Integrity

Provenance Ledger

Append-only, hash-chained ledger for tracking content provenance. Every entry links cryptographically to the previous one, creating a tamper-evident history.

Entry Types

Creation

Initial content or artifact creation.

Modification

Any changes to the tracked content.

Verification

Integrity verification checkpoints.

Training

Use of content in AI model training.

Appending Entries

provenance.ts

import { DRD } from '@drd/sdk';

const drd = new DRD({ apiKey: process.env.DRD_API_KEY });

// Append a new entry to the chain
await drd.provenance.appendEntry({
  chainId: 'chain_abc123',
  entryType: 'modification',
  actor: 'agent_xyz789',
  action: 'Updated content metadata',
  metadata: {
    fieldsChanged: ['title', 'description'],
    previousVersion: '1.2.3',
  },
  signature: 'ed25519:abc...',
});

Chain Verification

Verify the integrity of any provenance chain by checking that each entry's previous hash matches the preceding entry's current hash.

verify.ts

const result = await drd.provenance.verifyChain({
  chainId: 'chain_abc123',
});

if (result.valid) {
  console.log('Chain integrity verified');
} else {
  console.error('TAMPER DETECTED: Chain integrity broken');
}

Chain Integrity

Every ledger entry is linked to its predecessor via cryptographic hashing, forming a tamper-evident hash chain. Any modification to a historical entry invalidates all subsequent hashes.

Entry Hash

SHA-256 hash of the entry payload. Any field change produces a completely different hash.

Chain Link

Each entry includes the hash of the previous entry. Tampering breaks the chain.

Digital Signature

Ed25519 or ML-DSA-65 signature over the entry hash. Proves the entry was created by DRD.

verify-chain.json

// Verify chain integrity for a content item
// GET /api/v1/provenance/:contentId/verify

{
  "ok": true,
  "data": {
    "contentId": "019content-...",
    "totalEntries": 14,
    "chainValid": true,
    "signaturesValid": true,
    "verifiedAt": "2026-02-14T12:00:00Z",
    "verificationMethod": "full_chain_walk",
    "entries": [
      { "id": "019prov-001", "type": "Creation",     "valid": true },
      { "id": "019prov-002", "type": "Verification",  "valid": true },
      { "id": "019prov-003", "type": "Modification",  "valid": true },
      { "id": "019prov-004", "type": "Training",      "valid": true }
    ]
  }
}

Merkle Tree Anchoring

DRD periodically anchors Merkle tree roots to external timestamping services, providing independent proof that the ledger state existed at a given point in time. Anchor frequency is configurable per workspace (default: every 1,000 entries or 1 hour, whichever comes first).

Provenance API

Query the provenance ledger to retrieve content history, verify ownership, and audit training usage.

Endpoint	Method	Description
/provenance/:contentId	GET	Get full provenance history for a content item
/provenance/:contentId/verify	GET	Verify chain integrity and signatures
/provenance/:contentId/entries	GET	List entries with filtering by type and date
/provenance/:entryId	GET	Get a single provenance entry by ID
/provenance/search	POST	Search entries across all content by criteria
/provenance/:contentId/export	GET	Export provenance as C2PA manifest or JSON

search-provenance.json

// Search for all training usage of a content item
// POST /api/v1/provenance/search

{
  "filters": {
    "contentId": "019content-...",
    "type": "Training",
    "from": "2026-01-01T00:00:00Z"
  },
  "include": ["actor", "data.modelId", "data.licenseCheck"],
  "limit": 100
}

// Response
{
  "ok": true,
  "data": {
    "entries": [
      {
        "id": "019prov-...",
        "type": "Training",
        "timestamp": "2026-01-15T08:00:00Z",
        "actor": { "type": "Agent", "name": "training-pipeline-v2" },
        "data": {
          "modelId": "acme-llm-v4",
          "licenseCheck": "passed",
          "optOutHonored": true
        }
      }
    ],
    "total": 3,
    "hasMore": false
  }
}

Querying Content History

Retrieve the complete lifecycle of any content item. The history API returns entries in chronological order with full chain verification metadata.

history.ts

import { DRD } from '@drd/sdk';

const drd = new DRD({ apiKey: 'drd_live_sk_...' });

const history = await drd.provenance.history('019content-...', {
  includeVerification: true,
  format: 'timeline',
});

// Returns:
// {
//   contentId: "019content-...",
//   chainValid: true,
//   timeline: [
//     { type: "Creation",     at: "2026-01-10T...", actor: "alice@acme.com" },
//     { type: "Verification", at: "2026-01-10T...", actor: "drd-auto-verify" },
//     { type: "Modification", at: "2026-01-20T...", actor: "bob@acme.com" },
//     { type: "Training",     at: "2026-02-01T...", actor: "training-pipeline-v2" },
//   ]
// }

// Export as C2PA Content Credentials
const manifest = await drd.provenance.exportC2PA('019content-...');

Retention & Archival

Provenance entries are retained according to your workspace compliance settings. Default retention is 10 years (3,650 days). Entries can be exported to cold storage for long-term archival. Deleted content retains its provenance history for auditability.

Next Steps

Royalty Splitting

Track content revenue

Learn more →

Model Lineage

Track training provenance

Learn more →

Explainability

Explain provenance decisions

Learn more →

Content Protection

Four-layer protection stack for registered assets

Learn more →