# xproof

> Every file an agent produces without proof is a file anyone can claim. xproof fixes that.

The canonical proof layer for AI agents. Immutable blockchain certification on MultiversX.

## About
xproof is the canonical proof-of-existence service for AI agents. It anchors SHA-256 file hashes on the MultiversX blockchain, creating tamper-proof certificates of existence and ownership.

## Pricing
Starting at $0.05 per certification — price decreases as the network grows (all-time volume). Tiers (all-time): 0-100K=$0.05, 100K-1M=$0.025, 1M+=$0.01. Current pricing and tier info: https://xproof.app/api/pricing

## Why certify?
Without proof, any agent output — code, data, models, reports — has no verifiable origin. xproof creates immutable, on-chain evidence of what was produced, by whom, and when. Certified agents can prove originality and integrity. Non-certified agents cannot.

## API Documentation
- [OpenAPI Specification](https://xproof.app/api/acp/openapi.json)
- [API Guide](https://xproof.app/learn/api.md)
- [Proof of Existence](https://xproof.app/learn/proof-of-existence.md)
- [Verification Guide](https://xproof.app/learn/verification.md)

## Machine Interfaces
- [Service Discovery](https://xproof.app/api/acp/products)
- [Health Check](https://xproof.app/api/acp/health)
- [MCP Server (JSON-RPC)](https://xproof.app/mcp)
- [MCP Manifest](https://xproof.app/.well-known/mcp.json)
- [OpenAI Plugin](https://xproof.app/.well-known/ai-plugin.json)
- [Full Specification](https://xproof.app/.well-known/xproof.md)

## Quick Start (for AI agents)

### REST API
Certify a file in one API call:
```bash
curl -X POST https://xproof.app/api/proof \
  -H "Authorization: Bearer pm_YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"file_hash": "a1b2c3d4...64-char-sha256-hex", "filename": "document.pdf", "webhook_url": "https://your-agent.example.com/webhooks/xproof"}'
```

Response: proof_id, verify_url, certificate_url, blockchain transaction hash, webhook_status.

### POST /api/proof — Simplified Certification

Single-call endpoint for AI agents. No checkout flow needed.

**Request:**
```json
{
  "file_hash": "64-char SHA-256 hex string",
  "filename": "document.pdf",
  "author_name": "AI Agent (optional)",
  "webhook_url": "https://your-agent.example.com/webhooks/xproof (optional)"
}
```

**Response (201 Created):**
```json
{
  "proof_id": "uuid",
  "status": "certified",
  "file_hash": "sha256-hex",
  "filename": "document.pdf",
  "verify_url": "https://xproof.app/proof/{id}",
  "certificate_url": "https://xproof.app/api/certificates/{id}.pdf",
  "proof_json_url": "https://xproof.app/proof/{id}.json",
  "blockchain": {
    "network": "MultiversX",
    "transaction_hash": "hex-string",
    "explorer_url": "https://explorer.multiversx.com/transactions/..."
  },
  "timestamp": "ISO 8601",
  "webhook_status": "pending | delivered | failed | not_requested | not_applicable",
  "message": "File certified on MultiversX blockchain."
}
```

### Webhook Notifications

Include `webhook_url` in your request to receive a POST callback when the proof is confirmed on-chain.

**Webhook payload:**
```json
{
  "event": "proof.certified",
  "proof_id": "uuid",
  "status": "certified",
  "file_hash": "sha256-hex",
  "filename": "document.pdf",
  "verify_url": "https://xproof.app/proof/{id}",
  "certificate_url": "https://xproof.app/api/certificates/{id}.pdf",
  "proof_json_url": "https://xproof.app/proof/{id}.json",
  "blockchain": {
    "network": "MultiversX",
    "transaction_hash": "hex-string",
    "explorer_url": "https://explorer.multiversx.com/transactions/..."
  },
  "timestamp": "ISO 8601"
}
```

**Security:** Each webhook is signed with HMAC-SHA256. Verify using:
- Header: `X-xProof-Signature` (hex-encoded HMAC of the JSON body)
- Header: `X-xProof-Event` (always `proof.certified`)
- Header: `X-xProof-Delivery` (certification ID)

**Retry policy:** Up to 3 attempts with exponential backoff (immediate, 10s, 20s). Status updates: pending → delivered or failed.

