DEVELOPERS

Integrate deterministic AI governance proof

GAFAIG gives developers a deterministic way to integrate independently verifiable AI governance trust signals into external products, websites, platforms, and governance systems. Developers can fetch published certification surfaces, inspect signed verification proof, and validate public governance trust without accessing private governance materials.

The SDK, widgets, badges, modals, and APIs are distribution layers over GAFAIG’s public verification infrastructure. They do not compute trust. External systems must verify the exact proof.messageString returned by the verification endpoint using the signature and GAFAIG public key.

Open Verification Surface Browse Registry View Widget Preview Public Key

FAST INSTALL

Add GAFAIG to your site in under 30 seconds

Copy and paste this snippet to display a GAFAIG public governance trust signal for a published certification surface on your site. The widget renders GAFAIG verification output; it does not compute trust in the browser. Published public governance trust surfaces are available only after completion of the GAFAIG governance review and certification process and after explicit publication is elected.

Paste into your HTML

HTML

<script src="https://www.gafaig.com/sdk/gafaig.v1.js"></script>

<div data-gafaig-id="GAFAIG-00000001"></div>

See it live Full integration guide

Page Navigation

Jump to a developer surface

This page is intentionally comprehensive. Use these shortcuts to move directly to the live console, install snippets, proof rules, widgets, API contracts, and failure-state guidance.

API Console Live Preview messageString Rule Install Badge Widget Modal External Test Public Contract Public API Verification Proof Failure Modes Integration Paths

START HERE

Use versioned SDK and widget files

Production integrations should use versioned GAFAIG files. Versioned files are pinned production contracts for public governance trust distribution. Latest aliases are convenience entry points that may evolve. Use v1 files for any external customer, partner, or production website.

Step 1

Load versioned files

Use /sdk/gafaig.v1.js as the primary production integration. Use /widget/gafaig-widget.v1.js and /widget/gafaig-verify.v1.js only for direct or advanced embeds.

Step 2

Embed a trust surface

Add a badge, widget, or verification modal using a REGISTRY_ID issued by GAFAIG.

Step 3

Verify independently

Use the verification endpoint, exact messageString, signature, and public key to validate the public certification surface.

Versioned files are stable production contracts

Use versioned files for production embeds. v1 files are behavior-stable for existing integrations. Bug fixes may be applied, but external production integrations should pin to v1 until a future version is explicitly released.

Latest aliases can evolve

The unversioned files remain available as latest builds. They may receive newer behavior before a future pinned version is introduced. Do not rely on latest aliases for third-party production stability.

Production-stable versioned files

TEXT

Production-stable versioned files:

Primary SDK:
https://www.gafaig.com/sdk/gafaig.v1.js

Optional advanced UI runtimes:
https://www.gafaig.com/widget/gafaig-widget.v1.js
https://www.gafaig.com/widget/gafaig-verify.v1.js

Use the SDK as the recommended production entry point. Use the widget and modal runtime files only for direct or advanced embeds.

Latest aliases

TEXT

Latest aliases:

https://www.gafaig.com/sdk/gafaig.js
https://www.gafaig.com/widget/gafaig-widget.js
https://www.gafaig.com/widget/gafaig-verify.js

These aliases point to the latest build and may change behavior. Use for testing, internal previews, or controlled rollouts only.

Trust Source

/api/verify

The verification endpoint remains the canonical public verification source for published certification surfaces.

Stable SDK

/sdk/gafaig.v1.js

The versioned SDK is the recommended production integration file.

Signature Algorithm

Ed25519

Every public proof is signed and can be validated with the public key endpoint.

Verification Playground

Live API console for GAFAIG records

Enter a registry ID, call the public verification endpoint, inspect the certified record, review the signed payload, and copy production integration code.

Ready

Method

GET

HTTP status

—

Latency

—

LIVE PREVIEW

See the versioned embed working live

This preview uses the production-stable versioned widget file. The widget renders the public verification response for the demo GAFAIG certification surface. Trust is not computed in the browser; it is projected from GAFAIG’s public verification infrastructure.

