Public Key

Retrieve Treeship’s public signing key for independent verification.

Endpoint

GET /v1/pubkey

Authentication

Not required. This is a public endpoint.

Response

Status: 200 OK

{
  "key_id": "abc123def456",
  "algorithm": "Ed25519",
  "public_key_pem": "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA...\n-----END PUBLIC KEY-----\n",
  "usage": "Use this key to independently verify attestation signatures. Save as pubkey.pem."
}

Response Fields

Field	Type	Description
`key_id`	string	Short identifier for this key
`algorithm`	string	Always “Ed25519”
`public_key_pem`	string	PEM-encoded public key
`usage`	string	Instructions for use

Example

curl https://api.treeship.dev/v1/pubkey

Using the Key

Save to File

curl -s https://api.treeship.dev/v1/pubkey | jq -r '.public_key_pem' > pubkey.pem

Verify a Signature

# 1. Get the public key
curl -s https://api.treeship.dev/v1/pubkey | jq -r '.public_key_pem' > pubkey.pem

# 2. Get an attestation
curl -s https://api.treeship.dev/v1/verify/ATTESTATION_ID > attestation.json

# 3. Extract and save the payload
jq -r '.independent_verification.recreate_payload' attestation.json > payload.txt

# 4. Extract and decode the signature
jq -r '.signature' attestation.json | base64 -d > sig.bin

# 5. Verify
openssl pkeyutl -verify -pubin -inkey pubkey.pem -sigfile sig.bin -in payload.txt

Key Rotation

If the key is rotated, the key_id will change. Old attestations remain verifiable if you have the old public key. We recommend:

Caching the public key locally
Storing historical public keys
Checking key_id matches when verifying

Mirroring

You can mirror the public key on your own infrastructure for redundancy:

# Fetch and store periodically
curl -s https://api.treeship.dev/v1/pubkey > /var/treeship/pubkey.json

API Reference

​Public Key

​Endpoint

​Authentication

​Response

​Response Fields

​Example

​Using the Key

​Save to File

​Verify a Signature

​Key Rotation

​Mirroring