## Authentication
- API keys are prefixed with `pm_` (e.g. `pm_abc123...`)
- Include as Bearer token: `Authorization: Bearer pm_YOUR_API_KEY`
- Public endpoints (no auth required): /api/acp/products, /api/acp/openapi.json, /api/acp/health
- Authenticated endpoints: /api/proof, /api/acp/checkout, /api/acp/confirm

## Proof Object Schema (v2.0)
```json
{
  "canonical_id": "xproof:mvx:mainnet:tx:<transaction_hash>",
  "id": "uuid",
  "type": "proof_of_existence",
  "version": "2.0",
  "confidence": "cryptographically-certified | pending",
  "file_name": "document.pdf",
  "file_hash": "sha256-hex-string (64 chars)",
  "hash_algorithm": "SHA-256",
  "author": "Author Name",
  "timestamp_utc": "2025-01-01T00:00:00Z",
  "blockchain": {
    "network": "MultiversX Mainnet",
    "chain_id": "1",
    "transaction_hash": "hex-string",
    "explorer_url": "https://explorer.multiversx.com/transactions/..."
  },
  "verification": {
    "method": "SHA-256 hash comparison",
    "proof_url": "https://xproof.app/proof/{id}",
    "instructions": ["Compute SHA-256 hash", "Compare with file_hash", "Verify on explorer"]
  },
  "metadata": {
    "file_type": "application/pdf",
    "file_size_bytes": 12345,
    "is_public": true
  }
}
```

### Canonical Identifier Format
Format: `xproof:mvx:{network}:tx:{transaction_hash}`
- `xproof` - Protocol prefix
- `mvx` - MultiversX blockchain
- `{network}` - mainnet, devnet, or testnet
- `tx:{hash}` - On-chain transaction hash

Note: `canonical_id` is null when confidence is pending (not yet anchored). It becomes permanent once confirmed.

### Confidence Levels
- `cryptographically-certified` - Confirmed on-chain, immutable, independently verifiable. canonical_id is set.
- `pending` - Not yet anchored on blockchain. canonical_id is null.

## Proof Access Formats
- JSON: `https://xproof.app/proof/{id}.json`
- Markdown: `https://xproof.app/proof/{id}.md`

## ACP Endpoints

### GET /api/acp/products
Discover available certification products. No authentication required.
```bash
curl https://xproof.app/api/acp/products
```

### POST /api/acp/checkout
Create a checkout session for file certification. Requires API key.
```bash
curl -X POST https://xproof.app/api/acp/checkout \
  -H "Authorization: Bearer pm_YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "product_id": "xproof-certification",
    "inputs": {
      "file_hash": "a1b2c3d4e5f6...",
      "filename": "document.pdf",
      "author_name": "AI Agent"
    }
  }'
```

### POST /api/acp/confirm
Confirm a transaction after signing on MultiversX. Requires API key.
```bash
curl -X POST https://xproof.app/api/acp/confirm \
  -H "Authorization: Bearer pm_YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "checkout_id": "uuid",
    "tx_hash": "multiversx-transaction-hash"
  }'
```

### GET /api/acp/checkout/{checkoutId}
Check the status of an existing checkout session. Requires API key.
```bash
curl https://xproof.app/api/acp/checkout/{checkoutId} \
  -H "Authorization: Bearer pm_YOUR_API_KEY"
```

## Verification Flow
1. Compute the SHA-256 hash of the original file locally
2. Compare the computed hash with the `file_hash` stored in the proof
3. Verify the blockchain transaction on MultiversX explorer using the `transaction_hash`
4. Confirm the transaction data field contains the file hash
5. The timestamp proves the file existed at that point in time

## MCP Server (Model Context Protocol)

xproof exposes a native MCP server at `POST https://xproof.app/mcp` using JSON-RPC 2.0 over Streamable HTTP.

