Build with cryptographic proof.
Turn any event — a payment, an AI decision, a credential, a shipment — into a deterministic, Ed25519-signed Proof Artifact that anyone can verify with only the public key. General-purpose proof infrastructure: APIs, SDKs and docs, all in one place.
Traditional systems generate records. PFP generates independently verifiable proof.
A record asks you to trust the system that stored it. A Proof Artifact can be verified by anyone, anywhere, using only a public key — even years later, fully offline. General-purpose proof infrastructure for any event that must be trusted without trusting its source.
Any business or system event
Canonicalize · hash · Ed25519 sign
Portable, tamper-evident evidence
Verify with only the public key
No need to trust the issuer
From zero to verified proof in five steps
The full lifecycle, in your browser
Generate a real sandbox key, sign a live Proof Artifact, then independently verify it — Generate → Verify — without writing a line of code.
Generate a sandbox key
A real, scoped, short-lived credential bound to the isolated sandbox tenant. It instantly pre-fills every snippet below. For testing only.
Generate your first proof
Execute a real, live proof-generation request with your sandbox key. PFP canonicalizes, hashes and Ed25519-signs the event, returning a verifiable Proof Artifact.
Generate a sandbox key first (Step 1).
Verify a proof
Independently verify any Proof Artifact by its ID — no auth, no contacting the issuer. Verification re-derives the canonical hash and checks the Ed25519 signature.
Your first API call, copy-paste ready
Five steps from zero to a verified Proof Artifact. Generate a sandbox key above to auto-fill these snippets.
- 1
Obtain a sandbox key
1 minClick “Generate Sandbox Key” above, or pull one from the API. The key is a real, scoped, short-lived sandbox credential.
bash# Generate a sandbox key (no auth, rate-limited) curl -X POST https://demo.pfprotocol.com/api/demo/sandbox-key # Export it for the next steps export PFP_API_KEY="pfp_sandbox_xxxxxxxxxxxxxxxx" - 2
Generate your first Proof Artifact
1 minSubmit any event. PFP canonicalizes it, hashes it, and returns an Ed25519-signed Proof Artifact.
bashcurl -X POST https://demo.pfprotocol.com/api/fea/generate \ -H "Content-Type: application/json" \ -H "X-API-Key: $PFP_API_KEY" \ -d '{ "idempotency_key": "demo-001", "transaction_id": "EVT-1001", "timestamp": "2026-06-15T10:00:00Z", "amount": 245000, "currency": "USD", "payer_id": "sha256:7b9c", "payee_id": "sha256:a14d" }' # → { "fea_id": "…", "signature": "…", "signature_version": "v2" } - 3
Verify a Proof Artifact
1 minAnyone can verify a proof with only the public key — no auth, no contacting the issuer. Verification is deterministic and offline-capable.
bashcurl https://demo.pfprotocol.com/api/public/verify/<PROOF_ID> # → { "signature_valid": true, "signature_version": "v2", ... } - 4
Integrate using an SDK
1 minUse a first-party SDK to generate and independently verify proofs in your language. All four SDKs produce byte-identical canonicalization.
javascript// JavaScript (Node 18+) import { PfpClient, verify } from "@pfp/sdk"; const pfp = new PfpClient({ baseUrl: "https://demo.pfprotocol.com", apiKey: "$PFP_API_KEY" }); const proof = await pfp.generate({ transactionId: "EVT-1001", amount: 245000, currency: "USD" }); // Independent, offline verification with the public key: const ok = verify(proof, proof.publicKey); // → true - 5
Review verification results
1 minInspect signature validity, key status, canonical payload hash and the full evidence chain in the public verifier UI or via the API response.
bash# Open the branded public verifier https://demo.pfprotocol.com/verify # Or read structured results directly from the verify response: # signature_valid · signature_version · fea_hash · created_at
SDKs & copy-paste examples
First-party SDKs with identical canonicalization — generate proofs and verify them independently in any language.
