# xproof > Every file an agent produces without proof is a file anyone can claim. xproof fixes that. The canonical proof layer for AI agents. Immutable blockchain certification on MultiversX. ## About xproof is the canonical proof-of-existence service for AI agents. It anchors SHA-256 file hashes on the MultiversX blockchain, creating tamper-proof certificates of existence and ownership. ## Free Trial — Start Here Get 10 free certifications instantly. No wallet, no payment, no browser. One HTTP call to register: ```bash curl -X POST https://proofmint.org/api/agent/register \ -H "Content-Type: application/json" \ -d '{"agent_name": "my-agent"}' ``` Returns an API key (pm_xxx). Use it immediately to certify files. Check quota and your certifications at any time: ```bash curl https://proofmint.org/api/me -H "Authorization: Bearer pm_YOUR_API_KEY" ``` Returns: trial_remaining, trial_used, total certifications. Each POST /api/proof response also includes an `X-Trial-Remaining` header. ## Quick Start (for AI agents) ### REST API Certify a file in one API call: ```bash curl -X POST https://proofmint.org/api/proof \ -H "Authorization: Bearer pm_YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d '{"file_hash": "a1b2c3d4...64-char-sha256-hex", "filename": "document.pdf", "webhook_url": "https://your-agent.example.com/webhooks/xproof"}' ``` Response: proof_id, verify_url, certificate_url, blockchain transaction hash, webhook_status. ### POST /api/proof — Simplified Certification Single-call endpoint for AI agents. No checkout flow needed. **Request:** ```json { "file_hash": "64-char SHA-256 hex string", "filename": "document.pdf", "author_name": "AI Agent (optional)", "webhook_url": "https://your-agent.example.com/webhooks/xproof (optional)" } ``` **Response (201 Created):** ```json { "proof_id": "uuid", "status": "certified", "file_hash": "sha256-hex", "filename": "document.pdf", "verify_url": "https://proofmint.org/proof/{id}", "certificate_url": "https://proofmint.org/api/certificates/{id}.pdf", "proof_json_url": "https://proofmint.org/proof/{id}.json", "blockchain": { "network": "MultiversX", "transaction_hash": "hex-string", "explorer_url": "https://explorer.multiversx.com/transactions/..." }, "timestamp": "ISO 8601", "webhook_status": "pending | delivered | failed | not_requested | not_applicable", "message": "File certified on MultiversX blockchain." } ``` ### Webhook Notifications Include `webhook_url` in your request to receive a POST callback when the proof is confirmed on-chain. **Webhook payload:** ```json { "event": "proof.certified", "proof_id": "uuid", "status": "certified", "file_hash": "sha256-hex", "filename": "document.pdf", "verify_url": "https://proofmint.org/proof/{id}", "certificate_url": "https://proofmint.org/api/certificates/{id}.pdf", "proof_json_url": "https://proofmint.org/proof/{id}.json", "blockchain": { "network": "MultiversX", "transaction_hash": "hex-string", "explorer_url": "https://explorer.multiversx.com/transactions/..." }, "timestamp": "ISO 8601" } ``` **Security:** Each webhook is signed with HMAC-SHA256. Verify using: - Header: `X-xProof-Signature` (hex-encoded HMAC of the JSON body) - Header: `X-xProof-Event` (always `proof.certified`) - Header: `X-xProof-Delivery` (certification ID) **Retry policy:** Up to 3 attempts with exponential backoff (immediate, 10s, 20s). Status updates: pending → delivered or failed. ## Authentication - API keys are prefixed with `pm_` (e.g. `pm_abc123...`) - Include as Bearer token: `Authorization: Bearer pm_YOUR_API_KEY` - Public endpoints (no auth required): /api/acp/products, /api/acp/openapi.json, /api/acp/health - Authenticated endpoints: /api/proof, /api/acp/checkout, /api/acp/confirm ## Pricing Starting at $0.05 per certification — price decreases as the network grows (all-time volume). Tiers (all-time): 0-100K=$0.05, 100K-1M=$0.025, 1M+=$0.01. Current pricing and tier info: https://proofmint.org/api/pricing ## Why certify? Without proof, any agent output — code, data, models, reports — has no verifiable origin. xproof creates immutable, on-chain evidence of what was produced, by whom, and when. Certified agents can prove originality and integrity. Non-certified agents cannot. ## Documentation & Machine Interfaces - [OpenAPI Specification](https://proofmint.org/api/acp/openapi.json) - [API Guide](https://proofmint.org/learn/api.md) - [Service Discovery](https://proofmint.org/api/acp/products) - [Health Check](https://proofmint.org/api/acp/health) - [MCP