificate. The hash is computed client-side; the file never leaves the caller's environment.

curl -X POST https://origimark.org/api/v1/certify \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "hash": "<sha256 hex 64>",
    "title": "My Novel",
    "author_first_name": "Jane",
    "author_last_name": "Doe",
    "author_country": "si",
    "work_type": "text",
    "source_language": "en",
    "creation_date": "2026-04-15",
    "privacy_level": "public",
    "ownership_type": "sole"
  }'

Response includes cert_id, work_id, version, pdf_url, badge_url, qr_url, verify_url.

GET /api/v1/verify/[cert_id]

Public — fetch certificate metadata. Author identity is redacted when privacy_level != "public".

curl https://origimark.org/api/v1/verify/abc-123-def-456

POST /api/v1/verify-by-hash

Match a SHA-256 hash against the registry. Returns the matched cert_id if any.

curl -X POST https://origimark.org/api/v1/verify-by-hash \
  -H "Content-Type: application/json" \
  -d '{"hash":"<sha256 hex>"}'

GET /api/v1/registry

Browse the public registry. Supports filters.

  • · page (default 1)
  • · page_size (default 20, max 50)
  • · work_type (text, photograph, audio, video, code, blueprint, 3d, dataset, ai_prompt, composite, other)
  • · q — author name root
  • · date_from, date_to (YYYY-MM-DD)

GET /api/v1/chain/[work_id]

All versions of one work, ordered chronologically. Each node has its own cert_id.

GET /api/v1/me/certs

Your certificates. Requires authenticated bearer.

Webhooks

Subscribe to events on your account. POST to your URL, signed with HMAC-SHA256.

Events

  • · cert.created — new certificate (v1)
  • · version.added — new version on existing work
  • · cert.verified — someone verified your cert
  • · relay.message — anonymous message forwarded to you

Signature

OrigiMark-Timestamp: 1714568400
OrigiMark-Signature: v1=hex-hmac-sha256

# Verify (Python):
import hmac, hashlib
expected = hmac.new(secret.encode(), f"{ts}.".encode() + body, hashlib.sha256).hexdigest()

Subscribe

POST /api/v1/webhooks
{
  "url": "https://your-app.com/origimark/hook",
  "events": ["cert.created", "version.added"]
}
# Returns secret (whk_...) — store it

Cryptographic proof bundle

Court-grade self-contained ZIP. Verify offline with DigiCert root + Bitcoin client.

curl -O https://origimark.org/cert/<cert_id>/proof-bundle.zip

OpenAPI / machine-readable

Full OpenAPI 3 schema is published at /api/v1/openapi.json (proxied through nginx in F2.8) and via the /.well-known/origimark.json open spec.