Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.trulayer.ai/llms.txt

Use this file to discover all available pages before exploring further.

TruLayer writes a daily head-hash anchor for every tenant’s audit log. The manifest itself is stored in S3 Object Lock (WORM) and signed with an Ed25519 key; GET /v1/audit/verify returns a Postgres mirror of that anchor so third-party auditors can cross-check without pulling the S3 artifact on every query.

Endpoint — GET /v1/audit/verify

Unauthenticated by design — anchors are public evidence. 
curl -G https://api.trulayer.ai/v1/audit/verify \
  --data-urlencode "tenant_id=$TENANT_ID" \
  --data-urlencode "date=2026-04-23"
Response: 
{
  "tenant_id": "1f3b...",
  "date": "2026-04-23",
  "head_hash": "a7c4...",
  "manifest_url": "https://s3.amazonaws.com/trulayer-audit-anchors/1f3b/2026-04-23.json",
  "signature": "base64(ed25519-signature)",
  "public_key": "base64(ed25519-pubkey)"
}

Supplying an expected hash

Pass expected_head_hash=<hex> to receive a hash_matches: bool field alongside the anchor — saves a round-trip in automated checks. 
curl -G https://api.trulayer.ai/v1/audit/verify \
  --data-urlencode "tenant_id=$TENANT_ID" \
  --data-urlencode "date=2026-04-23" \
  --data-urlencode "expected_head_hash=a7c4..."

Verification recipe

  1. Fetch the anchor for a day.
  2. Download the S3 manifest at manifest_url.
  3. Verify the Ed25519 signature over the manifest JSON using the published public_key.
  4. Compute the Merkle head of your local copy of the audit log for that day and compare against head_hash.
Any mismatch indicates tampering — either of the local log or of the mirror. Because the manifest is WORM, TruLayer cannot alter it after the fact.

See also