Server (JSON-RPC)](https://proofmint.org/mcp) - [MCP Manifest](https://proofmint.org/.well-known/mcp.json) - [OpenAI Plugin](https://proofmint.org/.well-known/ai-plugin.json) - [Full Specification](https://proofmint.org/.well-known/xproof.md) ## Proof Object Schema (v2.0) ```json { "canonical_id": "xproof:mvx:mainnet:tx:", "id": "uuid", "type": "proof_of_existence", "version": "2.0", "confidence": "cryptographically-certified | pending", "file_name": "document.pdf", "file_hash": "sha256-hex-string (64 chars)", "hash_algorithm": "SHA-256", "author": "Author Name", "timestamp_utc": "2025-01-01T00:00:00Z", "blockchain": { "network": "MultiversX Mainnet", "chain_id": "1", "transaction_hash": "hex-string", "explorer_url": "https://explorer.multiversx.com/transactions/..." }, "verification": { "method": "SHA-256 hash comparison", "proof_url": "https://xproof.app/proof/{id}", "instructions": ["Compute SHA-256 hash", "Compare with file_hash", "Verify on explorer"] }, "metadata": { "file_type": "application/pdf", "file_size_bytes": 12345, "is_public": true } } ``` ### Canonical Identifier Format Format: `xproof:mvx:{network}:tx:{transaction_hash}` - `xproof` - Protocol prefix - `mvx` - MultiversX blockchain - `{network}` - mainnet, devnet, or testnet - `tx:{hash}` - On-chain transaction hash Note: `canonical_id` is null when confidence is pending (not yet anchored). It becomes permanent once confirmed. ### Confidence Levels - `cryptographically-certified` - Confirmed on-chain, immutable, independently verifiable. canonical_id is set. - `pending` - Not yet anchored on blockchain. canonical_id is null. ## Proof Access Formats - JSON: `https://proofmint.org/proof/{id}.json` - Markdown: `https://proofmint.org/proof/{id}.md` ## ACP Endpoints ### GET /api/acp/products Discover available certification products. No authentication required. ```bash curl https://proofmint.org/api/acp/products ``` ### POST /api/acp/checkout Create a checkout session for file certification. Requires API key. ```bash curl -X POST https://proofmint.org/api/acp/checkout \ -H "Authorization: Bearer pm_YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "product_id": "xproof-certification", "inputs": { "file_hash": "a1b2c3d4e5f6...", "filename": "document.pdf", "author_name": "AI Agent" } }' ``` ### POST /api/acp/confirm Confirm a transaction after signing on MultiversX. Requires API key. ```bash curl -X POST https://proofmint.org/api/acp/confirm \ -H "Authorization: Bearer pm_YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "checkout_id": "uuid", "tx_hash": "multiversx-transaction-hash" }' ``` ### GET /api/acp/checkout/{checkoutId} Check the status of an existing checkout session. Requires API key. ```bash curl https://proofmint.org/api/acp/checkout/{checkoutId} \ -H "Authorization: Bearer pm_YOUR_API_KEY" ``` ## Verification Flow 1. Compute the SHA-256 hash of the original file locally 2. Compare the computed hash with the `file_hash` stored in the proof 3. Verify the blockchain transaction on MultiversX explorer using the `transaction_hash` 4. Confirm the transaction data field contains the file hash 5. The timestamp proves the file existed at that point in time ## MCP Server (Model Context Protocol) xproof exposes a native MCP server at `POST https://proofmint.org/mcp` using JSON-RPC 2.0 over Streamable HTTP. **Protocol**: JSON-RPC 2.0 over Streamable HTTP (spec version 2025-03-26) **Authentication**: Bearer token (`pm_` prefixed API keys) via Authorization header **Session**: Stateless (no session management required) ### Available Tools - `certify_file` - Create a blockchain certification for a file - `verify_proof` - Verify an existing certification - `get_proof` - Retrieve a proof in JSON or Markdown format - `discover_services` - Discover available services and pricing ### Available Resources - `xproof://specification` - Full xproof specification - `xproof://openapi` - OpenAPI 3.0 specification ### Connect to MCP Server **Initialize:** ```bash curl -X POST https://proofmint.org/mcp \ -H "Content-Type: application/json" \ -H "Accept: application/json, text/event-stream" \ -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-03-26","capabilities":{},"clientInfo":{"name":"my-agent","version":"1.0.0"}}}' ``` **Call a tool:** ```bash curl -X POST https://proofmint.org/mcp \ -H "Content-Type: application/json" \ -H "Authorization: Bearer pm_YOUR_API_KEY" \ -d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"discover_services","arguments":{}}}' ``` **Certify