Leibodex Developers | Submit SHA-256 hashes and check public records

Integration scope

Leibodex lets you submit SHA-256 hashes for timestamp recording and query whether a matching hash record appears in the public log. API outputs are technical records only. They do not verify identity, authorship, ownership, authenticity, legal validity, signer authority, admissibility, or chain of custody.

Public-data warning: submitted hashes and any associated metadata may be publicly visible and may be copied or mirrored by others.

Self-serve API-key issuance is not currently offered publicly. Any API-key or commercial access that Leibodex makes available is subject to the applicable terms.

Core API

POST /v1/stamps records a supplied SHA-256 hash and returns verification_url plus badge URLs.
GET /v1/verify/{hash} returns record status, timestamp, and log-validation metadata.
GET /v1/verify/{hash} also includes artifact_descriptor with canonical integration shape fields and descriptor_parity contract status.
Canonical verify URL format is always /verify/<hash> (not the raw API JSON endpoint).
Leibodex is hash-only: files/bundles stay client-side unless you publish them elsewhere.

Leibodex Integration Model

Leibodex is API-first and artifact-transparent.

Any system capable of computing a hash and making an HTTP request can integrate with Leibodex.

Most integrations require only:

Compute SHA-256.
POST /v1/stamps.
Store the returned verification link.

Automation Recipes

These are reference workflows using generic HTTP steps; no official connectors are required.

Zapier (Webhooks by Zapier)

Trigger: New file or app event in your existing Zap.
Action: Compute SHA-256 in a code step, then submit to Leibodex.
Store/share: Persist verification_url or hash in the destination app.
Optional verify: GET /v1/verify/{hash}.

curl -fsS -X POST "https://api.leibodex.com/v1/stamps" \
  -H "Content-Type: application/json" \
  -d '{"hash":"<sha256_hex>","title":"zapier event","creator_alias":"zapier","bundle_spec_version":"leibodex.provenance_bundle.v1"}'

GitHub

Trigger: Push, release, or artifact publication.
Action: Compute SHA-256 in CI and call Leibodex from a workflow step.
Store/share: Write verification_url into release notes or workflow artifacts.
Optional verify: GET /v1/verify/{hash}.

curl -fsS -X POST "https://api.leibodex.com/v1/stamps" \
  -H "Content-Type: application/json" \
  -d '{"hash":"<sha256_hex>","title":"github artifact","creator_alias":"github","bundle_spec_version":"leibodex.release_bundle.v1"}'

Google Drive

Trigger: New file in a Drive folder.
Action: Hash file bytes in your automation runtime and send stamp request.
Store/share: Save the returned /verify/<hash> URL in Drive metadata or a tracker sheet.
Optional verify: GET /v1/verify/{hash}.

curl -fsS -X POST "https://api.leibodex.com/v1/stamps" \
  -H "Content-Type: application/json" \
  -d '{"hash":"<sha256_hex>","title":"drive file","creator_alias":"drive","bundle_spec_version":"leibodex.provenance_bundle.v1"}'

Airtable

Trigger: Record created or attachment changed.
Action: Compute SHA-256 in an automation script and call Leibodex.
Store/share: Persist verification_url in a dedicated Airtable field.
Optional verify: GET /v1/verify/{hash}.

curl -fsS -X POST "https://api.leibodex.com/v1/stamps" \
  -H "Content-Type: application/json" \
  -d '{"hash":"<sha256_hex>","title":"airtable record","creator_alias":"airtable","bundle_spec_version":"leibodex.provenance_bundle.v1"}'

Slack

Trigger: File upload or workflow event in a channel.
Action: Hash content in your worker and submit stamp JSON.
Store/share: Post back the verification_url in-thread.
Optional verify: GET /v1/verify/{hash}.

curl -fsS -X POST "https://api.leibodex.com/v1/stamps" \
  -H "Content-Type: application/json" \
  -d '{"hash":"<sha256_hex>","title":"slack artifact","creator_alias":"slack","bundle_spec_version":"leibodex.provenance_bundle.v1"}'

Generic Webhook

Trigger: Any event emitter capable of HTTP callbacks.
Action: Send hash to POST /v1/stamps, then optionally consume exports as downstream distribution data.
Store/share: Keep stamp hash plus verification URL in your system of record.
Optional verify: GET /v1/verify/{hash}.