Quick example — Generate & verify a Proof Artifact
import requests
API = "https://demo.pfprotocol.com/api"
KEY = "YOUR_SANDBOX_KEY"
# Generate a Proof Artifact
proof = requests.post(f"{API}/fea/generate",
headers={"X-API-Key": KEY},
json={
"idempotency_key": "py-001",
"transaction_id": "EVT-1001",
"timestamp": "2026-06-15T10:00:00Z",
"amount": 245000, "currency": "USD",
"payer_id": "sha256:7b9c", "payee_id": "sha256:a14d",
}).json()
# Independently verify with only the public key
ok = requests.get(f"{API}/public/verify/{proof['fea_id']}").json()
print(ok["signature_valid"]) # TrueVerification examples
Proofs are verifiable by anyone with the public key — over the API or fully offline with an SDK.
Verify via API
# Verify any Proof Artifact by id — public, no auth required
curl https://demo.pfprotocol.com/api/public/verify/<PROOF_ID>
# Response
# {
# "signature_valid": true,
# "signature_version": "v2",
# "fea_payload": { "fea_hash": "…", ... },
# "created_at": "…"
# }Verify offline with an SDK
// Independent, offline verification (JavaScript SDK)
import { verify } from "@pfp/sdk";
// 'proof' is the artifact you received; verify with only its public key.
const result = verify(proof, proof.publicKey);
console.log(result.signatureValid); // true → proof is authentic & untampered
console.log(result.keyStatus); // "active"One proof layer, every industry
PFP is general-purpose proof infrastructure. CTOs, CISOs, compliance leaders and regulators can grasp the value in 60 seconds — developers can integrate it the same afternoon.
Cryptographic signing architecture
Proofs are signed with selectable suites — Ed25519 (default), ES256 (secp256r1) and ES256K (secp256k1). A federated key registry and Bring-Your-Own-Signing let partners use their own keys/signers, while independent verification stays signer-agnostic — all without API or proof-format changes.
- Deterministic canonicalization (PFP-JCS) + signing
- Crypto agility: Ed25519 (default), ES256, ES256K — selectable per request/tenant
- Independent, offline verification with the public key (any suite)
- Federated key registry: customer/partner keys (raw/JWK/PEM) with proof-of-possession
- Bring-Your-Own-Signing: local / remote / cloud-KMS signers per tenant
- Multi-tenant key isolation; persistent key registry & rotation
- Cloud KMS ready — AWS Secrets Manager / GCP Secret Manager / Azure Key Vault (config-only switch)
- Native HSM / cloud-KMS signing path (private key never leaves the boundary) — config-gated
- Live cloud-KMS native signing enablement (provider credentials)
- External time anchoring (RFC-3161 / transparency log)
Active signing: Ed25519 · provider "local" (seed-env). Config-only migration to: aws, azure, gcp, local. Readiness and planned items are not active capabilities unless stated as Current.
API documentation & resources
Everything you need to integrate — interactive explorers, machine-readable specs, and in-depth guides.
Swagger UI
Interactive, try-it-out API explorer for every endpoint.
ReDoc
Clean, three-panel reference rendering of the OpenAPI spec.
OpenAPI Specification
Machine-readable OpenAPI 3.1 JSON for codegen & tooling.
API Reference
All routes grouped by category, auth schemes & status codes.
Authentication Guide
API keys (data plane) vs JWT + RBAC (control plane).
Quick Start
Integrate end-to-end in under 30 minutes.
Integration Guide
Idempotency, webhooks, batch issuance & best practices.
Architecture Overview
System design, trust domains & data model.
Signing & KMS / HSM Guide
Signing architecture, Cloud KMS/HSM migration path & RFC-3161 readiness.
Developer Resources (JSON)
Live index of every doc, spec, SDK & collection.
Live & operational
Real-time health of the API, documentation, SDKs, verification engine and demo environment.