Live widget

Trust interpretation

What this live public governance trust widget displays

The widget is a display layer only. It does not compute trust, certify systems, or reconstruct proof. It renders the public verification response returned by GAFAIG.

Certified (Published)

This certification surface completed the GAFAIG governance review and certification process and was explicitly published to the public certification registry.

Signature Valid

The cryptographic signature matches the published public key.

Canonical Payload Verified

The signed payload has not been altered before display.

messageString available

External systems can independently verify the record using the exact messageString returned by /api/verify.

What creates trust

/api/verify returns the canonical record and proof.
proof.messageString is the exact canonical signed public payload.
proof.signature is the cryptographic signature.
/api/.well-known/gafaig-public-key exposes the verification key.
Public certification surfaces exist only after deterministic governance review and explicit publication.

Verification MUST use the exact messageString returned by the API. Never reconstruct it.

Open Verification Surface View Proof JSON

CANONICAL VERIFICATION RULE

Verify the exact messageString. Never reconstruct it.

The canonical signed payload is proof.messageString. It must be verified exactly as returned by /api/verify. Reconstructing payloads from record fields, proof.message, UI values, or reordered JSON is forbidden and must be treated as invalid verification behavior.

Correct

Fetch /api/verify/[registryId], read proof.messageString, read proof.signature, fetch the public key, and verify the exact messageString bytes against the signature.

Incorrect

Do not rebuild the payload from JSON fields, change timestamp formats, stringify proof.message yourself, reorder keys, or normalize the string before verification.

Canonical verification rule

TEXT

Verification MUST use proof.messageString exactly as returned.

Do not:
- rebuild messageString from record fields
- stringify proof.message yourself
- reorder JSON keys
- change timestamp formats
- trim or normalize the payload before verification

Use:
- proof.messageString
- proof.signature
- public key from proof.verificationKeyUrl

INSTALL

Install the GAFAIG SDK (recommended)

Start with the versioned SDK. This is the recommended production integration path for GAFAIG public governance trust distribution. All widgets, badges, and modals should be used through the SDK unless you have a specific advanced requirement.

Recommended: Install SDK

HTML

<script src="https://www.gafaig.com/sdk/gafaig.v1.js"></script>

ADVANCED

Optional runtime files (advanced use only)

These files are not required for most integrations. Only use them if you are building custom UI layers outside the SDK.

Do not use advanced runtimes by default

Direct widget and modal runtime files bypass the SDK abstraction layer. This increases integration complexity and should only be used in controlled or custom environments.

Install SDK + verification modal

HTML

<script src="https://www.gafaig.com/sdk/gafaig.v1.js"></script>
<script src="https://www.gafaig.com/widget/gafaig-verify.v1.js"></script>

BADGE

Render a GAFAIG badge

The badge is a lightweight trust signal that links to the verification surface. It respects lifecycle and badge eligibility from the public badge API.

Auto-render a badge

HTML

<script src="https://www.gafaig.com/sdk/gafaig.v1.js"></script>

<div data-gafaig-badge="GAFAIG-00000001"></div>

Render badge manually

HTML

<script src="https://www.gafaig.com/sdk/gafaig.v1.js"></script>

<div id="gafaig-badge-target"></div>

<script>
  gafaig.badge("#gafaig-badge-target", {
    registryId: "GAFAIG-00000001",
    baseUrl: "https://www.gafaig.com"
  });
</script>

Read badge JSON

HTML

<script src="https://www.gafaig.com/sdk/gafaig.v1.js"></script>

<script>
  gafaig
    .getBadge("GAFAIG-00000001", {
      baseUrl: "https://www.gafaig.com"
    })
    .then(console.log);
</script>

WIDGET

Render the full trust widget

The widget is a richer public governance trust surface. It fetches the verification endpoint, renders certification status, signature state, canonical payload integrity, and links to the registry and signed proof JSON.