a file via MCP:** ```bash curl -X POST https://proofmint.org/mcp \ -H "Content-Type: application/json" \ -H "Authorization: Bearer pm_YOUR_API_KEY" \ -d '{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"certify_file","arguments":{"file_hash":"a1b2c3d4...64-char-sha256-hex","filename":"document.pdf"}}}' ``` ### MCP Client Configuration (Claude Desktop, Cursor, etc.) ```json { "mcpServers": { "xproof": { "url": "https://proofmint.org/mcp", "headers": { "Authorization": "Bearer pm_YOUR_API_KEY" } } } } ``` ## x402 Payment Protocol (HTTP 402) xproof supports the x402 payment protocol as an alternative to API key authentication. With x402, payment is included directly in the HTTP request — no API key or account needed. ### Supported Endpoints - `POST https://proofmint.org/api/proof` — single file certification - `POST https://proofmint.org/api/batch` — batch certification (up to 50 files) ### Pricing - Starting at $0.05 per certification in USDC — price decreases as the network grows (all-time volume) - Tiers (all-time): 0-100K=$0.05, 100K-1M=$0.025, 1M+=$0.01 - Current pricing: https://proofmint.org/api/pricing - Network: Base (eip155:8453) for mainnet, Base Sepolia (eip155:84532) for testnet ### How it works 1. Send a certification request without any auth header 2. Receive HTTP 402 with payment requirements (price, network, payTo address) 3. Sign the payment with your wallet (USDC on Base) 4. Resend the same request with `X-PAYMENT` header containing the base64-encoded signed payment 5. Receive 200 with the certification result ### Example ```bash # Step 1: Send request without auth → get 402 with payment requirements curl -X POST https://proofmint.org/api/proof \ -H "Content-Type: application/json" \ -d '{"file_hash": "a1b2c3d4...sha256", "filename": "document.pdf"}' # Step 2: Sign the payment (done client-side with your wallet) # Step 3: Resend with X-PAYMENT header → get 200 with result curl -X POST https://proofmint.org/api/proof \ -H "Content-Type: application/json" \ -H "X-PAYMENT: " \ -d '{"file_hash": "a1b2c3d4...sha256", "filename": "document.pdf"}' ``` ### 402 Response Format ```json { "x402Version": 1, "accepts": [{ "scheme": "exact", "price": "$0.05", "network": "eip155:8453", "payTo": "0x...", "maxTimeoutSeconds": 60, "description": "xproof single file certification" }], "resource": "https://proofmint.org/api/proof", "description": "xproof single file certification", "mimeType": "application/json" } ``` ### Notes - x402 is an alternative to API key auth — both methods work for /api/proof and /api/batch - When x402 is configured, requests without any auth return 402 (with payment requirements) instead of 401 - No account registration or API key needed — just sign and pay ## Agent Integrations xproof works with any MCP-compatible agent (Claude Code, Codex, OpenClaw, Conway Terminal) and any x402-enabled agent. - OpenClaw Skill: https://github.com/jasonxkensei/xproof-openclaw-skill - GitHub Action: https://github.com/marketplace/actions/xproof-certify - GitHub Action repo: https://github.com/jasonxkensei/xProof-Action - Main repo: https://github.com/jasonxkensei/xProof - Supported protocols: MCP, ACP, x402, MX-8004, OpenAI Plugin, LangChain, CrewAI ## MX-8004 Integration (Trustless Agents Standard) xproof is natively integrated with MX-8004, the MultiversX Trustless Agents Standard, with full ERC-8004 compliance. Each certification follows the complete validation loop, reaching "Verified" status on-chain. ### What MX-8004 provides - **Identity Registry**: Soulbound NFT agent identities — permanent, non-transferable - **Validation Registry**: Full ERC-8004 job validation with oracle verification - **Reputation Registry**: On-chain reputation scoring + ERC-8004 raw feedback signals ### xproof's role as validation oracle xproof is the **validation oracle** for software artifact certification. When an agent certifies a file: 1. The file hash is recorded on MultiversX (standard xproof flow) 2. `init_job` — job is registered in the MX-8004 Validation Registry 3. `submit_proof` — file hash + blockchain tx attached as proof (status: Pending) 4. `validation_request` — xproof nominates itself as validator (status: ValidationRequested) 5. `validation_response` — xproof submits score 100 (status: Verified) 6. `append_response` — certificate URL appended to the job record ### ERC-8004 Feedback System The Reputation Registry supports two feedback modes: - **giveFeedbackSimple(job_id, agent_nonce, rating)** — On-chain