Skip to content

The product

Root Herald is a device attestation API.

Your dumb client collects device evidence before a signup, claim, vote, or free-tier grant and hands it to your server; your backend calls rh.verify() server→server to get the verdict back directly. We return whether the request came from a real, distinct, untampered device, backed by the TPM or Secure Enclave the OS already ships. That's the whole product.

In the box

What you get on day one.

Verifier API

rh.verify()

One server→server call returns an AttestationVerdict: device.ueid, verdict, earStatus, acr, and a trustworthiness vector. Same wire contract from every SDK; a portable token (verifyAttestationToken) is there for the badge tier.

SDKs

Bindings for every surface (rolling out)

Server bindings — @rootherald/node is available today; .NET, Go, Java, Ruby, Python are rolling out. Client collectors for desktop, mobile, and game engines are rolling out too: native C/C++ in development, browser/React and iOS/Android coming soon, Unity/Unreal documented. One contract behind all of them.

Dashboard

Developer portal

Usage, API keys, policy editor, event tail, billing. Every list shows the API call that does the same thing in code.

Capability spotlight

Cohort prevalence — 'unusual for its kind', as an additive signal.

The explicit checks (Secure Boot, dbx revocation, real-hardware TPM class, EAR status) remain the gate. Cohort prevalence adds one optional signal on top: how common a device's boot configuration is among devices like it, counted by distinct real TPMs. It is a named claim plus a policy minimum, never a rolled-up trust score.

Additive only

It can only tighten

Evaluated after the explicit checks pass. Prevalence can add a reason to reject; it can never let a device bypass an explicit requirement. It catches “unusual for its kind,” not tampering.

Honest cold start

New firmware is novel

A brand-new build is legitimately novel until adoption grows, so the default is advisory, never a silent reject. Even enforcement-failed but authentic attestations count, so a config self-heals into prevalence as real devices adopt it.

Two scopes · private

Fleet or global

Hard-gate against your own managed fleet (an empirical golden image) or read the global model-cohort advisory. Counted with distinct-device estimators that store no identifiers.

Full claim shapes, policy fields, and cold-start behavior are in the cohort-prevalence reference.

How it ships

One product, many surfaces.

API gateway

A single HTTPS endpoint fronts our verifier microservices, policy engine, and trust-anchor store. You see one URL, one contract, one set of error codes.

Browser extension

An MV3 extension bridges browser-based flows to the TPM via a local helper, so the page collects evidence and your backend brokers the verify. No SDK in your front-end and no keys on the client.

One verify call. A hardware fact under everything you build next.

Free up to 10K attestations a month, no card.