← Back to explorer

Provenance · Ed25519 · Checked in your browser

Verify a response

Every API response MorScan serves is signed. This page takes one live response and walks through the check, step by step, in front of you. The math runs in your own browser: MorScan's server is not part of the verdict.

Pick what to verify

Free endpoints like /mor/v1/price and /version need no key. Metered endpoints answer 402 without one; paste their body here instead, or use an API key.

The check, live

  1. We fetched this API response from morscan.io
  2. The response came with a signature
  3. We fetched MorScan's published public key
  4. Your browser is checking the math right now
  5. Verdict

Notice what you did not have to do: trust MorScan. The response is public, the signature came with it, the public key is published for anyone to fetch, and your own browser did the checking. If MorScan ever altered a served number after signing it, this exact check is what would catch it.

What was verified

The exact response above was signed by the key morscan/cache at the moment it was served. The signature covers a canonical form of the receipt: its id, action, timestamp, and the SHA-256 hashes of the request and the response body. One changed byte anywhere under those hashes and the signature stops verifying.

Who signed it

MorScan derives two Ed25519 signing keys: morscan/cache for indexed on-chain data and morscan/signer for service-level attestations. Both public keys, with their full rotation history and validity windows, are published at /.well-known/morscan-keys.json. The operator behind those keys is DRM3 Labs, whose signing-key lineage across all its services lives in the public registry at drm3.io/signers.

What it means

You do not have to take MorScan's word for its numbers. Every response carries the evidence with it, the keys are public, and the check is pure math that anyone can run: this page in a browser, or the same ~50-line verifier from the command line: npm run verify:receipt in the public repo. Machine-readable build identity stays at /version, and the full receipt design is documented in the repo's provenance docs.