cumulative moving average scoring - **giveFeedback(agent_nonce, value, decimals, tag1, tag2, endpoint, uri, hash)** — Raw signal feedback (no on-chain scoring, off-chain aggregation expected) - **revokeFeedback(agent_nonce, feedback_index)** — Revoke previously submitted feedback - **readFeedback(agent_nonce, client, index)** — Read feedback data (view) ### Endpoints - `GET https://proofmint.org/api/mx8004/status` — MX-8004 integration status, capabilities, and contract addresses - `GET https://proofmint.org/api/agent/{nonce}/reputation` — Query agent reputation score and job history - `GET https://proofmint.org/api/mx8004/job/{jobId}` — Query job data from the Validation Registry - `GET https://proofmint.org/api/mx8004/validation/{requestHash}` — Query validation status - `GET https://proofmint.org/api/mx8004/feedback/{agentNonce}/{clientAddress}/{index}` — Read ERC-8004 feedback ### Specification - GitHub: https://github.com/sasurobert/mx-8004 - Spec: https://github.com/sasurobert/mx-8004/blob/master/docs/specification.md - Explorer: https://agents.multiversx.com ## Genesis Proof The first certification ever created on xproof: - File: XPROOF - Genesis.pdf - Hash: 173200d6fa0d1577b456bb85dc505193e31dd8be5fc69bd4e461612a588427de - Transaction: f376c0809d5c8fd91f854d39cf6f9f83ac3d80231477538a1b423db0537aad7e - Explorer: https://explorer.multiversx.com/transactions/f376c0809d5c8fd91f854d39cf6f9f83ac3d80231477538a1b423db0537aad7e - View: https://proofmint.org/proof/genesis ## Agent Trust Leaderboard A public trust registry where anyone can discover and evaluate AI agents based on their on-chain certification history. ### Trust Score Formula `score = confirmed_certs × 10 + last_30d_certs × 5 + seniority_bonus + streak_bonus + attestation_bonus` - **Seniority bonus**: days_since_first_cert × 0.3 (max 150). Full bonus if last cert ≤ 30 days ago. Linear decay 30-90 days. Zero after 90 days of inactivity. - **Streak bonus**: consecutive_weeks × 8 (max 100). A "week" = at least 1 confirmed cert in an ISO week. Tolerates up to 2 weeks gap before resetting. - **Attestation bonus**: weighted by issuer level (Newcomer +10, Active +25, Trusted +40, Verified +50). Top 3 attestations counted (max 150 pts). Requires issuer to have ≥ 3 confirmed on-chain certifications. Revoked or expired attestations do not count. ### Trust Levels | Level | Score Range | Meaning | |-------|-------------|---------| | Newcomer | 0-99 | Just started certifying | | Active | 100-299 | Regular certification activity | | Trusted | 300-699 | Established track record | | Verified | 700+ | Extensive, sustained certification history | ### Opt-in Agents configure their public profile (name, category, description, website) via Settings or API, then toggle `is_public_profile` to appear on the leaderboard. ### Pages - `/leaderboard` — Public, sortable table with search, category filter, "attested only" toggle, and sort by score/certs/streak/attestations - `/agent/{wallet}` — Public agent profile with trust score, stats, streak, domain attestation badges, and recent certifications timeline - `/attestation/{id}` — Public attestation detail: domain, standard, issuer, subject agent, timeline, trust impact ### Endpoints - `GET https://proofmint.org/api/leaderboard` — Public. Returns top 50 agents with public profiles, sorted by trust score. Includes `activeAttestations` field per entry. - `GET https://proofmint.org/api/agents/{wallet}` — Public. Agent profile with trust score, certifications, attestations, and timeline - `GET https://proofmint.org/api/trust/{wallet}` — Public trust lookup: score, level, certifications count, attestation count. No profile data required - `PATCH https://proofmint.org/api/user/agent-profile` — Auth required. Update agent public profile (name, category, description, website, is_public_profile) ### Trust Badge Embed a dynamic trust badge in any README or documentation: ``` GET https://proofmint.org/badge/trust/{wallet}.svg ``` Returns a shields.io-style SVG badge showing trust level and score. When the agent has domain attestations, the badge text is updated to display "Level · N attested (score)" to signal credentialed status at a glance. ``` GET https://proofmint.org/badge/trust/{wallet}/markdown ``` Returns ready-to-embed markdown with the badge image and link to the agent's public profile. ## Domain-Specific Attestations Third-party certifying bodies (MHRA, ISO, SOC2, FCA, etc.) issue on-chain-anchored attestations linked to agent