Public Evidence Verification

Feature row 60 — Sprint PEV

Public Evidence Verification is part of the core audit layer and is available on every plan. This page is readable without signing in so external verifiers can land on it.

What this is

Every Behavry audit event is hash-chained (see Decision Trace). That means any party who holds an event hash can prove two things without needing to read the event contents:

  1. Existence — the event hash is in the Behavry audit log for some tenant, at some timestamp
  2. Integrity — the chain from that event back to an earlier anchor is intact (no tampering)

Public Evidence Verification (PEV) exposes this as a rate-limited, unauthenticated HTTP endpoint. Auditors, regulators, customers, and downstream verifiers can confirm an event without needing credentials for the tenant that generated it.

The endpoint

GET /api/v1/public/verify?hash={event_hash}
  • No authentication required
  • Rate-limited (per-IP, 60 requests per minute by default)
  • Returns no event content — only existence + integrity

Response

{
  "found": true,
  "tenant_public_id": "acme",
  "timestamp": "2026-04-08T14:23:11Z",
  "chain_intact": true,
  "anchor_hash": "a3f2...",
  "anchor_timestamp": "2026-04-08T14:00:00Z"
}

  • found — whether the hash exists in the log at all
  • tenant_public_id — the tenant's public-facing slug (not the internal UUID)
  • timestamp — when the event was written
  • chain_intact — whether the hash chain from the event back to the nearest anchor is uninterrupted
  • anchor_hash / anchor_timestamp — the nearest periodic chain anchor, so a verifier can compute an independent hash and cross-check

Not found

{ "found": false }

Returned when the hash isn't in the log. Not-found responses are rate-limited the same as found responses to prevent enumeration attacks.

What this does not expose

PEV returns zero event content. No payload, no DLP findings, no identities, no policy reasons, no targets. A third party can prove an event exists; they cannot read what it was about.

This is the right default for a public endpoint. Tenants that want to expose event content to specific verifiers do it through the authenticated API under admin approval.

Periodic anchors

To make independent verification practical, Behavry writes a chain anchor every hour:

  • An anchor is a pair {timestamp, hash} where hash is the current head of the audit chain
  • Anchors are published to a tenant-configurable anchor endpoint (by default, none — tenants opt in)
  • Public verifiers compare anchor_hash from a PEV response against an independently received anchor to confirm the chain hasn't been rewritten after the fact
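
The anchor cross-check described above, as an added example (not Behavry's own code) of how a verifier could turn one parsed PEV response into a verdict. The function name, the verdict labels and the anchor store keyed by timestamp string are assumptions; the sample hash is constructed.

```python
import hashlib
import hmac
from datetime import datetime

def _ts(value):
    # Timestamps in the page's sample are ISO 8601 UTC with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def evaluate_pev(response, trusted_anchors):
    """Return (verdict, reason) for one parsed PEV response.

    trusted_anchors: {anchor_timestamp: hash} received outside the PEV
    endpoint (assumed storage format, keyed by the exact timestamp string).
    """
    if response.get("found") is not True:
        return "not_found", "hash is not in the audit log"
    if response.get("chain_intact") is not True:
        return "chain_broken", "service reports a break before the anchor"
    try:
        anchor_hash = str(response["anchor_hash"])
        # The page describes the chain running back to an earlier anchor.
        ordered = _ts(response["anchor_timestamp"]) <= _ts(response["timestamp"])
    except (KeyError, ValueError, AttributeError, TypeError):
        return "malformed", "required field missing or unparseable"
    if not ordered:
        return "malformed", "anchor is later than the event"
    expected = trusted_anchors.get(response["anchor_timestamp"])
    if expected is None:
        # chain_intact alone is the service vouching for itself.
        return "unconfirmed", "no independent anchor for that timestamp"
    if not hmac.compare_digest(anchor_hash.lower().encode(), expected.lower().encode()):
        return "anchor_mismatch", "anchor differs from the independent copy"
    return "verified", "existence and integrity confirmed"

# Constructed sample data, not real Behavry values.
SAMPLE_ANCHOR = hashlib.sha256(b"constructed anchor").hexdigest()
SAMPLE_RESPONSE = {
    "found": True, "tenant_public_id": "acme",
    "timestamp": "2026-04-08T14:23:11Z", "chain_intact": True,
    "anchor_hash": SAMPLE_ANCHOR, "anchor_timestamp": "2026-04-08T14:00:00Z",
}

if __name__ == "__main__":
    print(evaluate_pev(SAMPLE_RESPONSE, {"2026-04-08T14:00:00Z": SAMPLE_ANCHOR}))
    print(evaluate_pev(SAMPLE_RESPONSE, {}))
```

A verifier holding no independently received anchor gets "unconfirmed" rather than "verified", because in that case the only integrity evidence is the service's own chain_intact flag.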

Use cases

  • Auditors verifying that a specific compliance event exists
  • Customers confirming that their vendor actually produced a Decision Trace they were told about
  • Regulators asking for cryptographic proof of record-keeping without network access to the tenant
  • Incident responders confirming a specific action happened and wasn't spoofed

Rate limiting and abuse

  • Per-IP rate limit (configurable, default 60/min)
  • Per-tenant rate limit across all IPs (prevents probing of a single tenant's logs from becoming a DoS)
  • No batch endpoint; each request checks one hash
  • Enumeration is infeasible: the hash space is 2^256