TaaS — Trust as a Service

API Reference

TaaS API

One API call generates a cryptographic certificate for any event in your app. Certificates are self-verifiable and legally admissible under ESIGN Act and eIDAS.

Authentication

All requests (except GET /verify) require an API key sent in the X-API-Key header. Keys are prefixed with taas_ and are only shown once at creation — store them securely.

Request header
X-API-Key: taas_your_api_key_here
API keys are hashed with bcrypt before storage. TaaS never stores plaintext keys. If a key is lost, create a new client account.

Base URL

Production
https://api.trytaas.com
Sandbox (100 free certs/day, no credit card)
https://sandbox.trytaas.com

Errors

TaaS returns standard HTTP status codes. Error bodies always include a detail field.

Code Meaning Cause
401 Unauthorized Missing, malformed, or invalid API key
404 Not Found Certificate ID does not exist
409 Conflict Email already registered
422 Validation Error Empty content, invalid content_type
Error response body
{
  "detail": "API key inválida"
}
POST /v1/certify

Generates a cryptographic certificate for any content or event. The certificate includes a SHA-256 hash, an ISO-8601 timestamp, and an RSA-PSS-SHA256 signature — all self-verifiable without contacting TaaS.

Request

Field Type Required Description
content string Yes The content to certify — JSON stringified, plain text, or a document hash. Cannot be empty.
content_type string No Category label. One of: text, document, event. Default: text. 
curl -X POST https://api.trytaas.com/v1/certify \
  -H "X-API-Key: taas_your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "content": "{\"event\":\"payment_confirmed\",\"amount\":499.00,\"buyer_id\":\"usr_abc123\",\"order_id\":\"ord_xyz789\"}",
    "content_type": "event"
  }'

Response 200 OK

{
  "cert_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
  "content_hash": "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
  "issued_at": "2026-06-02T16:42:03.821456+00:00",
  "issuer": "TaaS / Cews Investments Corp",
  "certificate": { ... }
}
Field Type Description
cert_id UUID Unique certificate identifier. Use this to verify.
content_hash string SHA-256 of the submitted content. Verifiable offline.
issued_at ISO-8601 UTC timestamp with microsecond precision.
issuer string Certificate issuer name (TaaS / Cews Investments Corp).
certificate object Full certificate object. See Certificate object.
GET /v1/verify/{cert_id}

Verifies a certificate's cryptographic signature. Public endpoint — no API key required. Share this URL with auditors, lawyers, or counterparties to prove a certificate is authentic.

Path parameter

Parameter Type Description
cert_id UUID The certificate ID returned by POST /certify. 
curl https://api.trytaas.com/v1/verify/3fa85f64-5717-4562-b3fc-2c963f66afa6

Response 200 OK

{
  "cert_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
  "valid": true,
  "content_hash": "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
  "issued_at": "2026-06-02T16:42:03.821456+00:00",
  "issuer": "TaaS / Cews Investments Corp",
  "status": "active"
}

If valid is false, the certificate data was tampered with after issuance. Returns 404 if the cert_id does not exist.

GET /v1/certificates

Returns a paginated list of certificates issued by the authenticated client, ordered by most recent first.

Query parameters

Parameter Type Default Description
limit integer 50 Number of results to return.
offset integer 0 Number of results to skip (for pagination). 
curl "https://api.trytaas.com/v1/certificates?limit=10&offset=0" \
  -H "X-API-Key: taas_your_api_key_here"

Response 200 OK

[
  {
    "cert_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "content_hash": "sha256:e3b0c44298fc1c14...",
    "content_type": "event",
    "created_at": "2026-06-02T16:42:03.821456+00:00",
    "status": "active"
  }
]
POST /v1/admin/clients

Creates a new client account and returns an API key. The API key is only shown once — store it immediately. This endpoint is used during onboarding and does not require an existing API key.

Request body

Field Type Required Description
name string Yes Client or company name.
email string Yes Contact email. Must be unique.
tier string No One of: starter, pro, enterprise. Default: starter. 
curl -X POST https://api.trytaas.com/v1/admin/clients \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Acme Corp",
    "email": "[email protected]",
    "tier": "starter"
  }'

Response 200 OK

{
  "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "name": "Acme Corp",
  "email": "[email protected]",
  "tier": "starter",
  "rate_limit_day": 100,
  "created_at": "2026-06-02T16:42:03.821456+00:00",
  "api_key": "taas_Kx9mN2pQrL7vT4wY..."
}
Save your API key now. It will not be shown again. If lost, create a new client account.

Certificate object

The certificate field in a certify response contains the full signed object. It is self-contained — a third party can verify the signature offline using the embedded public key, without contacting TaaS.

Full certificate JSON
{
  "version": "1.0",
  "cert_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
  "issuer": "TaaS / Cews Investments Corp",
  "issued_to": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "content": {
    "hash": "sha256:e3b0c44298fc1c149afbf4c8996fb924...",
    "algorithm": "SHA-256",
    "type": "event"
  },
  "timestamp": {
    "value": "2026-06-02T16:42:03.821456+00:00",
    "standard": "ISO-8601-UTC"
  },
  "signature": {
    "value": "base64-encoded-rsa-pss-sha256-signature...",
    "algorithm": "RSA-PSS-SHA256",
    "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjAN..."
  },
  "verification": {
    "payload_format": "TAAS-V1|hash={hash}|ts={ts}|issuer={issuer}",
    "self_verifiable": true
  }
}

Offline verification

To verify a certificate without calling the API, reconstruct the signed payload and verify the RSA-PSS-SHA256 signature using the embedded public key:

Python — offline verification
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding
import base64

cert = { ... }  # your certificate object

payload = (
    f"TAAS-V1"
    f"|hash={cert['content']['hash']}"
    f"|ts={cert['timestamp']['value']}"
    f"|issuer={cert['issuer']}"
).encode()

public_key = serialization.load_pem_public_key(
    cert["signature"]["public_key"].encode()
)
signature = base64.b64decode(cert["signature"]["value"])

public_key.verify(
    signature,
    payload,
    padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH),
    hashes.SHA256(),
)
print("Certificate is valid")

Crypto standards

Signature

RSA-PSS-SHA256

2048-bit RSA keys, PSS padding with SHA-256. Resistant to existential forgery.

Content hashing

SHA-256

Content is hashed before signing. The original content is never transmitted to TaaS in stored form.

Timestamps

ISO-8601 UTC

Microsecond precision. The timestamp is included in the signed payload — it cannot be altered without invalidating the signature.

Legal compliance

ESIGN Act + eIDAS

Certificates are admissible as evidence under US ESIGN Act and EU eIDAS Regulation.

Rate limits

Limits apply per API key, per calendar day (UTC). Exceeding the limit returns 429 Too Many Requests.

Tier Certs / day Price
Sandbox 100 Free — no credit card
Starter 100 $49/mo · 10,000 certs/month
Pro 10,000 $149/mo · 100,000 certs/month
Enterprise 100,000 $499/mo · Unlimited