Provenance · Ed25519 · Checked in your browser
Verify a response
Every API response MorScan serves is signed. This page takes one live response and walks through the check, step by step, in front of you. The math runs in your own browser: MorScan's server is not part of the verdict.
Pick what to verify
Free endpoints like /mor/v1/price and /version need no key.
Metered endpoints answer 402 without one; paste their body here instead,
or use an API key.
The check, live
-
We fetched this API response from morscan.io
-
The response came with a signature
-
We fetched MorScan's published public key
-
Your browser is checking the math right now
-
Verdict
Notice what you did not have to do: trust MorScan. The response is public, the signature came with it, the public key is published for anyone to fetch, and your own browser did the checking. If MorScan ever altered a served number after signing it, this exact check is what would catch it.
What was verified
morscan/cache
at the moment it was served. The signature covers a canonical form of the receipt:
its id, action, timestamp, and the SHA-256 hashes of the request and the response
body. One changed byte anywhere under those hashes and the signature stops verifying.
Who signed it
morscan/cache for indexed
on-chain data and morscan/signer for service-level attestations. Both
public keys, with their full rotation history and validity windows, are published at
/.well-known/morscan-keys.json. The
operator behind those keys is DRM3 Labs, whose signing-key lineage across all its
services lives in the public registry at
drm3.io/signers.
What it means
npm run verify:receipt in the
public repo.
Machine-readable build identity stays at /version, and the
full receipt design is documented in the repo's provenance docs.