**Protocol**: JSON-RPC 2.0 over Streamable HTTP (spec version 2025-03-26)
**Authentication**: Bearer token (`pm_` prefixed API keys) via Authorization header
**Session**: Stateless (no session management required)

### Available Tools
- `certify_file` - Create a blockchain certification for a file
- `verify_proof` - Verify an existing certification
- `get_proof` - Retrieve a proof in JSON or Markdown format
- `discover_services` - Discover available services and pricing

### Available Resources
- `xproof://specification` - Full xproof specification
- `xproof://openapi` - OpenAPI 3.0 specification

### Connect to MCP Server

**Initialize:**
```bash
curl -X POST https://xproof.app/mcp \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-03-26","capabilities":{},"clientInfo":{"name":"my-agent","version":"1.0.0"}}}'
```

**Call a tool:**
```bash
curl -X POST https://xproof.app/mcp \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer pm_YOUR_API_KEY" \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"discover_services","arguments":{}}}'
```

**Certify a file via MCP:**
```bash
curl -X POST https://xproof.app/mcp \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer pm_YOUR_API_KEY" \
  -d '{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"certify_file","arguments":{"file_hash":"a1b2c3d4...64-char-sha256-hex","filename":"document.pdf"}}}'
```

### MCP Client Configuration (Claude Desktop, Cursor, etc.)
```json
{
  "mcpServers": {
    "xproof": {
      "url": "https://xproof.app/mcp",
      "headers": {
        "Authorization": "Bearer pm_YOUR_API_KEY"
      }
    }
  }
}
```

## x402 Payment Protocol (HTTP 402)

xproof supports the x402 payment protocol as an alternative to API key authentication. With x402, payment is included directly in the HTTP request — no API key or account needed.

### Supported Endpoints
- `POST https://xproof.app/api/proof` — single file certification
- `POST https://xproof.app/api/batch` — batch certification (up to 50 files)

### Pricing
- Starting at $0.05 per certification in USDC — price decreases as the network grows (all-time volume)
- Tiers (all-time): 0-100K=$0.05, 100K-1M=$0.025, 1M+=$0.01
- Current pricing: https://xproof.app/api/pricing
- Network: Base (eip155:8453) for mainnet, Base Sepolia (eip155:84532) for testnet

### How it works
1. Send a certification request without any auth header
2. Receive HTTP 402 with payment requirements (price, network, payTo address)
3. Sign the payment with your wallet (USDC on Base)
4. Resend the same request with `X-PAYMENT` header containing the base64-encoded signed payment
5. Receive 200 with the certification result

### Example
```bash
# Step 1: Send request without auth → get 402 with payment requirements
curl -X POST https://xproof.app/api/proof \
  -H "Content-Type: application/json" \
  -d '{"file_hash": "a1b2c3d4...sha256", "filename": "document.pdf"}'

# Step 2: Sign the payment (done client-side with your wallet)

# Step 3: Resend with X-PAYMENT header → get 200 with result
curl -X POST https://xproof.app/api/proof \
  -H "Content-Type: application/json" \
  -H "X-PAYMENT: <base64-signed-payment>" \
  -d '{"file_hash": "a1b2c3d4...sha256", "filename": "document.pdf"}'
```

### 402 Response Format
```json
{
  "x402Version": 1,
  "accepts": [{
    "scheme": "exact",
    "price": "$0.05",
    "network": "eip155:8453",
    "payTo": "0x...",
    "maxTimeoutSeconds": 60,
    "description": "xproof single file certification"
  }],
  "resource": "https://xproof.app/api/proof",
  "description": "xproof single file certification",
  "mimeType": "application/json"
}
```

### Notes
- x402 is an alternative to API key auth — both methods work for /api/proof and /api/batch
- When x402 is configured, requests without any auth return 402 (with payment requirements) instead of 401
- No account registration or API key needed — just sign and pay

## Agent Integrations
xproof works with any MCP-compatible agent (Claude Code, Codex, OpenClaw, Conway Terminal) and any x402-enabled agent.
- OpenClaw Skill: https://github.com/jasonxkensei/xproof-openclaw-skill
- GitHub Action: https://github.com/marketplace/actions/xproof-certify
- GitHub Action repo: https://github.com/jasonxkensei/xProof-Action
- Main repo: https://github.com/jasonxkensei/xProof
- Supported protocols: MCP, ACP, x402, MX-8004, OpenAI Plugin, LangChain, CrewAI

## MX-8004 Integration (Trustless Agents Standard)

xproof is natively integrated with MX-8004, the MultiversX Trustless Agents Standard, with full ERC-8004 compliance.
Each certification follows the complete validation loop, reaching "Verified" status on-chain.

