DEVELOPERS

Integrate independently verifiable AI governance

GAFAIG provides a verification-first trust surface for AI governance. Developers can fetch certified public records, inspect signed proof, and independently validate payload integrity using GAFAIG’s verification endpoint and public key.

The SDK is the canonical integration surface for GAFAIG trust signals. Badges, widgets, and verification modals are render layers over the public verification endpoint. Internal governance records remain private; external systems validate only the certified outcome, canonical messageString, signature, and public key.

Open Verify Browse Registry View Widget Preview Public Key

Page Navigation

Jump to a developer surface

This page is intentionally comprehensive. Use these shortcuts to move directly to the live console, install snippets, proof rules, widgets, API contracts, and failure-state guidance.

API Console Live Preview messageString Rule Install Badge Widget Modal External Test Public Contract Raw API Proof Object Failure Modes Integration Paths

START HERE

Use versioned SDK and widget files

Production integrations should use versioned GAFAIG files. Versioned files are pinned production contracts. Latest aliases are convenience entry points that may evolve. Use v1 files for any external customer, partner, or production website.

Step 1

Load versioned files

Use /sdk/gafaig.v1.js as the primary production integration. Use /widget/gafaig-widget.v1.js and /widget/gafaig-verify.v1.js only for direct or advanced embeds.

Step 2

Embed a trust surface

Add a badge, widget, or verification modal using a REGISTRY_ID issued by GAFAIG.

Step 3

Verify independently

Use the verification endpoint, exact messageString, signature, and public key to validate the public record.

Versioned files are stable production contracts

Use versioned files for production embeds. v1 files are behavior-stable for existing integrations. Bug fixes may be applied, but external production integrations should pin to v1 until a future version is explicitly released.

Latest aliases can evolve

The unversioned files remain available as latest builds. They may receive newer behavior before a future pinned version is introduced. Do not rely on latest aliases for third-party production stability.

Production-stable versioned files

TEXT

Production-stable versioned files:

Primary SDK:
https://www.gafaig.com/sdk/gafaig.v1.js

Optional advanced UI runtimes:
https://www.gafaig.com/widget/gafaig-widget.v1.js
https://www.gafaig.com/widget/gafaig-verify.v1.js

Use the SDK as the recommended production entry point. Use the widget and modal runtime files only for direct or advanced embeds.

Latest aliases

TEXT

Latest aliases:

https://www.gafaig.com/sdk/gafaig.js
https://www.gafaig.com/widget/gafaig-widget.js
https://www.gafaig.com/widget/gafaig-verify.js

These aliases point to the latest build and may change behavior. Use for testing, internal previews, or controlled rollouts only.

Trust Source

/api/verify

The verification endpoint remains the canonical public trust authority.

Stable SDK

/sdk/gafaig.v1.js

The versioned SDK is the recommended production integration file.

Signature Algorithm

Ed25519

Every public proof is signed and can be validated with the public key endpoint.

Verification Playground

Live API console for GAFAIG records

Enter a registry ID, call the public verification endpoint, inspect the certified record, review the signed payload, and copy production integration code.

Ready

Method

GET

HTTP status

—

Latency

—

LIVE PREVIEW

See the versioned embed working live

This preview uses the production-stable versioned widget file. The widget renders the public verification response for the demo GAFAIG registry record and does not compute trust in the browser.

Live widget

Trust interpretation

What this live widget proves

The widget is a display layer only. It does not compute trust. It renders the public verification response returned by GAFAIG.

Certified

This record is published and valid in the GAFAIG registry.

Signature Valid

The cryptographic signature matches the published public key.

Payload Verified

The signed payload has not been altered before display.

messageString available

External systems can independently verify the record using the exact messageString returned by /api/verify.

What creates trust

/api/verify returns the canonical record and proof.
proof.messageString is the exact signed payload.
proof.signature is the cryptographic signature.
/api/.well-known/gafaig-public-key exposes the verification key.

Verification MUST use the exact messageString returned by the API. Never reconstruct it.

Open verify page View JSON

CANONICAL VERIFICATION RULE

Verify the exact messageString. Never reconstruct it.

The signed payload is proof.messageString. It must be copied and verified exactly as returned by /api/verify. Reconstructing payloads from record fields, proof.message, UI values, or reordered JSON will invalidate verification.

Correct

Fetch /api/verify/[registryId], read proof.messageString, read proof.signature, fetch the public key, and verify the exact messageString bytes against the signature.

Incorrect

Do not rebuild the payload from JSON fields, change timestamp formats, stringify proof.message yourself, reorder keys, or normalize the string before verification.

Canonical verification rule

TEXT

Verification MUST use proof.messageString exactly as returned.

