Skip to main content

Public Key

Retrieve Treeship’s public signing key for independent verification.

Endpoint

GET /v1/pubkey

Authentication

Not required. This is a public endpoint.

Response

Status: 200 OK
{
  "key_id": "abc123def456",
  "algorithm": "Ed25519",
  "public_key_pem": "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA...\n-----END PUBLIC KEY-----\n",
  "usage": "Use this key to independently verify attestation signatures. Save as pubkey.pem."
}

Response Fields

FieldTypeDescription
key_idstringShort identifier for this key
algorithmstringAlways “Ed25519”
public_key_pemstringPEM-encoded public key
usagestringInstructions for use

Example

curl https://api.treeship.dev/v1/pubkey

Using the Key

Save to File

curl -s https://api.treeship.dev/v1/pubkey | jq -r '.public_key_pem' > pubkey.pem

Verify a Signature

# 1. Get the public key
curl -s https://api.treeship.dev/v1/pubkey | jq -r '.public_key_pem' > pubkey.pem

# 2. Get an attestation
curl -s https://api.treeship.dev/v1/verify/ATTESTATION_ID > attestation.json

# 3. Extract and save the payload
jq -r '.independent_verification.recreate_payload' attestation.json > payload.txt

# 4. Extract and decode the signature
jq -r '.signature' attestation.json | base64 -d > sig.bin

# 5. Verify
openssl pkeyutl -verify -pubin -inkey pubkey.pem -sigfile sig.bin -in payload.txt

Key Rotation

If the key is rotated, the key_id will change. Old attestations remain verifiable if you have the old public key. We recommend:
  1. Caching the public key locally
  2. Storing historical public keys
  3. Checking key_id matches when verifying

Mirroring

You can mirror the public key on your own infrastructure for redundancy:
# Fetch and store periodically
curl -s https://api.treeship.dev/v1/pubkey > /var/treeship/pubkey.json