Render widget via SDK (recommended)

HTML

<script src="https://www.gafaig.com/sdk/gafaig.v1.js"></script>

<div data-gafaig-id="GAFAIG-00000001"></div>

Auto-render compact widget

HTML

<script src="https://www.gafaig.com/sdk/gafaig.v1.js"></script>

<div
  data-gafaig-id="GAFAIG-00000001"
  data-mode="badge"
></div>

MODAL

Open Verification Surface Modal (SDK-controlled)

The verification modal allows third-party sites to show GAFAIG verification details without navigating away from the page.

Auto-bind modal button

HTML

<script src="https://www.gafaig.com/sdk/gafaig.v1.js"></script>
<script src="https://www.gafaig.com/widget/gafaig-verify.v1.js"></script>

<button data-gafaig-open-verify="GAFAIG-00000001">
  Verify this GAFAIG record
</button>

<script>
  gafaig.init();
</script>

Open modal manually

HTML

<script src="https://www.gafaig.com/sdk/gafaig.v1.js"></script>
<script src="https://www.gafaig.com/widget/gafaig-verify.v1.js"></script>

<button id="open-gafaig-verify">
  Verify this GAFAIG record
</button>

<script>
  document
    .getElementById("open-gafaig-verify")
    .addEventListener("click", function () {
      gafaig.openVerify("GAFAIG-00000001", {
        baseUrl: "https://www.gafaig.com"
      });
    });
</script>

EXTERNAL TEST

Test GAFAIG on a third-party page

This minimal HTML file simulates an external website using GAFAIG’s versioned SDK and modal runtime.

Standalone external embed test

HTML

<!DOCTYPE html>
<html>
  <body>
    <h1>GAFAIG External Embed Test</h1>

    <div data-gafaig-badge="GAFAIG-00000001"></div>

    <button data-gafaig-open-verify="GAFAIG-00000001">
      Open Verification Modal
    </button>

    <script src="https://www.gafaig.com/sdk/gafaig.v1.js"></script>
    <script src="https://www.gafaig.com/widget/gafaig-verify.v1.js"></script>

    <script>
      gafaig.init({
        baseUrl: "https://www.gafaig.com"
      });
    </script>
  </body>
</html>

PUBLIC CONTRACT

What the public layer exposes

GAFAIG exposes only published certification outcomes, public certification surface fields, lifecycle state, eligibility signals, and verification proof. Internal scoring, workflow, decision, reviewer materials, and private governance telemetry are not part of the public contract.

Public fields

Published certification surface fields, lifecycle state, registry identifiers, eligibility flags, and cryptographic proof required for independent verification. These fields appear only after certification is finalized and publication is explicitly elected.

Private fields

Raw score, scoring breakdowns, reviewer materials, internal workflow state, raw findings, evidence, governance telemetry, and private operational records do not belong in the public trust layer.

PUBLIC API

Use the verification, badge, and public key endpoints directly

For advanced integrations, call the public API endpoints directly. The SDK and widget are convenience layers on top of the same public contracts.

Fetch a verification surface

cURL

curl https://www.gafaig.com/api/verify/GAFAIG-00000001

Fetch badge data

cURL

curl https://www.gafaig.com/api/badge/GAFAIG-00000001

Fetch public verification key

cURL

curl https://www.gafaig.com/api/.well-known/gafaig-public-key

Read proof and public key with SDK

JavaScript

<script src="https://www.gafaig.com/sdk/gafaig.v1.js"></script>

<script>
  async function verifyGAFAIGRecord() {
    const result = await gafaig.verify("GAFAIG-00000001", {
      baseUrl: "https://www.gafaig.com"
    });

    const publicKey = await gafaig.getPublicKey({
      baseUrl: "https://www.gafaig.com"
    });

    const messageString = result.proof.messageString;
    const signature = result.proof.signature;

    console.log(result);
    console.log(publicKey);
    console.log(messageString);
    console.log(signature);
  }

  verifyGAFAIGRecord();
</script>

VERIFICATION PROOF

The canonical signed public payload you verify

The record object is for display. The proof object is the verification layer. Signature validation depends on proof.messageString, signature, key ID, algorithm, and the public key endpoint.

