Integration Guide

How to commit artifacts, verify proofs, and integrate OCC into your application.

Quick start: commit via API

Hash your artifact locally, then send only the digest to the OCC endpoint:

# 1. Hash your file
DIGEST=$(openssl dgst -sha256 -binary myfile.pdf | base64)

# 2. Send to OCC endpoint
curl -X POST https://nitro.occproof.com/commit \
  -H "Content-Type: application/json" \
  -d '{
    "digests": [{
      "digestB64": "'"$DIGEST"'",
      "hashAlg": "sha256"
    }],
    "metadata": {
      "source": "my-app"
    }
  }'

TypeScript / JavaScript

// Hash locally (`file` is a File, e.g. from an <input type="file"> element)
const bytes = new Uint8Array(await file.arrayBuffer());
const hashBuf = await crypto.subtle.digest("SHA-256", bytes);
const digestB64 = btoa(String.fromCharCode(...new Uint8Array(hashBuf)));

// Commit to enclave
const resp = await fetch("https://nitro.occproof.com/commit", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
    digests: [{ digestB64, hashAlg: "sha256" }],
    metadata: { source: "my-app", fileName: file.name },
  }),
});

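// Stop on an HTTP error instead of parsing an error body as a proof
if (!resp.ok) {
  throw new Error(`OCC commit failed: HTTP ${resp.status}`);
}

const [proof] = await resp.json();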
// proof is a complete OCCProof JSON object
console.log(proof.commit.counter);
console.log(proof.environment.enforcement);

Verify a proof

import { verify } from "occproof";

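// myProof: the OCCProof object returned by /commit
// originalFileBytes: the bytes of the original artifact
const result = await verify({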
  proof: myProof,
  bytes: originalFileBytes,
  trustAnchors: {
    requireEnforcement: "measured-tee",
    allowedMeasurements: ["ac813febd1ac4261..."],
    requireAttestation: true,
    requireAttestationFormat: ["aws-nitro"],
  },
});

if (result.valid) {
  console.log("Proof verified successfully");
} else {
  console.error("Verification failed:", result.reason);
}

Enclave info

# Get enclave public key and measurement
curl https://nitro.occproof.com/key

# Response:
# {
#   "publicKeyB64": "...",
#   "measurement": "ac813febd1ac4261...",
#   "enforcement": "measured-tee"
# }

Important notes

  • Files are never uploaded. Only the SHA-256 digest crosses the network.
  • The proof is portable. Store it alongside the artifact or in a separate system.
  • Verification is offline. No API calls needed to verify — just the public key and original bytes.
  • Pin measurements. For production, always pin allowedMeasurements and require attestation.
  • Track counters. Store the last accepted counter value to prevent replay.
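
A replay guard for the "Track counters" note above, as an added example that is not part of this guide's original code or the occproof library. It assumes proof.commit.counter is a non-negative integer (number or decimal string) and that counters are tracked per pinned measurement; CounterTracker and replayDemo are hypothetical names, and the sample proofs are constructed.

```javascript
// Added example (not the occproof library's code). Run only after verify()
// reports valid. Assumptions: proof.commit.counter is a non-negative integer
// (number or decimal string) and counters are tracked per pinned measurement.
class CounterTracker {
  constructor(saved = {}) {
    // measurement -> last accepted counter, held as BigInt
    this.last = new Map(
      Object.entries(saved).map(([m, c]) => [m, BigInt(c)])
    );
  }

  static parseCounter(raw) {
    if (typeof raw === "number" && Number.isSafeInteger(raw) && raw >= 0) {
      return BigInt(raw);
    }
    if (typeof raw === "string" && /^\d+$/.test(raw)) return BigInt(raw);
    return null; // missing, negative, fractional or non-numeric
  }

  // Accept only a counter strictly greater than the last accepted one.
  // State changes only on acceptance, so a rejected proof cannot move it.
  accept(measurement, proof) {
    const counter = CounterTracker.parseCounter(proof?.commit?.counter);
    if (counter === null) {
      return { accepted: false, reason: "counter missing or malformed" };
    }
    const prev = this.last.get(measurement);
    if (prev !== undefined && counter <= prev) {
      return { accepted: false, reason: `replay: ${counter} <= ${prev}` };
    }
    this.last.set(measurement, counter);
    return { accepted: true, reason: null };
  }

  // Plain object with string counters, suitable for JSON persistence.
  snapshot() {
    return Object.fromEntries([...this.last].map(([m, c]) => [m, String(c)]));
  }
}

// Constructed sample proofs; "measurement-A" is a placeholder, not a real value.
function replayDemo() {
  const tracker = new CounterTracker({ "measurement-A": "41" });
  const proofs = [{ commit: { counter: 42 } }, { commit: { counter: 42 } },
                  { commit: { counter: "43" } }, { commit: {} }];
  return proofs.map((p) => tracker.accept("measurement-A", p).accepted);
}
```

Persist snapshot() after each accepted proof and pass it back to the constructor on restart, so the last accepted counter survives a process restart.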