Beta Release of TrackOrigin is live. We are still running verifications throughout June.
FOR DSPS · LABELS · DISTRIBUTORS · MARKETPLACES

BUILT FOR
CATALOGUE VOLUME.

Verify the human origin of every track in your catalogue. Open REST API, signed webhooks, hash-chained transparency log, and a partner submission API for verifying on behalf of contracted artists. Plug in today — no contract required to start.

  • Ed25519 signed certificates · independently verifiable
  • HMAC-SHA256 webhooks · 6-attempt retry with backoff
  • Sandbox keys · build & test before going live
  • OpenAPI 3 · idempotency-key on every POST
[ 01 — INTEGRATION MODES ]

THREE WAYS
TO PLUG IN.

Pick the mode that matches how your platform already works with artists. All three share the same signed certificate format, so a track verified under one path is readable from any other.

A
Read-only · Verify

Check status for tracks you ingest.

Your ingestion pipeline already takes ISRC, UPC, ISWC or audio file SHA-256. Add one lookup per track and display the Origin Seal when a cert exists. Pure read-only — no artist relationship needed on your side. For the strongest signal, fingerprint the file you actually serve and confirm it with verify-audio before showing the seal.

  • Bulk lookup by ISRC (up to 1,000 at once)
  • Resolve a content hash via by-sha256 (masters + renditions)
  • Confirm the served audio with verify-audio (perceptual, transcode-tolerant)
  • Signed revocation snapshot + monotonic changes?since_sequence feed
  • Webhook for cert.issued / cert.revoked
  • Verify the manifest signature offline against our JWKS
CONTRACTED
C
White-label · Hosted in your brand

Embed the studio + seal under your brand.

Run the entire verification flow inside your own portal — your logo on the cert, your colour on the seal, your domain on the public page. We sign and operate the verification; you own the surface your artists see.

  • Iframe-embed of the verification studio under verify.yourbrand.com
  • Co-branded certificate page with your logo + accent colour
  • Themed Origin Seal (color, tone, lockup variant)
  • Bulk pricing — published rate card on request
[ 02 — WORKFLOW · READ-ONLY VERIFY ]

INGEST  →  LOOK UP  → 
DISPLAY THE SEAL.

Four steps. For a typical DSP ingestion pipeline (~100k new ISRCs/day), lookup adds <50ms per track and Origin Seal renders in <10ms from the embed CDN.

  1. 01
    GET A KEY

    Mint a secret API key.

    Sign up (an artist-style account is fine for a DSP read-only key), open Account → API keys, and mint a key named e.g. spotify-ingest-prod. Use to_pk_test_… for dev, to_sk_live_… for prod. The key is stored only as a SHA-256 hash, so you'll never see it again; paste it into your secret manager immediately.

    10k free authenticated calls/month · then 1 credit / 5k
  2. 02
    LOOK UP THE TRACK

    Resolve by ISRC, UPC, ISWC or SHA-256.

    For each track entering your catalogue, hit one of the lookup endpoints. Bulk endpoints take up to 1,000 IDs per call.

    curl · bulk by ISRC
    curl -X POST https://trackorigin.io/api/v1/certificates/by-isrc/bulk \
      -H "Authorization: Bearer to_sk_live_…" \
      -H "Content-Type: application/json" \
      -d '{"isrcs": ["USRC17607839", "USRC17607840"]}'

    The response keys each ISRC to either a cert summary or null. Results are hash-anchored, so your offline verifier can re-check the signature without calling us again. To resolve a raw content hash, use GET /api/v1/tracks/by-sha256/{sha}; it now matches both master uploads and registered transcode renditions, and returns 409 ambiguous_multiple_certificates if a hash maps to more than one active cert (in that case, resolve nothing). For audio you transcode and serve yourself, fingerprint that exact file and call POST /api/v1/certificates/{cert_id}/verify-audio; the perceptual match survives MP3/AAC encoding where a byte-exact SHA never would. The seal is for the served work, not the original upload.

    ~50ms · cached 60s · idempotent
  3. 03
    STAY IN SYNC

    Either poll the delta feed or take webhooks.

    Two ways to keep your local cache fresh — pick one. Webhooks are near-real-time; the delta feed is a fallback for periods where your receiver was offline.

    Poll · safe + simple
    GET /api/v1/certificates/changes?since_sequence=120

    Sequence mode (preferred): store last_applied_sequence and reject any response whose head is lower than it, so that rollback and replay can't un-revoke a cert. Run every 60–300s. (Legacy ?since=<ISO> timestamp mode still works.)

    Webhook · push
    POST /v1/me/webhooks
    { "url": "https://…", "events": ["cert.issued", "cert.revoked"] }

    HMAC-SHA256 signed. Replay-window 300s. 6 retries with backoff up to 6 h. See verification spec.

  4. 04
    DISPLAY THE SEAL

    Drop the embed onto your track page.

    Five variants — Seal, Disc, Strip, Lockup, Glyph. The seal fetches the latest status from your local cache or directly from our public read endpoint. Themeable via data-color / data-tone. Copy rule: the mark reads "Verified human-made" / "Verified work" — never "verified artist", "verified owner", or "official artist" (a faithful re-upload verifies the work, not authorship).

    HTML
    <script src="https://trackorigin.io/static/embed-widget.js" defer></script>
    <span data-trackorigin-cert="cer_01H0XAR…" data-variant="mini"></span>
    Auto-mounts on DOMContentLoaded · no framework required
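
The sequence-mode rule from step 03 (store last_applied_sequence, refuse a response whose head is behind it), as an added example that is not TrackOrigin's own code. The response field names head_sequence, changes, sequence, cert_id and event are assumptions, since the page does not show the feed schema.

```python
# Added example: sequence-mode consumer for the changes feed.
# ASSUMPTION: "head_sequence", "changes", "sequence", "cert_id" and "event"
# are hypothetical field names; the page does not give the response schema.

EVENT_STATE = {"cert.issued": "active", "cert.revoked": "revoked"}


class FeedRollbackError(Exception):
    """The response is older than, or inconsistent with, the local state."""


class CertCache:
    def __init__(self, last_applied_sequence=0):
        self.last_applied_sequence = last_applied_sequence
        self.status = {}  # cert_id -> "active" | "revoked"

    def apply(self, response):
        """Apply one feed response; return how many new entries were applied."""
        head = response["head_sequence"]
        changes = sorted(response["changes"], key=lambda c: c["sequence"])
        # Validate everything first so a rejected response changes nothing.
        if head < self.last_applied_sequence:
            raise FeedRollbackError(
                f"head {head} is behind last applied {self.last_applied_sequence}")
        if any(c["sequence"] > head for c in changes):
            raise FeedRollbackError("entry numbered past the advertised head")
        applied = 0
        for change in changes:
            if change["sequence"] <= self.last_applied_sequence:
                continue  # replayed entry: already applied, never re-applied
            state = EVENT_STATE.get(change["event"])
            if state is not None:
                self.status[change["cert_id"]] = state
            self.last_applied_sequence = change["sequence"]
            applied += 1
        self.last_applied_sequence = head
        return applied


# Constructed sample responses (not real API output).
FRESH = {"head_sequence": 122, "changes": [
    {"sequence": 121, "cert_id": "cer_example_a", "event": "cert.issued"},
    {"sequence": 122, "cert_id": "cer_example_a", "event": "cert.revoked"}]}
ROLLED_BACK = {"head_sequence": 121, "changes": [
    {"sequence": 121, "cert_id": "cer_example_a", "event": "cert.issued"}]}

if __name__ == "__main__":
    cache = CertCache(last_applied_sequence=120)
    print(cache.apply(FRESH), cache.status)
```

Persist last_applied_sequence in the same transaction as the status changes, so a crash between the two cannot reopen the replay window.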
[ 03 — WORKFLOW · PARTNER SUBMIT ]

CONTRACTED ARTIST  → 
VERIFY ON BEHALF.

For labels, distributors and managers who already have a relationship with the artist. You initiate the session; the artist completes the live verification on their device.

  1. 01
    ARTIST SIGNS A CONSENT JWT

    One-time, scoped to your partner ID.

    The artist's account mints a JWT with type=partner_consent, your partner_id, their artist_id, and a unique jti. Token expires in ≤24 h. Single-use — JTI tracked server-side; re-consume returns 409.

  2. 02
    PARTNER PRE-CREATES THE SESSION

    POST /api/v1/partner/sessions.

    curl
    curl -X POST https://trackorigin.io/api/v1/partner/sessions \
      -H "Authorization: Bearer to_sk_live_…" \
      -H "Idempotency-Key: $(uuidgen)" \
      -H "Content-Type: application/json" \
      -d '{
        "track_id": "trk_…",
        "declaration_id": "dec_…",
        "consent_token": "eyJhbGciOiJI…"
      }'

    Response includes a complete_url — send it to the artist by SMS, email or in-app message.

  3. 03
    ARTIST FINISHES THE SESSION

    Live witnessed verification on their device.

    Six-gate liveness, randomised challenges, signed manifest. The artist owns the recording-time relationship with us — biometric consent is captured at session start. You receive the certificate via webhook and via the delta feed.

  4. 04
    YOU GET THE CERT

    cert.issued webhook fires immediately.

    Anchored to the master's SHA-256 + ISRC. Display the Origin Seal in your portal next to the track. If anything changes — re-master, revocation, dispute — you get cert.revoked too.

[ 04 — WHITE-LABEL ]

HOSTED IN
YOUR BRAND.

The full verification surface — studio, certificate page, embed seal — rendered under your domain, with your logo and your colour. We sign and operate. You own the customer touch-point. Contracted only.

Studio iframe-embed

Drop our verification studio into verify.yourbrand.com via iframe-embed with a signed JWT for the artist. PostMessage events let your portal react to session start, challenge progress and completion.

Co-branded certificate page

The public /cert/{cert_id} page can be themed with your logo and brand colour, served from a custom hostname (verified.yourbrand.com) with the Ed25519-signed manifest unchanged.

Themed Origin Seal

The seal embed already supports data-color, data-tone and five variants out-of-the-box. For white-label deployments we extend this with your brand tokens so the seal feels native to your UI.

Single sign-on (SAML / OIDC)

Artists log in to your portal once; we accept your SSO assertion and bind it to a TrackOrigin account behind the scenes. No second login, no re-signup.

Volume pricing

Self-serve credit packs cap at 150-track packs. For catalogues with 1,000+ tracks/year we publish a per-track rate card on request, with invoicing and net-30 terms.

On-prem audit pack mirror

For partners with compliance requirements, signed session recordings and audit packs can be mirrored to your S3 / GCS bucket on issuance. The signed manifest stays canonical with us; you hold the evidence.

Start a white-label conversation

Reply within 2 business days · 30-day pilot at no cost

[ 05 — SANDBOX ]

BUILD AGAINST
TEST KEYS FIRST.

Every account ships with sandbox keys (to_pk_test_… / to_sk_test_…) that hit an isolated cert store. Calls don't bill. Webhooks don't fire to real consumers. The built-in synthetic cert cer_test_synthetic is always resolvable, so you can curl immediately after key issuance.

  1. Seed a custom fixture. POST /api/v1/sandbox/certificates with an ISRC, verdict and artist handle returns a deterministic cert id.
  2. Test the read path. Hit /api/v1/certificates/{cert_id} with your test secret key — response is the same shape as live.
  3. Test the webhook contract. POST /v1/me/webhooks/{id}/test fires a synthetic envelope against your endpoint. Use it to debug your HMAC verifier before going live.
[ 06 — TRUST ]

WHAT YOU CAN
RELY ON.

[ CRYPTO ]

Ed25519 signed manifests

Every certificate is signed over canonical-JSON. Public keys at /.well-known/trackorigin-public-keys.json include kid history so old certs stay verifiable through key rotation.

[ TRANSPARENCY ]

Hash-chained CT log + STH

Every issuance is appended to an append-only Certificate Transparency log. Pin one signed tree head and detect any tampering with the chain on later polls.

[ DELIVERY ]

HMAC-signed webhooks · idempotent POSTs

Stripe-style TO-Signature: t=…,v1=…, 300s replay window, 6-attempt retry with backoff, auto-disable after 10 consecutive failures. Idempotency-Key on every POST.
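
A receiver-side check for the TO-Signature header and the 300s replay window, as an added example that is not TrackOrigin's own code. The signed string "<t>.<raw body>" and the hex encoding are assumptions taken from Stripe's scheme, which the page names as the model; confirm both against the verification spec. The secret, body and timestamp are constructed.

```python
import hashlib
import hmac
import time

REPLAY_WINDOW_SECONDS = 300  # replay window stated on this page


def parse_signature_header(header):
    """Split 't=...,v1=...' into the timestamp and the list of v1 signatures."""
    timestamp, signatures = None, []
    for part in header.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep:
            continue
        if key == "t":
            timestamp = value
        elif key == "v1":
            signatures.append(value)
    return timestamp, signatures


def verify_webhook(secret, header, raw_body, now=None):
    """Return True only for a fresh, correctly signed delivery."""
    timestamp, signatures = parse_signature_header(header)
    if timestamp is None or not signatures:
        return False
    if not (timestamp.isascii() and timestamp.isdigit()):
        return False
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > REPLAY_WINDOW_SECONDS:
        return False  # outside the replay window
    # ASSUMPTION: signed string is "<t>.<raw body>", hex HMAC-SHA256.
    signed = timestamp.encode() + b"." + raw_body
    expected = hmac.new(secret, signed, hashlib.sha256).hexdigest().encode()
    # Constant-time compare; any matching v1 is accepted (secret rotation).
    return any(hmac.compare_digest(expected, s.encode()) for s in signatures)


# Constructed sample delivery (secret, envelope fields and timestamp are made up).
SAMPLE_SECRET = b"example-webhook-secret"
SAMPLE_BODY = b'{"type":"cert.revoked","cert_id":"cer_example_a"}'
SAMPLE_T = 1_700_000_000


def sample_header(body=SAMPLE_BODY, t=SAMPLE_T):
    """Build the header a sender would attach under the assumed scheme."""
    mac = hmac.new(SAMPLE_SECRET, f"{t}.".encode() + body, hashlib.sha256)
    return f"t={t},v1={mac.hexdigest()}"
```

Verify against the raw request bytes before any JSON parsing; re-serialising the body changes the bytes and breaks the MAC.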

[ STANDARDS ]

C2PA-shaped manifests

/api/v1/certificates/{id}/c2pa emits a C2PA manifest store with content-authorship and AI-tool assertions. EU AI Act compliance disclosure ready.

[ IDENTIFIERS ]

ISRC · UPC · ISWC bound

Industry identifiers are validated at upload and signed into the certificate body. Tampering breaks the signature. Sparse-indexed for fast lookup at any volume.

[ AUDIT ]

20-year audit pack retention

Session video, transcripts, model judge I/O and per-stage timing retained for 20 years. Forensic bundle available for any contested cert.

READY TO
PLUG IN?

Spin up a test key in 60 seconds. Talk to partnerships when you're ready for live volume or white-label.