Do not:
- rebuild messageString from record fields
- stringify proof.message yourself
- reorder JSON keys
- change timestamp formats
- trim or normalize the payload before verification

Use:
- proof.messageString
- proof.signature
- public key from proof.verificationKeyUrl

INSTALL

Install the GAFAIG SDK (recommended)

Start with the versioned SDK. This is the ONLY recommended production integration path. All widgets, badges, and modals should be used through the SDK unless you have a specific advanced requirement.

Recommended: Install SDK

HTML

<script src="https://www.gafaig.com/sdk/gafaig.v1.js"></script>

ADVANCED

Optional runtime files (advanced use only)

These files are not required for most integrations. Only use them if you are building custom UI layers outside the SDK.

Do not use advanced runtimes by default

Direct widget and modal runtime files bypass the SDK abstraction layer. This increases integration complexity and should only be used in controlled or custom environments.

Install SDK + verification modal

HTML

<script src="https://www.gafaig.com/sdk/gafaig.v1.js"></script>
<script src="https://www.gafaig.com/widget/gafaig-verify.v1.js"></script>

BADGE

Render a GAFAIG badge

The badge is a lightweight trust signal that links to the verification page. It respects lifecycle and badge eligibility from the public badge API.

Auto-render a badge

HTML

<script src="https://www.gafaig.com/sdk/gafaig.v1.js"></script>

<div data-gafaig-badge="GAFAIG-00363095"></div>

Render badge manually

HTML

<script src="https://www.gafaig.com/sdk/gafaig.v1.js"></script>

<div id="gafaig-badge-target"></div>

<script>
  gafaig.badge("#gafaig-badge-target", {
    registryId: "GAFAIG-00363095",
    baseUrl: "https://www.gafaig.com"
  });
</script>

Read badge JSON

HTML

<script src="https://www.gafaig.com/sdk/gafaig.v1.js"></script>

<script>
  gafaig
    .getBadge("GAFAIG-00363095", {
      baseUrl: "https://www.gafaig.com"
    })
    .then(console.log);
</script>

WIDGET

Render the full trust widget

The widget is a richer trust surface. It fetches the verify endpoint, renders record status, signature state, payload integrity, and links to the registry and raw verification JSON.

Render widget via SDK (recommended)

HTML

<script src="https://www.gafaig.com/sdk/gafaig.v1.js"></script>

<div data-gafaig-id="GAFAIG-00363095"></div>

Auto-render compact widget

HTML

<script src="https://www.gafaig.com/sdk/gafaig.v1.js"></script>

<div
  data-gafaig-id="GAFAIG-00363095"
  data-mode="badge"
></div>

MODAL

Open verification modal (SDK-controlled)

The verification modal allows third-party sites to show GAFAIG verification details without navigating away from the page.

Auto-bind modal button

HTML

<script src="https://www.gafaig.com/sdk/gafaig.v1.js"></script>
<script src="https://www.gafaig.com/widget/gafaig-verify.v1.js"></script>

<button data-gafaig-open-verify="GAFAIG-00363095">
  Verify this GAFAIG record
</button>

<script>
  gafaig.init();
</script>

Open modal manually

HTML

<script src="https://www.gafaig.com/sdk/gafaig.v1.js"></script>
<script src="https://www.gafaig.com/widget/gafaig-verify.v1.js"></script>

<button id="open-gafaig-verify">
  Verify this GAFAIG record
</button>

<script>
  document
    .getElementById("open-gafaig-verify")
    .addEventListener("click", function () {
      gafaig.openVerify("GAFAIG-00363095", {
        baseUrl: "https://www.gafaig.com"
      });
    });
</script>

EXTERNAL TEST

Test GAFAIG on a third-party page

This minimal HTML file simulates an external website using GAFAIG’s versioned SDK and modal runtime.

Standalone external embed test

HTML

<!DOCTYPE html>
<html>
  <body>
    <h1>GAFAIG External Embed Test</h1>

    <div data-gafaig-badge="GAFAIG-00363095"></div>

    <button data-gafaig-open-verify="GAFAIG-00363095">
      Open Verification Modal
    </button>

    <script src="https://www.gafaig.com/sdk/gafaig.v1.js"></script>
    <script src="https://www.gafaig.com/widget/gafaig-verify.v1.js"></script>

    <script>
      gafaig.init({
        baseUrl: "https://www.gafaig.com"
      });
    </script>
  </body>
</html>

PUBLIC CONTRACT

What the public layer exposes

GAFAIG exposes only the certification outcome, public record fields, lifecycle and eligibility flags, and verification proof. Internal scoring, workflow, decision, and reviewer materials are not part of the public contract.

Public fields

registryId, registrySnapshotId, applicationId, caseId, entityName, entityType, country, certificationStatus, lifecycleStatus, visibilityStatus, verificationEligible, badgeEligible, validFrom, validTo, certifiedAt, publishedAt, and proof.

Private fields

Raw score, scoring breakdowns, reviewer materials, internal workflow state, raw findings, and evidence do not belong in the public trust layer.

