enterprise-strict-v1

The strictest preset recipe for enterprise tenants. Requires customer-held private keys (BYOK), 10-year retention, four-way anchoring, and admin approval for signing operations.

Recipe configuration

id: enterprise-strict-v1
version: 1
media_type: image
description: "Enterprise strict — BYOK, four-way anchoring, signer pinning with admin approval"
c2pa:
  enabled: true
  assertions:
    [
      ai_generated,
      generator,
      model,
      prompt_hash,
      created_at,
      editor,
      published,
      exif,
    ]
  kms_mode: byok
watermark:
  enabled: true
  engine: trustmark
  payload:
    type: manifest_pointer
    encoding: full
anchoring:
  enabled: true
  methods: [opentimestamps, bitcoin, arbitrum, byoc]
retention:
  manifest_days: 3650
  original_asset_days: 3650
  derived_asset_days: 3650
verification:
  minimum_confidence: 0.99
  ambiguous_match_behavior: manual_review
signer_pinning:
  key_alias: customer-key
  requires_admin_approval: true

Sign (enterprise)

curl -X POST https://api.verbitas.io/v1/sign \
  -H "Authorization: Bearer vb_prod_YOUR_KEY_HERE" \
  -F "[email protected]" \
  -F "recipe=enterprise-strict-v1" \
  -F 'metadata={"generator":"internal-system","model":"v3.0"}' \
  | jq .

Key features

BYOK — customer holds the private key; Verbitas never has access to key material
Four-way anchoring — OTS, Bitcoin, Arbitrum One, and customer-supplied chain
10-year retention — manifests and original assets retained for 3650 days
Signer pinning — operations require admin approval via key_alias: customer-key
Full watermark payload — complete manifest pointer encoding (not compact)

Multi-modality

media_type: image is the base. Derive per-modality custom recipes using:

{
  "id": "enterprise-strict-audio-v1",
  "extends": "enterprise-strict-v1@1",
  "media_type": "audio",
  "watermark": { "engine": "audioseal" }
}

Requirements

Enterprise plan
BYOK key configured via the tenant admin API
Admin approval workflow configured