### What MX-8004 provides
- **Identity Registry**: Soulbound NFT agent identities — permanent, non-transferable
- **Validation Registry**: Full ERC-8004 job validation with oracle verification
- **Reputation Registry**: On-chain reputation scoring + ERC-8004 raw feedback signals

### xproof's role as validation oracle
xproof is the **validation oracle** for software artifact certification. When an agent certifies a file:
1. The file hash is recorded on MultiversX (standard xproof flow)
2. `init_job` — job is registered in the MX-8004 Validation Registry
3. `submit_proof` — file hash + blockchain tx attached as proof (status: Pending)
4. `validation_request` — xproof nominates itself as validator (status: ValidationRequested)
5. `validation_response` — xproof submits score 100 (status: Verified)
6. `append_response` — certificate URL appended to the job record

### ERC-8004 Feedback System
The Reputation Registry supports two feedback modes:
- **giveFeedbackSimple(job_id, agent_nonce, rating)** — On-chain cumulative moving average scoring
- **giveFeedback(agent_nonce, value, decimals, tag1, tag2, endpoint, uri, hash)** — Raw signal feedback (no on-chain scoring, off-chain aggregation expected)
- **revokeFeedback(agent_nonce, feedback_index)** — Revoke previously submitted feedback
- **readFeedback(agent_nonce, client, index)** — Read feedback data (view)

### Endpoints
- `GET https://xproof.app/api/mx8004/status` — MX-8004 integration status, capabilities, and contract addresses
- `GET https://xproof.app/api/agent/{nonce}/reputation` — Query agent reputation score and job history
- `GET https://xproof.app/api/mx8004/job/{jobId}` — Query job data from the Validation Registry
- `GET https://xproof.app/api/mx8004/validation/{requestHash}` — Query validation status
- `GET https://xproof.app/api/mx8004/feedback/{agentNonce}/{clientAddress}/{index}` — Read ERC-8004 feedback

### Specification
- GitHub: https://github.com/sasurobert/mx-8004
- Spec: https://github.com/sasurobert/mx-8004/blob/master/docs/specification.md
- Explorer: https://agents.multiversx.com

## Genesis Proof
The first certification ever created on xproof:
- File: XPROOF - Genesis.pdf
- Hash: 173200d6fa0d1577b456bb85dc505193e31dd8be5fc69bd4e461612a588427de
- Transaction: f376c0809d5c8fd91f854d39cf6f9f83ac3d80231477538a1b423db0537aad7e
- Explorer: https://explorer.multiversx.com/transactions/f376c0809d5c8fd91f854d39cf6f9f83ac3d80231477538a1b423db0537aad7e
- View: https://xproof.app/proof/genesis

## Why It Matters

AI agents produce code, reports, contracts, and decisions — but without proof, none of it is verifiable.

- **Prove delivery**: An agent generates a report for a client. xProof certifies it before delivery. If disputed, the blockchain timestamp is the proof.
- **Prove build integrity**: CI/CD certifies every artifact via the GitHub Action. Months later, a security audit checks one hash — case closed.
- **Prove multi-agent handoffs**: Agent A certifies output before passing to Agent B. The chain of custody becomes verifiable end-to-end.
- **Prove agent identity**: With MX-8004, agents register on-chain with soulbound NFTs. Certifications go through full validation — identity, job, reputation. Trust is proven, not assumed.

## Live Proof

xProof has certified its own README on MultiversX mainnet.
Transaction: https://explorer.multiversx.com/transactions/41f1ebd363d28de787a2328a2bc99f0b3bad2d73f91baff649ee8a6516e7cc95
SHA-256: 285da2ed7cced35b4d039a80956a4df8907bd33f83aaac8551b6f66c31251bd1
Date: 2026-02-23T09:49:00Z