Verifying Turtini PDFs from your own systems (verifyPdf API)

If you receive Turtini-issued PDFs in an automated workflow (procurement intake, contract management, audit pipeline, compliance bot), you can verify them programmatically without using the in-browser /verify page or our Firestore SDK.

Endpoint:
The verifyPdf Cloud Function is publicly callable — no authentication required. The URL is:

https://verifypdf-<hash>-uc.a.run.app

(For your project's exact URL, deploy logs print it after the first deploy, or look it up in the Cloud Run console under the verifypdf service.)

Three call shapes:

1. POST a known hash (cheapest — no upload):
curl -X POST https://verifypdf-<hash>-uc.a.run.app \
-H 'Content-Type: application/json' \
-d '{"hash":"<sha256-hex>"}'

2. POST the file directly (server hashes it):
curl -X POST https://verifypdf-<hash>-uc.a.run.app \
-F [email protected]
(Max 25 MB per request.)

3. GET with a hash (convenience for one-off scripts):
curl 'https://verifypdf-<hash>-uc.a.run.app?hash=<sha256-hex>'

Response (always 200 if the request was well-formed):
{
"status": "authentic" | "revoked" | "unknown",
"verifyUrl": "https://turtini.com/verify/{id}",
"id": "...",
"title": "Quote Q-1042 for Acme",
"docType": "quote" | "invoice" | "contract" | ...,
"orgId": "...",
"orgName": "Issuing Org Inc.",
"orgLogoUrl": "...",
"issuerName": "Jane Doe",
"issuedAt": "2026-04-12T18:23:00Z",
"contentHash": "...",
"fileSize": 12345,
"revoked": false,
"revokedReason": null
}

unknown — the hash isn't in the registry. Either the file was modified after issuance, or it wasn't generated through Turtini.

revoked — issued by the org but explicitly revoked by an admin (typically superseded by a newer version). The bytes still match the original; the issuer has flagged it as not authoritative.

Errors are 4xx with { "error": "...", "code": "..." } — common codes are missing_hash, bad_hash (must be 64-char hex), file_too_large (over 25 MB), and method_not_allowed.

CORS:
The endpoint sets Access-Control-Allow-Origin: * so you can call it from any web page. Browser GET / POST without credentials works without preflight.

Best practice:
For production audit pipelines, hash files yourself and POST the hash — it's faster, cheaper (no upload), and your bytes never leave your network. Reserve the multipart upload form for ad-hoc verification of a single suspect file.