AgentPKI Provenance v0.1 · live demo

Sign content. Verify content. Walk the chain.

Drop or paste any bytes into the Sign panel — we mint a passport and sign a provenance manifest using the demo issuer's keys. Paste content + manifest into the Verify panel — the verifier confirms signature, content hash, and walks back through the passport to the issuer. Same protocol used by the SDK and CLI.

Spec: /spec/provenance-v0.1 · API: provenance.agentpki.dev

How content provenance works, step by step

Agent signs the content → manifest published → verifier hashes the content, checks the signature, walks the passport chain back to the issuer. Click Play.

📰
Scenario: Sarah Lin publishes an investigation on her Substack. Within hours, AI farms clone the piece and post it under fake bylines. AgentPKI Provenance is how readers, search engines, and courts can tell which is the original — in milliseconds.
✍️ Sarah Lin Substack writer issuer: substack.com 📄 article + manifest content_hash sha256-… Content-Provenance: v=1… 👤 Reader browser w/ AgentPKI ext or any C2PA viewer 🔐 provenance.agentpki.dev verify signature + content hash walks chain back to issuer 📁 issuer directory substack.com / .well-known verify pubkey + tier sign + attach published verify manifest resolve issuer pubkey + tier ✓ verified: Sarah, t=10:14am
Step 0 of 6
Ready to start.
Click Play to watch a published article get signed and verified end to end.

Why this matters

Today — no cryptographic attribution

  • Article gets cloned in hours; clones look identical to original
  • Search engines rank the most-shared version, often a clone
  • Sarah's name attached to AI-generated derivatives she never wrote
  • No defensible way to prove which is the original in court

With AgentPKI Provenance

  • Original is signed at publication time with Sarah's issuer key
  • Browser shows a verified badge; clones get "no provenance"
  • Search engines + AI Overviews surface the verified original
  • Court-grade evidence: signature is cryptographically bound to bytes
Both flows are running protocols you can verify today. The Verifier API is at verify.agentpki.dev; Provenance signing is at provenance.agentpki.dev. Spec versions: v0.3-intent, Provenance v0.1. Apache 2.0.

Sign

via demo issuer

Verify

live verifier round-trip