> ## Documentation Index
> Fetch the complete documentation index at: https://docs.trulayer.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Verify a daily audit-log head-hash anchor (TRU-163)

> Returns the recorded daily head-hash checkpoint for
`(tenant_id, date)` as written by the anchoring job. The
manifest itself is stored in S3 Object Lock (WORM) and is
signed with an Ed25519 key; this endpoint returns the mirror
stored in Postgres. Third-party auditors can cross-check the
`head_hash` against the signed S3 manifest (verifying the
signature locally) and, optionally, supply their own
`expected_head_hash` to get an immediate boolean match.

Unauthenticated by design — the anchors are public evidence.




## OpenAPI

````yaml /api-reference/openapi.yaml get /v1/audit/verify
openapi: 3.1.0
info:
  title: TruLayer API
  version: 0.1.0
  description: |
    Trace ingestion, evaluation, query, and feedback API for TruLayer AI.

    ### Authentication

    Two auth schemes coexist: SDK API keys (`Authorization: Bearer tl_...`)
    and Clerk session JWTs (dashboard). Routes marked "requires Clerk auth"
    in their summary are unreachable via API key.

    ### Roles (TRU-234)

    Dashboard requests carry one of three organization roles: `owner`,
    `member`, `viewer`. Endpoints enforce role allowlists, not rank
    comparisons. See `docs/security.md` for the full role-permission
    matrix.

    - **owner** — full control including billing, member management,
      destructive deletes on failure-rules/model-routes/webhooks/eval-rules,
      control-loop execution, and DLQ resolution.
    - **member** — read + write (ingest, feedback, evals, API keys,
      projects, failure-rules, model-routes, webhooks).
    - **viewer** — read-only dashboard access plus compliance read access
      to `/v1/audit-log` and `/v1/dlq`.
servers:
  - url: https://api.trulayer.ai
    description: Production
  - url: http://localhost:8080
    description: Local development
security:
  - BearerAuth: []
tags:
  - name: health
  - name: ingest
  - name: traces
  - name: metrics
  - name: feedback
  - name: evals
  - name: eval-rules
  - name: control
  - name: apikeys
  - name: model-routes
  - name: datasets
  - name: search
  - name: anomaly
  - name: webhooks
  - name: failure-rules
  - name: eval-runs
  - name: ci
  - name: otlp
  - name: billing
  - name: deprecations
  - name: audit
  - name: failures
  - name: projects
  - name: compliance
  - name: dsr
  - name: policies
  - name: members
paths:
  /v1/audit/verify:
    get:
      tags:
        - audit
      summary: Verify a daily audit-log head-hash anchor (TRU-163)
      description: |
        Returns the recorded daily head-hash checkpoint for
        `(tenant_id, date)` as written by the anchoring job. The
        manifest itself is stored in S3 Object Lock (WORM) and is
        signed with an Ed25519 key; this endpoint returns the mirror
        stored in Postgres. Third-party auditors can cross-check the
        `head_hash` against the signed S3 manifest (verifying the
        signature locally) and, optionally, supply their own
        `expected_head_hash` to get an immediate boolean match.

        Unauthenticated by design — the anchors are public evidence.
      operationId: verifyAuditAnchor
      parameters:
        - name: tenant_id
          in: query
          required: true
          schema:
            type: string
            format: uuid
        - name: date
          in: query
          required: true
          schema:
            type: string
            format: date
          description: UTC day, YYYY-MM-DD.
        - name: expected_head_hash
          in: query
          required: false
          schema:
            type: string
          description: Optional. When provided, the response includes `hash_matches`.
      responses:
        '200':
          description: Anchor found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuditVerifyResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '404':
          description: No anchor recorded for the given (tenant_id, date)
      security: []
components:
  schemas:
    AuditVerifyResponse:
      type: object
      required:
        - verified
        - date
        - head_hash
        - row_count
        - s3_key
        - anchored_at
      properties:
        verified:
          type: boolean
          description: True when an anchor row exists for the given (tenant_id, date).
        date:
          type: string
          format: date
        head_hash:
          type: string
          description: >-
            Hex-encoded sha256 of the audit-log chain head as of the anchor
            date.
        row_count:
          type: integer
          format: int64
        s3_key:
          type: string
          description: Object key of the signed manifest in the anchor S3 bucket.
        anchored_at:
          type: string
          format: date-time
        hash_matches:
          type: boolean
          nullable: true
          description: Present only when the caller provided `expected_head_hash`.
    ErrorResponse:
      type: object
      required:
        - error
      properties:
        error:
          type: string
  responses:
    BadRequest:
      description: Bad request
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
      description: SDK API key (`tl_...`) or Clerk session JWT

````