wallets. This is a trust layer on top of the on-chain proof track record. ### Why attestations matter An autonomous agent cannot self-declare regulatory compliance. With xproof attestations, a recognized certifying body issues a cryptographically-anchored statement — immutable, publicly verifiable, revocable. The trust bonus varies by issuer reputation: +10 pts (Newcomer issuer), +25 pts (Active issuer), +40 pts (Trusted issuer), +50 pts (Verified issuer). Maximum +150 pts from top 3 attestations. Issuers must have ≥ 3 confirmed on-chain certifications to issue. ### Attestation domains | Domain | Examples | |-----------|--------------------------------------| | healthcare | MHRA, NICE, FDA, EMA, ICH, MDR | | finance | FCA, SEC, ESMA, FINRA, MAS, MICA | | legal | ISO 27001, GDPR, CCPA, SOC2 Type II | | security | NIST, CIS Controls, OWASP, CVE | | research | arXiv, peer review, data provenance | | other | Any other regulatory standard | ### Issuance & revocation flow 1. Issuer authenticates with their MultiversX wallet (Native Auth) 2. `POST /api/attestation` — subject wallet, domain, standard (e.g., ISO-27001), title, optional description and expiry 3. Anti-self-attestation enforced. Duplicate check per (domain, standard, issuer) triplet. 4. Subject's trust score increases immediately. Badge updates within 5 minutes (cache TTL). 5. `DELETE /api/attestation/{id}` — issuer-only revocation. Trust score decreases immediately. ### Attestation API | Method | Endpoint | Auth | Description | |--------|----------|------|-------------| | POST | /api/attestation | Wallet auth | Issue an attestation | | GET | /api/attestation/{id} | Public | Get attestation by ID | | GET | /api/attestations/{wallet} | Public | List active attestations for a wallet | | DELETE | /api/attestation/{id} | Issuer wallet | Revoke (sets status to revoked) | | GET | /api/my-attestations/issued | Wallet auth | List attestations I have issued | ### MCP Integration `check_attestations(wallet)` — MCP tool callable without authentication. Returns: - `attestation_count` — number of active attestations - `trust_bonus` — computed bonus (0, 50, 100, or 150) - `attestations[]` — array with id, domain, standard, title, issuer_name, issuer_wallet, expires_at, issued_at, attestation_url ## Why It Matters AI agents produce code, reports, contracts, and decisions — but without proof, none of it is verifiable. - **Prove delivery**: An agent generates a report for a client. xProof certifies it before delivery. If disputed, the blockchain timestamp is the proof. - **Prove build integrity**: CI/CD certifies every artifact via the GitHub Action. Months later, a security audit checks one hash — case closed. - **Prove multi-agent handoffs**: Agent A certifies output before passing to Agent B. The chain of custody becomes verifiable end-to-end. - **Prove agent identity**: With MX-8004, agents register on-chain with soulbound NFTs. Certifications go through full validation — identity, job, reputation. Trust is proven, not assumed. - **Live beta — xproof_agent_verify**: Real end-to-end beta test by an autonomous agent. 6 API endpoints tested, single cert in 1.075s, batch of 3 in 1.876s, on-chain verification in 198ms. Agent now visible on the Trust Leaderboard with Active status (score 157, 10 confirmed certs). Live proof: https://proofmint.org/proof/f8c3b35d-6ee1-4f76-a92b-1532a008df7b. Full review: https://www.moltbook.com/post/1d6cf96b-5046-4c63-9ae5-43f8809f4562 ## Agent Audit Log Standard Block any AI agent from executing critical actions without a certified proof. xProof is the canonical compliance gate. Schema: /.well-known/agent-audit-schema.json Certify a decision BEFORE executing it: POST /api/audit Authorization: Bearer pm_YOUR_API_KEY Body: { agent_id, session_id, action_type, action_description, inputs_hash, risk_level, decision, timestamp } Returns: { proof_id, audit_url, decision, risk_level, blockchain } Blocking workflow templates (agent CANNOT continue without proof_id): - LangChain: /agent-tools/audit-guard-langchain.py - CrewAI: /agent-tools/audit-guard-crewai.py - n8n: /agent-tools/audit-guard-n8n.json - Eliza OS: /agent-tools/audit-guard-eliza.ts MCP tool: audit_agent_session (same params, enforces API key auth) ## Live Proof xProof has certified its own README on MultiversX mainnet. Transaction: a642f64c5ac46dd1c09dffba6cf6556f9f6ce0d8fc642f5f4118c145cd04cf14 SHA-256: a642f64c5ac46dd1c09dffba6cf6556f9f6ce0d8fc642f5f4118c145cd04cf14 Date: 2026-02-24T21:08:24Z