The product
Root Herald is a device attestation API.
Your dumb client collects device evidence before a signup, claim, vote, or free-tier grant and hands it to your server; your backend calls rh.verify() server→server to get the verdict back directly. We return whether the request came from a real, distinct, untampered device, backed by the TPM or Secure Enclave the OS already ships. That's the whole product.
In the box
What you get on day one.
rh.verify()
One server→server call returns an AttestationVerdict: device.ueid, verdict, earStatus, acr, and a trustworthiness vector. Same wire contract from every SDK; a portable token (verifyAttestationToken) is there for the badge tier.
Bindings for every surface (rolling out)
Server bindings — @rootherald/node is available today; .NET, Go, Java, Ruby, Python are rolling out. Client collectors for desktop, mobile, and game engines are rolling out too: native C/C++ in development, browser/React and iOS/Android coming soon, Unity/Unreal documented. One contract behind all of them.
Developer portal
Usage, API keys, policy editor, event tail, billing. Every list shows the API call that does the same thing in code.
Included on every tier
What works out of the box, no upcharge.
Tier upgrades
Unlock with Pro, Business, or Enterprise.
Full tier breakdown — including overage rates and what counts as an attestation — on the pricing page. Out-of-band webhook event delivery is on the roadmap, not shipping yet.
Capability spotlight
Cohort prevalence — 'unusual for its kind', as an additive signal.
The explicit checks (Secure Boot, dbx revocation, real-hardware TPM class, EAR status) remain the gate. Cohort prevalence adds one optional signal on top: how common a device's boot configuration is among devices like it, counted by distinct real TPMs. It is a named claim plus a policy minimum, never a rolled-up trust score.
It can only tighten
Evaluated after the explicit checks pass. Prevalence can add a reason to reject; it can never let a device bypass an explicit requirement. It catches “unusual for its kind,” not tampering.
New firmware is novel
A brand-new build is legitimately novel until adoption grows, so the default is advisory, never a silent reject. Even enforcement-failed but authentic attestations count, so a config self-heals into prevalence as real devices adopt it.
Fleet or global
Hard-gate against your own managed fleet (an empirical golden image) or read the global model-cohort advisory. Counted with distinct-device estimators that store no identifiers.
Full claim shapes, policy fields, and cold-start behavior are in the cohort-prevalence reference.
How it ships
One product, many surfaces.
API gateway
A single HTTPS endpoint fronts our verifier microservices, policy engine, and trust-anchor store. You see one URL, one contract, one set of error codes.
Browser extension
An MV3 extension bridges browser-based flows to the TPM via a local helper, so the page collects evidence and your backend brokers the verify. No SDK in your front-end and no keys on the client.
One verify call. A hardware fact under everything you build next.
Free up to 10K attestations a month, no card.