Example verify response shape

JSON

{
  "ok": true,
  "verified": true,
  "registryId": "GAFAIG-00000001",
  "record": {
    "registryId": "GAFAIG-00000001",
    "registrySnapshotId": "REG-SNAP-...",
    "applicationId": "APP-DEMO-0001",
    "caseId": "CASE-0001",
    "entityName": "OpenAI Enterprise Demo Org",
    "entityType": "company",
    "country": "United States",
    "certificationStatus": "CERTIFIED",
    "certifiedAt": "2026-04-21T12:37:57.000Z",
    "validFrom": "2026-04-15T00:00:00.000Z",
    "validTo": "2027-04-15T10:20:24.000Z"
  },
  "proof": {
    "alg": "Ed25519",
    "kid": "gafaig-ed25519-2026-01",
    "signature": "<base64-signature>",
    "signedAt": "<iso-timestamp>",
    "verificationKeyUrl": "https://www.gafaig.com/api/.well-known/gafaig-public-key",
    "message": {
      "registryId": "GAFAIG-00000001",
      "entityName": "OpenAI Enterprise Demo Org",
      "certificationStatus": "CERTIFIED",
      "certifiedAt": "2026-04-21T12:37:57.000Z",
      "validFrom": "2026-04-15T00:00:00.000Z",
      "validTo": "2027-04-15T10:20:24.000Z"
    },
    "messageString": "{\"registryId\":\"GAFAIG-00000001\",...}"
  }
}

Trust depends on the verification proof object, not UI rendering.

The canonical signed payload is proof.messageString exactly as returned by the API.

External systems must treat messageString as the canonical input to signature verification.

SDK, widget, badge, and modal bindings are thin consumers of verification and badge endpoints and never compute trust.

FAILURE MODES

Handle invalid and unavailable verification states explicitly

A professional verification integration must fail safely. GAFAIG surfaces invalid, unavailable, expired, and revoked states so downstream systems do not mistake UI availability for verified public governance trust.

Failure modes

TEXT

Failure modes external systems must handle:

1. Missing messageString
   Treat as invalid. Do not reconstruct the payload.

2. Missing signature
   Treat as invalid. No cryptographic proof is available.

3. Public key unavailable
   Treat as verification unavailable.

4. Signature mismatch
   Treat as invalid. Payload integrity failed.

5. Expired certification
   Verification may still prove authenticity, but the lifecycle state must be displayed as expired.

6. Revoked certification
   Verification may still prove authenticity, but the lifecycle state must be displayed as revoked.

Missing messageString means verification is invalid. Do not reconstruct a payload.

Missing signature means no cryptographic proof is available.

Public key failure means verification is unavailable until the key can be fetched.

Expired or revoked published records must be displayed according to the public verification response even if the signature proves authenticity.

INTEGRATION PATHS

Choose the trust surface you need

GAFAIG supports multiple ways to distribute public governance trust signals depending on your product, audience, and verification needs.

Badge

A lightweight trust signal for external pages, partner sites, and product footers.

Widget

A richer public governance trust panel with certification surface status, signature state, payload integrity, and verification links.

Modal

Inline verification without sending users away from a third-party page.

Verification API

Machine-readable published certification surface and signed verification proof data for custom integrations.

Test Verify Open Registry Preview Widget

WHY THIS MATTERS

Public verification without private disclosure

GAFAIG enables organizations to publish independently verifiable AI governance certification surfaces without exposing internal systems. This makes public governance trust portable while preserving confidentiality. Publication is explicit and controlled. Organizations do not become publicly visible automatically after application submission.

Internal governance review stays in the private verification engine.

The public governance trust layer exposes only published certification outcomes and proof needed to verify them.

Trust can be validated outside GAFAIG using the signed payload and public key.

The same public governance trust signal can appear on registry pages, APIs, badges, widgets, SDK integrations, and external websites.

Application submission alone does not create a public governance trust surface. Certification, publication, and verification are separate deterministic stages.