Hub API Overview

API reference for the Treeship Hub at api.treeship.dev. Authentication, endpoints, and error format.

Base URL

https://api.treeship.dev

All endpoints are prefixed with /v1/.

What Hub does

Hub is optional infrastructure. Artifact validity never depends on it -- the signatures are the trust. Hub provides three things:

  1. Artifact storage for signed envelopes pushed from local Treeships
  2. Shareable verification URLs at treeship.dev/verify/{artifact_id}
  3. Transparency log anchoring via Sigstore Rekor

Hub does not sign, modify, or interpret artifacts. It stores and serves the DSSE envelopes created locally. The WASM verifier on the verification page runs client-side, so Hub cannot forge a passing result.

Authentication

Hub uses DPoP (Demonstration of Proof-of-Possession) for write endpoints. There are no API keys, session tokens, or bearer tokens.

Authenticated requests require two headers:

| Header | Value |
| --- | --- |
| Authorization | DPoP {hub_id} |
| DPoP | A fresh JWT signed by the hub private key |

The DPoP JWT contains:

{
  "iat": 1711500000,
  "jti": "unique-random-hex",
  "htm": "POST",
  "htu": "https://api.treeship.dev/v1/artifacts"
}

Hub verifies:

  • iat is within 60 seconds of the current time
  • jti has not been seen before (replay protection)
  • htm matches the HTTP method of the request
  • htu matches the request URL
  • The JWT signature matches the hub public key stored during login
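
The claim checks in the list above, sketched as an added example (not Hub's own code). It assumes the caller has already verified the JWT signature against the stored hub public key, which is not shown because this page does not name the signing algorithm; `DPoPClaimChecker`, its reason strings, and the exact-string `htu` comparison are assumptions of the sketch.

```python
import time

MAX_SKEW = 60  # seconds; the iat window stated on this page


class DPoPClaimChecker:
    """Applies the listed claim rules to an already signature-verified proof."""

    def __init__(self, max_skew=MAX_SKEW):
        self.max_skew = max_skew
        self._seen = {}  # jti -> last instant at which that proof's iat is still fresh

    def check(self, claims, method, url, now=None):
        """Return None if the proof is acceptable, else a short rejection reason."""
        now = time.time() if now is None else now
        # Forget jti values whose proofs would fail the iat check anyway,
        # so the replay cache stays bounded.
        self._seen = {j: exp for j, exp in self._seen.items() if exp >= now}

        iat = claims.get("iat")
        if isinstance(iat, bool) or not isinstance(iat, (int, float)):
            return "iat missing or not numeric"
        if abs(now - iat) > self.max_skew:
            return "iat outside window"
        if claims.get("htm") != method:
            return "htm mismatch"
        if claims.get("htu") != url:  # exact match: an assumption of this sketch
            return "htu mismatch"
        jti = claims.get("jti")
        if not isinstance(jti, str) or not jti:
            return "jti missing"
        if jti in self._seen:
            return "jti replayed"
        # Record the jti only after every other check has passed.
        self._seen[jti] = iat + self.max_skew
        return None


if __name__ == "__main__":
    # Constructed sample proof, using the claim values shown on this page.
    url = "https://api.treeship.dev/v1/artifacts"
    proof = {"iat": 1711500000, "jti": "unique-random-hex", "htm": "POST", "htu": url}
    checker = DPoPClaimChecker()
    print(checker.check(proof, "POST", url, now=1711500010))  # first use
    print(checker.check(proof, "POST", url, now=1711500020))  # same jti again
```

Each `jti` is kept only until its `iat` window closes, because a later replay of that proof is rejected by the `iat` check.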

Read endpoints require no authentication.

Endpoints

| Method | Path | Auth | Description |
| --- | --- | --- | --- |
| GET | /v1/hub/challenge | None | Start device flow login |
| POST | /v1/hub/authorize | None | Complete device flow login |
| GET | /v1/hub/authorized | None | Poll device flow status |
| POST | /v1/artifacts | DPoP | Push a signed artifact |
| GET | /v1/artifacts/:id | None | Retrieve an artifact |
| GET | /v1/workspace/:hub_id | DPoP | List artifacts in a workspace |
| GET | /v1/verify/:id | None | Verify an artifact server-side |
| POST | /v1/merkle/checkpoint | DPoP | Publish a Merkle checkpoint |
| POST | /v1/merkle/proof | DPoP | Publish a Merkle inclusion proof |
| GET | /v1/merkle/checkpoint/latest | None | Get the latest Merkle checkpoint |
| GET | /v1/merkle/checkpoint/:id | None | Get a specific Merkle checkpoint |
| GET | /v1/merkle/:artifactId | None | Get a Merkle inclusion proof |
| GET | /.well-known/treeship/revoked.json | None | Revoked key list |

Error format

All errors return JSON:

{
  "error": "artifact not found"
}

HTTP status codes:

  • 200 -- Success
  • 201 -- Created (artifact stored)
  • 202 -- Accepted (pending, used during device flow polling)
  • 400 -- Bad request
  • 401 -- Authentication failed (DPoP invalid)
  • 404 -- Not found
  • 500 -- Server error

OpenAPI spec

The full OpenAPI 3.1 spec is available at hub-openapi.yaml for code generation and tooling.