Quick Start — Sign and Verify Content
Get started signing content with Verimago in under 10 minutes. This guide covers account setup, signing your first video, and verifying the credential.
> Note: Verimago's primary value is capture-time attestation — signing content at the moment of recording using your phone's hardware security. The camera app handles this automatically. The API below is for programmatic signing workflows.
Prerequisites
- A Verimago account (sign up at Creators)
- Your login credentials
Option A: Camera App (Recommended)
The fastest way to create hardware-attested content credentials:
No additional steps needed. The hardware attestation proves the content was captured on a real, unmodified device.
Option B: API Signing
For programmatic workflows and CMS integration.
Step 1: Get a bearer credential (pick one)
A — Publisher Portal (easiest)
Sign in at publisher.verimago.io (production) or your staging publisher URL. After login, open API Keys (/keys) and click + New Key. Copy the key once — it is only shown at creation time. That string is the same kind of token the API calls raw (it starts with vmgo_).
Log in, then mint a long-lived key (requires a verified account with a publisher certificate; SMS MFA must be completed first if enabled on the account).
curl -X POST https://api.verimago.io/v1/auth/login \
-H "Content-Type: application/json" \
-d '{"username": "you@example.com", "password": "your-password"}'
Save the returned token (also vmgo_…). Use it as Authorization: Bearer <token> until you create a dedicated key below.
Generate a persistent API key (API)
curl -X POST https://api.verimago.io/v1/keys \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{"name": "Production"}'
Response 201 includes raw — that is the secret. Save raw immediately; the server never returns the full key again. Pass raw to @verimago/sdk as apiKey, or send it as the bearer token in the Authorization header.
Step 2: Sign content
Verimago never touches your file. You send the SHA-384 hash (96 hex characters) plus metadata:
# Hash your file locally
shasum -a 384 my-video.mp4
# Submit for signing
curl -X POST https://api.verimago.io/v1/sign \
-H "Authorization: Bearer vmgo_..." \
-H "Content-Type: application/json" \
-d '{
"contentHash": "<96-char SHA-384 hex>",
"headline": "Field report from downtown",
"recordedAt": "2026-03-28T14:30:00Z",
"contentType": "AUTHENTIC",
"captureMode": "VIDEO"
}'
Response includes a verifyUrl — a public link anyone can use to check the credential.
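The same Step 2 flow as a script, added here as an illustration and not taken from Verimago's SDK or documentation: it streams the file through SHA-384, checks contentType against the values this page lists, and prepares the POST without sending it. The function names and the VERIMAGO_API_KEY environment variable are assumptions; the sample file is constructed.

```python
import hashlib
import json
import os
import tempfile
import urllib.request

SIGN_URL = "https://api.verimago.io/v1/sign"  # endpoint from Step 2
CONTENT_TYPES = {"AUTHENTIC", "AI_ENHANCED", "AI_GENERATED"}  # Content types table

def sha384_hex(path, chunk_size=1 << 20):
    """Stream the file through SHA-384 so a large video never sits in memory."""
    digest = hashlib.sha384()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()  # 384 bits -> 96 hex characters

def build_sign_payload(path, headline, recorded_at, content_type, capture_mode="VIDEO"):
    """Build the Step 2 JSON body; only the digest and metadata leave the machine."""
    if content_type not in CONTENT_TYPES:
        raise ValueError(f"unknown contentType: {content_type!r}")
    return {
        "contentHash": sha384_hex(path),
        "headline": headline,
        "recordedAt": recorded_at,
        "contentType": content_type,
        "captureMode": capture_mode,
    }

def build_sign_request(payload, api_key=None):
    """Prepare, but do not send, the POST so the key stays out of argv and history."""
    api_key = api_key or os.environ.get("VERIMAGO_API_KEY", "")  # assumed variable name
    if not api_key.startswith("vmgo_"):
        raise ValueError("expected an API key starting with vmgo_")
    return urllib.request.Request(
        SIGN_URL,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
        method="POST",
    )

if __name__ == "__main__":
    # Constructed sample file standing in for my-video.mp4.
    with tempfile.NamedTemporaryFile(suffix=".mp4", delete=False) as tmp:
        tmp.write(b"constructed sample bytes, not a real video")
    body = build_sign_payload(tmp.name, "Field report from downtown",
                              "2026-03-28T14:30:00Z", "AUTHENTIC")
    os.unlink(tmp.name)
    print(json.dumps(body, indent=2))
```

To send the request, pass the returned object to urllib.request.urlopen and read verifyUrl from the JSON response.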
Step 3: Verify
Anyone can verify — no account required:
curl 'https://api.verimago.io/v1/verify/sha384:…'
Or visit the verification URL in any browser.
Content types
| Value | Shield | Use when |
|---|---|---|
| AUTHENTIC | Green | Raw footage — no AI processing or manipulation |
| AI_ENHANCED | Purple | AI-assisted editing (noise reduction, upscaling, color correction) |
| AI_GENERATED | Amber | AI-generated content (synthetic, composited) |
How capture-time attestation differs from API signing
| | Camera App | API Signing |
|---|---|---|
| Attestation | Hardware-rooted (Secure Enclave / StrongBox + App Attest / Play Integrity) | Session-based (authenticated user) |
| Trust level | Proves content came from a real, unmodified device | Proves content was signed by an authenticated account |
| Best for | Field capture, breaking news, on-the-ground reporting | CMS integration, bulk signing, editorial workflows |
Both produce C2PA-compliant Content Credentials. The camera app provides stronger attestation because it's hardware-rooted.
Next steps
- API Reference — full endpoint documentation
- Shield System — understand green, purple, amber, and grey shields
- Verification Guide — how verification works under the hood