Skip to Content
Quickstart

Quickstart

Five minutes from a fresh account to an Artifact you can verify by fingerprint. You’ll need an enterprise-tier organization to mint API keys.

Mint an API key

In the web app, head to Settings → API keys and create a key, or call the endpoint directly with your Monolith JWT (the caller must be the owner of the target organization):

curl -X POST https://api.joinmonolith.com/api/v1/api-keys \ -H "Authorization: Bearer $JWT" \ -H "Content-Type: application/json" \ -d '{ "organizationId": "YOUR_ORG_UUID", "name": "my-cli-key" }'

The response includes a token of the form monolith_<22 base62 chars>. Save it now — it cannot be retrieved later.

{ "id": "550e8400-e29b-41d4-a716-446655440000", "name": "my-cli-key", "token": "monolith_AbCdEfGhIjKlMnOpQrStUvwx12", "prefix": "monolith_AbCdEfGh", "last4": "wx12", "createdAt": "2026-05-03T17:00:00Z" }

From here on, use the monolith_… token as your bearer credential.

Pick a Mark

List the Marks you can write to:

curl https://api.joinmonolith.com/api/v1/marks \ -H "Authorization: Bearer monolith_AbCd…wx12"

Note the id of the Mark you want this Artifact to live under.

Compute a fingerprint

Locally, hash the file’s bytes with SHA-256 and prefix 0x:

printf '0x%s\n' "$(shasum -a 256 my-art.png | cut -d' ' -f1)"

Create an Artifact

Send JSON to keep the asset on your machine, or multipart/form-data with a file part to also hand over the bytes:

curl -X POST https://api.joinmonolith.com/api/v1/artifacts \ -H "Authorization: Bearer monolith_AbCd…wx12" \ -H "Content-Type: application/json" \ -d '{ "markId": "MARK_UUID_FROM_STEP_2", "fingerprint": "0xabcdef…", "filename": "my-art.png", "mediaType": "image/png", "size": 248390 }'

Either way the Artifact is signed against fingerprint. Attaching the file only lets the published C2PA manifest report carry a validation_state of "Valid" — the bytes are used for that read-back and never stored. If the upload’s SHA-256 doesn’t equal fingerprint, the call is a 400. See Attaching the asset.

Response: an Artifact in pending status (the mark field on the returned object is the Mark it lives under). The blockchain submission runs asynchronously; poll the next step or the per-Mark Artifact list to watch it move to submitted.

Verify by fingerprint

Anyone (with any valid bearer token) can ask Monolith who minted a fingerprint:

curl https://api.joinmonolith.com/api/v1/artifacts/0xabcdef… \ -H "Authorization: Bearer monolith_AbCd…wx12"

The response confirms the binding: mark, metadata, transactionHash, c2paAssets (including manifestUrl), and — if the Mark is public — createdBy.

API keys are organization-equivalent credentials. They can manage sibling keys for the same organization via the /api/v1/api-keys endpoints (the body or query organizationId must match their own). Treat them like passwords; revoke any key you suspect has leaked from the web app or via DELETE /api/v1/api-keys/{keyId}?organizationId=….

Next steps

Last updated on