RAW API

Use the verify, badge, and public key endpoints directly

For advanced integrations, call the public API endpoints directly. The SDK and widget are convenience layers on top of the same public contracts.

Fetch a verification record

cURL

curl https://www.gafaig.com/api/verify/GAFAIG-00363095

Fetch badge data

cURL

curl https://www.gafaig.com/api/badge/GAFAIG-00363095

Fetch public verification key

cURL

curl https://www.gafaig.com/api/.well-known/gafaig-public-key

Read public proof in JavaScript

JavaScript

const response = await fetch(
  "https://www.gafaig.com/api/verify/GAFAIG-00363095",
  { cache: "no-store" }
);

const data = await response.json();

const messageString = data.proof.messageString;
const signature = data.proof.signature;
const publicKeyUrl = data.proof.verificationKeyUrl;

console.log(messageString);
console.log(signature);
console.log(publicKeyUrl);

PROOF OBJECT

The signed payload you verify

The record object is for display. The proof object is the trust layer. Signature validation depends on messageString, signature, key ID, algorithm, and the public key endpoint.

Example verify response shape

JSON

{
  "ok": true,
  "verified": true,
  "registryId": "GAFAIG-00363095",
  "record": {
    "registryId": "GAFAIG-00363095",
    "registrySnapshotId": "REG-SNAP-...",
    "applicationId": "APP-DEMO-0001",
    "caseId": "CASE-0001",
    "entityName": "OpenAI Enterprise Demo Org",
    "entityType": "company",
    "country": "United States",
    "certificationStatus": "CERTIFIED",
    "certifiedAt": "2026-04-21T12:37:57.000Z",
    "validFrom": "2026-04-15T00:00:00.000Z",
    "validTo": "2027-04-15T10:20:24.000Z",
    "lifecycleStatus": "active",
    "visibilityStatus": "public",
    "verificationEligible": true,
    "badgeEligible": true
  },
  "proof": {
    "alg": "Ed25519",
    "kid": "gafaig-ed25519-2026-01",
    "signature": "<base64-signature>",
    "signedAt": "<iso-timestamp>",
    "verificationKeyUrl": "https://www.gafaig.com/api/.well-known/gafaig-public-key",
    "message": {
      "registryId": "GAFAIG-00363095",
      "entityName": "OpenAI Enterprise Demo Org",
      "certificationStatus": "CERTIFIED",
      "certifiedAt": "2026-04-21T12:37:57.000Z",
      "validFrom": "2026-04-15T00:00:00.000Z",
      "validTo": "2027-04-15T10:20:24.000Z"
    },
    "messageString": "{\"registryId\":\"GAFAIG-00363095\",...}"
  }
}

Trust depends on the proof object, not UI rendering.

The signed payload is proof.messageString exactly as returned by the API.

External systems must treat messageString as the canonical input to signature verification.

SDK, widget, badge, and modal bindings are thin consumers of verify and badge endpoints and never compute trust.

FAILURE MODES

Handle invalid and unavailable verification states explicitly

A professional trust integration must fail safely. GAFAIG surfaces invalid, unavailable, expired, and revoked states so downstream systems do not mistake UI availability for trust.

Failure modes

TEXT

Failure modes external systems must handle:

1. Missing messageString
   Treat as invalid. Do not reconstruct the payload.

2. Missing signature
   Treat as invalid. No cryptographic proof is available.

3. Public key unavailable
   Treat as verification unavailable.

4. Signature mismatch
   Treat as invalid. Payload integrity failed.

5. Expired certification
   Verification may still prove authenticity, but the lifecycle state must be displayed as expired.

6. Revoked certification
   Verification may still prove authenticity, but the lifecycle state must be displayed as revoked.

Missing messageString means verification is invalid. Do not reconstruct a payload.

Missing signature means no cryptographic proof is available.

Public key failure means verification is unavailable until the key can be fetched.

Expired or revoked records must be displayed according to lifecycleStatus even if the signature proves authenticity.

INTEGRATION PATHS

Choose the trust surface you need

GAFAIG supports multiple ways to distribute trust depending on your product, audience, and verification needs.

Badge

A lightweight trust signal for external pages, partner sites, and product footers.

Widget

A richer public trust panel with record status, signature state, payload integrity, and verification links.

Modal

Inline verification without sending users away from a third-party page.

Verify API

Raw machine-readable record and proof data for custom integrations.

Test Verify Open Registry Preview Widget

WHY THIS MATTERS

Verification without private disclosure

GAFAIG enables organizations to prove certified AI governance without exposing internal systems. This makes trust portable while preserving confidentiality.

Internal governance review stays in the private verification engine.

The public layer exposes only certified outcomes and proof needed to verify them.

Trust can be validated outside GAFAIG using the signed payload and public key.

The same public trust signal can appear on registry pages, APIs, badges, widgets, SDK integrations, and external websites.