
What's New

Released June 14, 2026

Certivu now signs and verifies images, audio, and text — a major platform expansion beyond images only.

POST /v1/sign now accepts any content type. The format is auto-detected from magic bytes or can be specified explicitly via the format field ("image", "audio", "text"). The signed content is returned with a format-appropriate provenance token and a resilient watermark embedded.

Format | Accepted files        | Token container                              | Resilient watermark
Image  | JPEG, PNG, WebP       | XMP metadata                                 | DCT spread-spectrum
Audio  | MP3, FLAC, WAV        | ID3v2 TXXX / VORBIS_COMMENT / CTV RIFF chunk | DCT frame watermark (WAV)
Text   | PDF, HTML, plain text | PDF XMP / HTML <meta>                        | zero-width character (ZWC) steganography (plain text)

Generators now declare supported_formats — a required array of one or more formats the generator is allowed to sign. Signing with an unlisted format returns 400 format_not_supported.

The verification response now includes a format field indicating the detected or applied content format. The token extraction pipeline is fully format-aware — it probes the right container for each format rather than assuming XMP.

  • JS SDK: sign() accepts an optional format parameter; response includes signedContent and format.
  • Python SDK: sign() and async_sign() accept format=; SignResult has signed_content and format.
  • CLI: certivu sign accepts --format <image|audio|text>, auto-inferred from file extension if omitted.
  • Generator wizard now requires selecting supported formats (image / audio / text) during registration.
  • Generator list shows format badges per generator.

Released June 14, 2026

A new Help & Support page is now available in the dashboard. You can:

  • Submit a support ticket — choose a category (Billing, Technical, Account, Other), describe your issue, and submit. You’ll receive a confirmation email with your ticket ID from [email protected].
  • Track your tickets — see all open and resolved tickets for your org, with status updates in real time.
  • Browse resources — quick links to the Quickstart Guide, API Reference, Webhooks Guide, and SDK documentation.

You can also email us directly at [email protected] at any time.


Released June 13, 2026

  • Admin authentication hardened — admin secret comparison now uses timingSafeEqual to prevent timing side-channel attacks. Admin JWTs are now signed with a dedicated ADMIN_JWT_SECRET, independently rotatable from user session tokens.
  • Cryptographically secure 2FA OTPs — OTP generation replaced Math.random() with crypto.randomInt (CSPRNG-backed).
  • 2FA fail-open closed — a Redis failure during login previously issued a JWT silently, bypassing 2FA entirely. It now returns a 503 and issues no token until OTP storage succeeds.
  • Upload size limits — a 20 MB cap is now enforced on sign uploads, single-image verify, and each item in batch verify (returns 413).
  • Webhook SSRF protection — webhook URL registration now rejects RFC 1918, loopback, link-local, and CGNAT addresses and accepts https: URLs only.
  • Analytics authorization fix — per-record analytics ownership was incorrectly verified; it now confirms the record’s generator belongs to the requesting org via a database join.
  • Stripe webhook deduplication — duplicate Stripe event delivery is now idempotent via a Redis dedup key (72-hour TTL), preventing double-billing on Stripe’s at-least-once delivery guarantee.
  • Watermark detection fixed for images larger than 1024px — the embed and extract paths were operating at different resolutions (embed at native size, extract capped at 1024px via Sharp resize). Sharp’s resampling was destroying DCT coefficients, so extracted watermark IDs never matched. Both paths now operate at native resolution.
  • Quota enforcement made atomic — the free-tier quota check-and-increment was a non-atomic read-then-write pair, raceable under concurrent signing. It is now a single conditional findOneAndUpdate.
  • Atomic registration and invite acceptance — user registration (org + user create) and invite acceptance (user create + invite update) are now wrapped in MongoDB transactions, eliminating orphaned documents on partial failure.

Five methods covering the v1.4.0 analytics and webhooks API surface were missing from both SDKs and are now available:

  • getAnalyticsOverview(days?) — fetch verification analytics summary
  • getRecordAnalytics(recordId) — per-record drill-down (Growth+)
  • listWebhooks() — list registered webhook endpoints
  • createWebhook(url, events) — register a new endpoint (Growth+)
  • deleteWebhook(webhookId) — remove an endpoint

Web → dashboard login now works correctly. Logging in from certivu.ai and being redirected to dashboard.certivu.ai previously resulted in a broken session because the two domains are separate origins with isolated browser storage. The session is now passed in the URL hash fragment, which the browser never sends to the server, and hydrated by the dashboard on load.

Released June 11, 2026

Every verification is now logged and surfaced as actionable data. The new Analytics page in the dashboard shows daily verification trends, authentic vs. tamper rates, and your top records by verification volume.

  • Free: 7-day window
  • Starter: 30-day window + tamper alert emails
  • Growth/Scale/Enterprise: 90-day window + per-record drill-down + webhook events

New endpoints: GET /v1/analytics/overview, GET /v1/analytics/records/:id

Subscribe any HTTPS endpoint to Certivu events. Available on Growth+ plans.

Six event types: record.created, verify.attempted, verify.tamper_detected, quota.warning, quota.limit, generator.revoked.

Payloads are signed with HMAC-SHA256 and delivered with an X-Certivu-Signature: t=<ts>,v1=<sig> header; the t timestamp gives receivers a 5-minute replay-protection window, so deliveries whose timestamp is older than that should be rejected. Endpoints auto-disable after 5 consecutive failed deliveries. The delivery log is retained for 30 days, with per-delivery retry.

New endpoints: GET/POST /v1/webhooks, PATCH/DELETE /v1/webhooks/:id, GET /v1/webhooks/:id/deliveries, POST /v1/webhooks/:id/deliveries/:id/retry

Starter+ orgs receive a monthly summary on the 1st of each month: signing activity, verification count, tamper events, quota bar, and upgrade CTA at ≥80% usage.

Internal ops panel at /admin for the Certivu team. Platform stats (org/user/record counts, estimated MRR), org search and management, plan override, quota reset, and GDPR delete. Separate auth via ADMIN_SECRET environment variable.


Released June 10, 2026

Previously the SDK required you to hold an ML-DSA private key locally, compute signatures, and manually embed watermarks. As of v1.3.1, the API handles the entire pipeline — you POST an image and get back a watermarked, signed image ready to distribute.

Before (≤ v1.3.0):

const certivu = new CertivuClient({
apiKey: 'ctv_key_...',
generatorId: 'gen_...',
privateKey: process.env.CERTIVU_PRIVATE_KEY, // you managed this
})
const { token } = await certivu.sign({ content: imageBuffer, model: 'sdxl' })
// image was unchanged — watermarking was your responsibility

Now (v1.3.1+):

const certivu = new CertivuClient({
apiKey: 'ctv_key_...',
generatorId: 'gen_...',
})
const { token, watermarkedContent } = await certivu.sign({ content: imageBuffer, model: 'sdxl' })
// watermarkedContent is the signed, DCT-watermarked image — use this one

The returned image has the ctv_ token in XMP metadata and the watermark embedded in the frequency domain. Verification returns high confidence when both signals survive.

POST /v1/sign
Content-Type: multipart/form-data
Authorization: Bearer ctv_key_...

Fields: image (file), model (string), generator_id (string).

Response: binary image bytes with headers:

  • Content-Type: image/jpeg | image/png | image/webp
  • X-Certivu-Token: ctv_...
  • X-Certivu-Record-Id: rec-uuid

The old POST /v1/records endpoint is preserved for backward compatibility with client-managed-keypair generators.

When registering a generator, no public key is required. Certivu generates and stores the keypair server-side — the private key is encrypted at rest (AES-256-GCM) and never returned to clients.

What changed              | Old                                      | New
SDK CertivuClient config  | privateKey required for signing          | No privateKey; the key lives on the server
sign() return value       | { token, record_id }                     | { token, record_id, watermarkedContent: Uint8Array }
Python CertivuClient      | private_key param                        | Removed
CLI certivu sign          | --private-key flag                       | Removed; add --output to set the output path
Python install            | pip install certivu[signing] for signing | pip install certivu is sufficient

Released June 10, 2026

The ctv_ token is now embedded natively in all three major image formats. Previously, all signed images were converted to JPEG. Starting with v1.3.0, the pipeline preserves the original format:

Format | Token storage              | Watermark
JPEG   | APP1 XMP segment           | DCT spread spectrum
PNG    | tEXt chunk (certivu:token) | DCT spread spectrum
WebP   | XMP RIFF chunk             | DCT spread spectrum

No format conversion means lossless images stay lossless. Extraction and verification are fully format-aware — no changes needed on the verify side.

The DCT watermark algorithm has been upgraded from single-coefficient QIM to spread spectrum: each bit is now embedded into 4 independent mid-frequency DCT coefficients per 8×8 block rather than one. That gives 4× the signal redundancy per block, and the votes from every block carrying the same bit are combined by majority voting at extraction time.

Practical result: watermarks now survive JPEG recompression down to quality Q=60 (the social-media worst case), compared with the previous floor of Q=75.

Note: Images signed with v1.2.x and earlier used the old single-coefficient algorithm. Their DCT watermarks will not decode with the new extractor. The XMP token fast path is unaffected — this only impacts images where XMP was stripped (e.g. heavily transformed social media uploads without the token).
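The mechanism described above, as an added example that is not Certivu's implementation: QIM on four mid-frequency coefficients of every 8×8 DCT block, each block carrying one payload bit, and a majority vote over all votes for that bit at extraction. It runs on a constructed 64×64 grayscale gradient and then on the same image with deterministic ±6 noise added to every pixel, standing in for recompression error. The step size, the four coefficient positions, the block-to-bit assignment and the 16-bit payload are all assumptions made for this example; the real algorithm's parameters are not on this page.

```javascript
// Added example, not Certivu's implementation: spread-spectrum QIM in the
// DCT domain with majority voting, run on a constructed 64x64 grayscale
// image. DELTA, POSITIONS and the block-to-bit assignment are assumptions.
const N = 8;
const DELTA = 32;                                   // QIM step: larger survives more noise, costs fidelity
const POSITIONS = [[1, 2], [2, 1], [2, 2], [1, 3]]; // four mid-frequency coefficients per block

// Orthonormal DCT-II basis: COS[u][x] = alpha(u) * sqrt(2/N) * cos((2x+1)u*pi/2N)
const COS = Array.from({ length: N }, (_, u) =>
  Array.from({ length: N }, (_, x) =>
    (u === 0 ? Math.SQRT1_2 : 1) * Math.sqrt(2 / N) * Math.cos(((2 * x + 1) * u * Math.PI) / (2 * N))));

// 2-D DCT of an 8x8 block (forward), or its inverse when `inverse` is true.
function transform(block, inverse) {
  const out = Array.from({ length: N }, () => new Array(N).fill(0));
  for (let a = 0; a < N; a++) for (let b = 0; b < N; b++) {
    let s = 0;
    for (let c = 0; c < N; c++) for (let d = 0; d < N; d++) {
      s += (inverse ? COS[c][a] * COS[d][b] : COS[a][c] * COS[b][d]) * block[c][d];
    }
    out[a][b] = s;
  }
  return out;
}

const readBlock = (px, w, bx, by) =>
  Array.from({ length: N }, (_, x) => Array.from({ length: N }, (_, y) => px[(by * N + x) * w + bx * N + y]));

// QIM: bit 0 snaps the coefficient to a multiple of DELTA, bit 1 to a multiple
// offset by DELTA/2; decoding picks whichever lattice is nearer.
const qimEmbed = (c, bit) => DELTA * Math.round((c - (bit * DELTA) / 2) / DELTA) + (bit * DELTA) / 2;
const qimDecode = (c) => { const f = (((c / DELTA) % 1) + 1) % 1; return f > 0.25 && f < 0.75 ? 1 : 0; };

// Block i carries payload bit i mod n, written into all four positions.
function embedWatermark(px, w, h, bits) {
  const out = Uint8ClampedArray.from(px);
  let i = 0;
  for (let by = 0; by < Math.floor(h / N); by++) for (let bx = 0; bx < Math.floor(w / N); bx++, i++) {
    const F = transform(readBlock(out, w, bx, by), false);
    for (const [u, v] of POSITIONS) F[u][v] = qimEmbed(F[u][v], bits[i % bits.length]);
    const f = transform(F, true);
    for (let x = 0; x < N; x++) for (let y = 0; y < N; y++) out[(by * N + x) * w + bx * N + y] = Math.round(f[x][y]);
  }
  return out;
}

// Every coefficient votes +1/-1 for its bit; the sign of the total decides.
// Must run at the resolution the mark was embedded at (see the June 13 fix).
function extractWatermark(px, w, h, nbits) {
  const votes = new Array(nbits).fill(0);
  let i = 0;
  for (let by = 0; by < Math.floor(h / N); by++) for (let bx = 0; bx < Math.floor(w / N); bx++, i++) {
    const F = transform(readBlock(px, w, bx, by), false);
    for (const [u, v] of POSITIONS) votes[i % nbits] += qimDecode(F[u][v]) ? 1 : -1;
  }
  return votes.map((v) => (v > 0 ? 1 : 0));
}

const idToBits = (id, n) => Array.from({ length: n }, (_, k) => (id >> (n - 1 - k)) & 1);
const bitsToId = (bits) => bits.reduce((acc, b) => (acc << 1) | b, 0);

// Deterministic uniform noise in [-amp, amp] (seeded LCG), standing in for
// recompression or resampling error.
function addNoise(px, amp, seed = 1) {
  let s = seed >>> 0;
  return Uint8ClampedArray.from(px, (p) => {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    return p + ((s >>> 16) % (2 * amp + 1)) - amp;
  });
}

// Constructed test image: a smooth gradient, so nothing clips at 0 or 255.
function sampleImage(w, h) {
  return Uint8ClampedArray.from({ length: w * h }, (_, i) => 60 + Math.round(Math.floor(i / w) * 1.2 + (i % w) * 0.9));
}
```

With a 64×64 image and a 16-bit payload, each bit collects 16 votes (4 blocks × 4 coefficients). A single coefficient would be decoded wrongly whenever its noise exceeds DELTA/4, which happens a few percent of the time at this noise level; the majority over 16 votes brings the per-bit failure rate down by several orders of magnitude, which is the redundancy the release note describes.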

Generator SDKs can now submit a 64-bit perceptual hash alongside signed records. At verification time, if no watermark or XMP token is found, Certivu performs a fuzzy pHash lookup across recent records using Hamming distance (threshold ≤ 10 bits).

This enables provenance recovery for images where watermarks have been destroyed by aggressive transformations — resizing, heavy recompression, format conversion — that the DCT watermark does not survive.

The phash field is optional in POST /v1/records. If not submitted, the pHash lookup path is skipped. See the sign API reference for the field format.

New fields in VerificationResult:

  • signals.phash_match: boolean — true when the record was located via pHash
  • token_source: "phash" — when pHash was the resolution path
  • c2pa?: { found, validation_status, assertions } — C2PA manifest signals if present
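The fallback lookup described above, as an added example that is not Certivu's implementation: Hamming distance between two 64-bit hashes is the popcount of their XOR, the nearest stored record wins if it is within 10 bits, and the result is reported through the phash_match and token_source fields listed above. The record shape (record_id, phash as 16 hex characters, optional signed_at), the "recent records" cut-off and the decision to return nothing when two records tie are assumptions made for this example; the real threshold is the one the release note gives.

```javascript
// Added example, not Certivu's implementation: fuzzy lookup of a 64-bit
// perceptual hash against stored records by Hamming distance. Record shape,
// the notBefore cut-off and the tie rule are assumptions for this example.
const PHASH_MAX_DISTANCE = 10; // threshold from the release note

// Hashes are 16 hex characters (64 bits); returns the number of differing bits.
function hammingDistance(hexA, hexB) {
  if (!/^[0-9a-f]{16}$/i.test(hexA) || !/^[0-9a-f]{16}$/i.test(hexB)) {
    throw new TypeError('pHash must be 16 hex characters');
  }
  let x = BigInt('0x' + hexA) ^ BigInt('0x' + hexB);
  let count = 0;
  while (x) { x &= x - 1n; count++; } // Kernighan popcount: one iteration per set bit
  return count;
}

// records: [{ record_id, phash?, signed_at? }]. Returns the closest record
// within the threshold, or null when nothing qualifies or two records tie at
// the best distance (an ambiguous match is reported as no match).
function lookupByPhash(queryHash, records, { maxDistance = PHASH_MAX_DISTANCE, notBefore = null } = {}) {
  let best = null, bestDist = Infinity, tie = false;
  for (const r of records) {
    if (!r.phash) continue;                                      // phash is optional on records
    if (notBefore && r.signed_at && r.signed_at < notBefore) continue; // ISO-8601 strings compare lexically
    const d = hammingDistance(queryHash, r.phash);
    if (d < bestDist) { best = r; bestDist = d; tie = false; }
    else if (d === bestDist) tie = true;
  }
  if (!best || bestDist > maxDistance || tie) return null;
  return { record_id: best.record_id, distance: bestDist, token_source: 'phash', signals: { phash_match: true } };
}
```

A linear scan is fine for illustration; at scale the usual approach is to split the 64 bits into several chunks and index each chunk exactly, since any two hashes within 10 bits must agree exactly on at least one of four 16-bit chunks.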

Certivu now reads C2PA manifests on every verification call. If an uploaded image contains a C2PA manifest, its assertions and validation status are surfaced in the c2pa field of the verification response — alongside Certivu’s own cryptographic verification.

Every signed record also exposes a C2PA-compatible manifest export:

GET /v1/records/:record_id/c2pa

Returns a structured JSON manifest with c2pa.actions, certivu.provenance, and c2pa.hash.data assertions. This is a compatibility export for integration with C2PA-aware platforms and tooling, not a fully-signed C2PA manifest (which requires a certificate chain outside Certivu’s scope).

Positioning: C2PA compatible + ML-DSA quantum-resistant — Certivu reads and speaks C2PA while adding post-quantum cryptographic guarantees that C2PA’s PKI-based signing does not provide.


Released June 10, 2026

Org owners can now invite teammates by email directly from the dashboard. Invites use 7-day time-limited links — recipients click the link, set a password, and are immediately joined to the org with the assigned role.

Three roles with clear permission boundaries:

Role  | Access
Owner | Everything — members, billing, generators, settings
Admin | Invite members, manage generators and API keys (Growth+ plans)
User  | Read-only — audit log and usage

Admin role is available on Growth and above. All plans include the Owner role.

Each team member can generate their own personal API key from Settings → Personal API Keys. Keys are tied to the individual — audit log entries show the member’s email, not just the org. Keys are shown once on creation and can be revoked at any time.

Plan       | Members   | Admin role
Free       | 1 (solo)  | No
Starter    | Up to 5   | No
Growth     | Up to 15  | Yes
Scale      | Up to 50  | Yes
Enterprise | Unlimited | Yes

See the Team guide and Team API reference for full details.


Released June 7, 2026

Significant speed improvements across the signing and verification pipeline. Verification is faster under load, signing throughput is higher, and content hashing is more efficient.

A native Python client is now available.

pip install certivu

Supports both sync and async usage. Full parity with the TypeScript SDK — sign, verify, batch verify, audit log.

from certivu import CertivuClient
client = CertivuClient(api_key="ctv_key_...")
result = client.verify(content=image_bytes)
print(result.confidence) # "high"

See the Python SDK guide for the full reference.

A standalone command-line tool for signing and verifying content directly from your terminal.

# Install
npm install -g @certivu/cli
# Sign a file
certivu sign ./image.jpg --model stable-diffusion-xl
# Verify a file
certivu verify ./image.jpg
# Check account and quota status
certivu status

Works on macOS, Linux, and Windows. See the CLI guide for full usage.

A live Swagger UI is available at api.certivu.ai/docs — browse all 28 endpoints, inspect schemas, and make test requests directly from the browser.

An OpenAPI 3.1 spec is also available at GET /openapi.json for client generation and integration testing.

A new getTokenStatus() method lets you look up the status of any ctv_ token without uploading content.

const status = await certivu.getTokenStatus("ctv_7f3kx9mq2...")
// { valid: true, revoked: false, signed_at: "...", org: "Acme AI" }

Login now requires a 6-digit verification code sent to your email after credentials are confirmed. Applies to both the dashboard and the web login page.

The dashboard and marketing site have been refreshed with the Warm Dusk design system — consistent type scale, amber accent tokens, and improved contrast throughout.


Released June 3, 2026

Certivu is live.

Quantum-resistant provenance infrastructure for AI-generated content — sign with ML-DSA, verify anywhere, free forever.