Skip to main content
POST
/
verify
Verify an Execution Trust Record
curl --request POST \
  --url http://localhost:3000/verify \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "businessTransactionId": "44b34a79-e0f2-49d7-a48e-e52fff88182e"
}
'
import requests

url = "http://localhost:3000/verify"

payload = { "businessTransactionId": "44b34a79-e0f2-49d7-a48e-e52fff88182e" }
headers = {
"Authorization": "Bearer <token>",
"Content-Type": "application/json"
}

response = requests.post(url, json=payload, headers=headers)

print(response.text)
const options = {
method: 'POST',
headers: {Authorization: 'Bearer <token>', 'Content-Type': 'application/json'},
body: JSON.stringify({businessTransactionId: '44b34a79-e0f2-49d7-a48e-e52fff88182e'})
};

fetch('http://localhost:3000/verify', options)
.then(res => res.json())
.then(res => console.log(res))
.catch(err => console.error(err));
<?php

$curl = curl_init();

curl_setopt_array($curl, [
CURLOPT_PORT => "3000",
CURLOPT_URL => "http://localhost:3000/verify",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "POST",
CURLOPT_POSTFIELDS => json_encode([
'businessTransactionId' => '44b34a79-e0f2-49d7-a48e-e52fff88182e'
]),
CURLOPT_HTTPHEADER => [
"Authorization: Bearer <token>",
"Content-Type: application/json"
],
]);

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
echo "cURL Error #:" . $err;
} else {
echo $response;
}
package main

import (
"fmt"
"strings"
"net/http"
"io"
)

func main() {

url := "http://localhost:3000/verify"

payload := strings.NewReader("{\n \"businessTransactionId\": \"44b34a79-e0f2-49d7-a48e-e52fff88182e\"\n}")

req, _ := http.NewRequest("POST", url, payload)

req.Header.Add("Authorization", "Bearer <token>")
req.Header.Add("Content-Type", "application/json")

res, _ := http.DefaultClient.Do(req)

defer res.Body.Close()
body, _ := io.ReadAll(res.Body)

fmt.Println(string(body))

}
HttpResponse<String> response = Unirest.post("http://localhost:3000/verify")
.header("Authorization", "Bearer <token>")
.header("Content-Type", "application/json")
.body("{\n \"businessTransactionId\": \"44b34a79-e0f2-49d7-a48e-e52fff88182e\"\n}")
.asString();
require 'uri'
require 'net/http'

url = URI("http://localhost:3000/verify")

http = Net::HTTP.new(url.host, url.port)

request = Net::HTTP::Post.new(url)
request["Authorization"] = 'Bearer <token>'
request["Content-Type"] = 'application/json'
request.body = "{\n \"businessTransactionId\": \"44b34a79-e0f2-49d7-a48e-e52fff88182e\"\n}"

response = http.request(request)
puts response.read_body
{
  "verificationId": "63aac300-e0a8-47e9-9bb1-fd4b7d6cfdce",
  "businessTransactionId": "44b34a79-e0f2-49d7-a48e-e52fff88182e",
  "status": "VERIFIED",
  "message": "Execution Trust Record verified successfully.",
  "verifiedAt": "2026-07-13T17:42:11.002Z",
  "trustRecordHash": "e20a8861864f1a0a6c5fe00e64abca04de18a7d165a82ef9d7beb458c2096b3f"
}
{
"error": "businessTransactionId must be a valid UUID."
}
{
"error": "authentication required"
}
{
"error": "Execution Trust Record not found.",
"code": "VERIFICATION_FAILED"
}

Authorizations

Authorization
string
header
required

Caller API key issued by scripts/generate-api-key.ts. Sent as Authorization: Bearer . Verified against a stored SHA-256 hash in constant time by packages/api/src/auth/StaticKeyAuthenticator.ts. Required on every route except GET /health. See /api-reference/authentication.

Body

application/json

Request payload for POST /verify. businessTransactionId is required and must be a valid UUID; both are rejected with a 400, with distinct messages depending on which check fails.

businessTransactionId
string<uuid>
required

Business Transaction to verify.

Response

Verification completed (status VERIFIED or FAILED, see the response schema; a 200 does not by itself mean verification succeeded).

Immutable result of verifying an entire Execution Trust Record: recomputed hash matches the stored hash, signature verifies, and every APPROVED Execution carries a non-empty authorizationId. All checks always run and are reported together in message; a failure in one does not skip the others.

verificationId
string
required

Unique Verification identifier.

businessTransactionId
string
required

Business Transaction being verified.

status
enum<string>
required

Verification result.

Available options:
VERIFIED,
FAILED
verifiedAt
string<date-time>
required

UTC timestamp when verification completed.

trustRecordHash
string
required

Hash of the verified Execution Trust Record, proving exactly which record was verified.

message
string

Human-readable verification summary: either the success message, or every failed check's message joined with "; ".