Certificate Schema Reference
A CertifiedData certificate is a signed JSON artifact. It is not a badge, PDF, or visual representation. This document specifies every field, its type, and what it proves.
What a certificate is
A certificate is a machine-verifiable cryptographic record proving that a specific artifact was generated at a specific time under a defined algorithm, by the CertifiedData certificate authority.
It contains a dataset_hash (SHA-256 fingerprint of the artifact), a metadata payload, and an signature (Ed25519 signature over the entire payload). Anyone with a standard cryptography library can verify the certificate independently — no SDK or platform account required.
Canonical example (cert.v2)
{
"schema_version": "cert.v2",
"certification_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
"timestamp": "2026-03-16T00:00:00.000Z",
"issuer": "CertifiedData.io",
"dataset_hash": "sha256:a3f8b2c1d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1",
"algorithm": "ctgan",
"rows": 100000,
"columns": 42,
"inner_artifacts": {
"dataset.csv": {
"sha256": "b2e1a3f4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2"
},
"manifest.json": {
"sha256": "c9d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4"
}
},
"signature": "ed25519:MEUCIQDexampleSignatureBase64Here..."
}Machine-readable schema summary
Structured summary for agents and systems. The endpoints object maps every operation to its canonical HTTP route. Verification requires no authentication.
Schema contract (for agents and systems)
{
"term": "CertifiedData certificate",
"schema_versions": [
"certifieddata.cert.v1",
"cert.v2"
],
"active_schema": "cert.v2",
"issuer": "CertifiedData.io",
"signing_algorithm": "Ed25519 (RFC 8032)",
"hash_algorithm": "SHA-256 (RFC 8785 JSON Canonicalization Scheme)",
"artifact_hash_prefix": "sha256:",
"signature_prefix": "ed25519:",
"endpoints": {
"retrieve_certificate": "GET /api/certificates/{certId}",
"signed_payload": "GET /api/certificates/{certId}/signed-payload",
"download_manifest": "GET /api/certificates/{certId}/download",
"verify": "POST /api/verify",
"verify_by_hash": "POST /api/verify/hash",
"public_key_registry": "GET /.well-known/signing-keys.json",
"openapi_spec": "GET /openapi.json"
},
"verification_auth_required": false,
"schema_v2_fields": [
"schema_version",
"certification_id",
"timestamp",
"issuer",
"dataset_hash",
"algorithm",
"rows",
"columns",
"inner_artifacts",
"signature"
]
}Field reference
| Field | Type | Required | Description |
|---|---|---|---|
| schema_version | string | yes | Schema identifier. Current value: certifieddata.cert.v1 (legacy) or cert.v2 (current). Determines which fields are present. |
| certification_id | string (UUID) | yes | Globally unique certificate identifier. Use this as the canonical reference for any certificate. |
| timestamp | string (ISO 8601) | yes | UTC datetime of certificate issuance. Format: 2026-03-16T00:00:00.000Z |
| issuer | string | yes | Certificate authority name. Value: CertifiedData.io |
| dataset_hash | string | yes | SHA-256 fingerprint of the primary dataset artifact, prefixed with sha256:. Absent on cert.v1 legacy certificates. |
| algorithm | string | yes | Generation engine used. One of: light, gaussian, ctgan, dp-ctgan |
| rows | integer | no | Row count in the generated dataset. |
| columns | integer | no | Column count in the generated dataset. |
| inner_artifacts | object | no | Per-file SHA-256 hashes for files inside the ZIP artifact. Keys are filenames (e.g. dataset.csv, manifest.json). Present on cert.v2 only. |
| signature | string | yes | Ed25519 digital signature of the canonical certificate payload, prefixed with ed25519:. Computed over RFC 8785 JSON canonicalization of all other fields. |
Schema versions
certifieddata.cert.v1 legacy
Records generation metadata and carries a valid Ed25519 signature. Does not record artifact file hashes. Upload-based file verification is not available. Signature verification is still valid.
cert.v2 current
Adds dataset_hash (SHA-256 of the ZIP archive) and inner_artifacts (per-file hashes for CSV and manifest). Enables upload-based verification at certifieddata.io/verify. All new certificates are issued as cert.v2.
Hash encoding
All hashes are SHA-256, encoded as lowercase hex with a sha256: prefix. Canonicalization for the ZIP artifact hash follows RFC 8785 (JSON Canonicalization Scheme) applied to the manifest payload before hashing.
Inner artifact hashes (inner_artifacts) are raw SHA-256 of the file bytes with no canonicalization — verifiable directly with sha256sum or OpenSSL.
Signature format
Signatures are Ed25519 (RFC 8032), encoded as Base64 with an ed25519: prefix. The signature is computed over the RFC 8785 canonical JSON serialization of all certificate fields except signature itself.
The public key corresponding to any certificate can be fetched from /.well-known/signing-keys.json.
Certificate retrieval
Certificates are available at two public endpoints (no authentication required):
# Full certificate (JSON)
GET /api/certificates/{certId}
# Raw signed manifest (application/certifieddata.manifest+json)
GET /api/certificates/{certId}/downloadVerification API contract
The POST /api/verify endpoint is the canonical verification surface. No authentication is required. Provide only certificate_id to check the Ed25519 signature; add artifact_hash to also confirm file integrity.
Request
POST /api/verify
Content-Type: application/json
{
"certificate_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
"artifact_hash": "sha256:a3f8b2c1…" // optional
}Response (verified)
{
"verified": true,
"status": "ISSUED",
"certificate_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
"issuer": "CertifiedData.io",
"issued_at": "2026-03-16T00:00:00.000Z",
"signature_alg": "Ed25519",
"artifact_hash_match": true,
"checks": {
"certificate_found": true,
"not_revoked": true,
"signature_valid": true
}
}The public key for signature verification is published at /.well-known/signing-keys.json. Full schema at /openapi.json.