Developer docs

Four verification endpoints over the same engine the site uses. Responses carry the findings JSON and a plain-language report. Results are evidence and classifications, never determinations of fraud, authenticity, or legal validity.

Files are analyzed in memory and never stored. Only derived findings JSON is kept, for 7 days, under the report token.

Authentication

Get a key at /api-access (self-serve, shown once). Send it as a Bearer token or an X-Api-Key header. Each key includes 100 free calls per month; calls beyond that bill at $0.05 per verification through Stripe. Cancel in the Stripe customer portal; canceling deactivates the key.

OpenAPI

The schema is served at https://api.docverdict.com/api/v1/openapi.json.

Endpoints

POST /api/v1/verify/pdf

Signature status, post-signing changes, metadata observations.

curl -X POST https://api.docverdict.com/api/v1/verify/pdf \
  -H "Authorization: Bearer dvk_..." \
  -F "file=@contract.pdf"

POST /api/v1/verify/photo

Camera metadata, edit traces, timestamp consistency (JPG, PNG, HEIC).

curl -X POST https://api.docverdict.com/api/v1/verify/photo \
  -H "Authorization: Bearer dvk_..." \
  -F "file=@receipt-photo.jpg"

POST /api/v1/verify/email

Sender alignment, authentication results, delivery route (.eml).

curl -X POST https://api.docverdict.com/api/v1/verify/email \
  -H "Authorization: Bearer dvk_..." \
  -F "file=@message.eml"

POST /api/v1/verify/compare

Whether one PDF derives from the other, and what changed.

curl -X POST https://api.docverdict.com/api/v1/verify/compare \
  -H "Authorization: Bearer dvk_..." \
  -F "file_a=@contract-v1.pdf" -F "file_b=@contract-v2.pdf"

Response shape

{
  "token": "…",          // report reference, valid 7 days
  "findings": { … },     // raw engine findings (hashes, records, classifications)
  "report": { … }        // the same two-section report the site renders
}

MCP server

The same four checks are exposed as MCP tools — verify_pdf, verify_photo, verify_email, and compare_pdfs — over the streamable HTTP transport. File arguments are base64-encoded; results carry the findings JSON and the report as structured content. Tool results are evidence and classifications, never fraud determinations, and the tool descriptions say so.

Endpoint:  https://api.docverdict.com/api/mcp
Auth:      Authorization: Bearer dvk_...   (same keys as the REST API)
Trial:     no key needed for 3 calls per day per address

Example client config (Claude Code, Cursor, or any MCP-capable agent):

{
  "mcpServers": {
    "docverdict": {
      "type": "http",
      "url": "https://api.docverdict.com/api/mcp",
      "headers": { "Authorization": "Bearer dvk_..." }
    }
  }
}

Verification records

Every paid report carries a signed verification record: canonical JSON with the findings hash, file fingerprints, tool and engine version, report language version, timestamp, and report token, signed with DocVerdict's Ed25519 product key. Download it from the report page or GET /report/{token}/artifact; check one at /v/{artifact_id}. The public key is published at /.well-known/docverdict-signing-key. The record attests that DocVerdict produced these findings for a file with this fingerprint at this time — nothing more.

Limits

25 MB per file, 500 pages per PDF, 60-second analysis timeout.
Per-key and per-IP daily rate limits apply; both reset at midnight UTC.
HTTP errors return {error, message} with conventional status codes.