# (a) Submit to Leibodex
curl -fsS -X POST "https://api.leibodex.com/v1/stamps" \
  -H "Content-Type: application/json" \
  -d '{"hash":"<sha256_hex>","title":"webhook event","creator_alias":"webhook","bundle_spec_version":"leibodex.provenance_bundle.v1"}'

# (b) Consume distribution artifacts
curl -fsS "https://api.leibodex.com/v1/exports/latest"
curl -fsS "https://api.leibodex.com/v1/exports/records/<artifact_file>"
curl -fsS "https://api.leibodex.com/v1/witness/archive/gossip/gossip-latest.json"

Exports as a Distribution Surface

GET /v1/exports/latest and /v1/exports/records/* provide a signed, mirror-friendly distribution stream.

Integrators can rebuild state deterministically from published artifacts, verify checkpoints and proofs offline, and archive exports independently of live API polling.

Operationally, this means deployment and monitoring tools can consume a stable artifact feed via /v1/exports/* and /v1/witness/{artifact_path:path}.

Mirrors bootstrap from exports and keep forward-only state.
Auditors verify exported artifacts without relying on runtime query patterns.
Observers can retain signed snapshots for long-horizon provenance checks.

Bundles

Leibodex Capture Bundle v1 (bundle_spec: leibodex.capture_bundle.v1)
Leibodex Provenance Bundle v1 (bundle_spec: leibodex.provenance_bundle.v1)
Determinism: browser bundles are best-effort deterministic; CLI bundle tooling is strict deterministic.

Signed Bundle Mode (Optional)

Signed Bundle Mode v1 defines optional signatures[] metadata and WebAuthn assertion attachment shape.
Leibodex records signature-related metadata presence at stamp time; Leibodex does not determine identity, attribution, legal intent, or enforceability.
Verify UI may show: Signatures: N, signature hashes, fingerprint/public-key presence, and WebAuthn metadata.

Stamp Artifact Descriptor (Canonical Shape)

{
  "hash": "sha256-of-zip-or-file",
  "bundle_spec": "leibodex.provenance_bundle.v1",
  "created_at_utc": "2026-03-01T00:00:00Z",
  "internal_file_count": 12,
  "metadata": {
    "title": "release artifact",
    "description": "optional",
    "creator_alias": "github",
    "bundle_type": "release"
  },
  "signatures": []
}

Client/integration shape above is canonical for tooling consistency.
Map verify API fields deterministically: hash => hash, created_at => created_at_utc, metadata.bundle_spec_version => bundle_spec, metadata.internal_file_count => internal_file_count, metadata.signatures => signatures.
The verify page includes a canonical descriptor parity section so operators can compare mapping output against live verify payload fields.

GitHub Action (Quickstart)

First-party action path: .github/actions/leibodex-stamp
Example release workflow: .github/workflows/leibodex-stamp-release.yml
Frozen naming policy: action default bundle_spec is leibodex.provenance_bundle.v1; release workflow override is leibodex.release_bundle.v1.
signed_statement_file is optional metadata attachment for statement text; it does not provide identity verification.

name: leibodex-stamp
on: [workflow_dispatch]
jobs:
  stamp:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/leibodex-stamp
        with:
          artifact_path: .tmp/release
          title: github release artifact
          creator_alias: github
          bundle_spec: leibodex.release_bundle.v1
          signed_statement_file: .tmp/release/release-statement.txt

Google Sheets (Apps Script)

function stampRow(hash, title, creator) {
  // Hash must be precomputed locally and pasted into the sheet.
  var payload = {
    hash: hash,
    title: title || "sheet record",
    creator_alias: creator || "sheets",
    bundle_spec_version: "leibodex.provenance_bundle.v1"
  };
  var resp = UrlFetchApp.fetch("https://api.leibodex.com/v1/stamps", {
    method: "post",
    contentType: "application/json",
    payload: JSON.stringify(payload),
    muteHttpExceptions: false
  });
  var body = JSON.parse(resp.getContentText());
  return body.verification_url;
}

Zapier / IFTTT Flow (Reference Pattern)

Trigger from your existing system (new file/release/event).
Compute SHA-256 in your trusted environment.
Call POST /v1/stamps and persist verification_url (/verify/<hash>) in your destination system.

CLI

Local CLI command namespace: ldx.
See public documentation in Specifications and Operational Principles.
Local smoke helper: scripts/smoke_stamp_artifact.sh (hash + stamp + verification URL output).
GitHub Action local smoke helper: scripts/smoke_leibodex_stamp_action.sh (mock endpoint + payload/output assertions).