Authorized Verification

Every Lyrics D.N.A™ certificate carries the same 9-layer tamper-evidence stack (Tier 1a+Tier 1b PAdES B-LTA signatures, DocMDP+SigFieldLock, 11 RFC 3161 timestamps, Polygon/Ethereum/Bitcoin/Arweave/IPFS anchors, ML-DSA-65 post-quantum signature, hourly Merkle-root publication). We expose that evidence through three tiers scaled to the verifier's authority, balancing independent verifiability with data-principal privacy under DPDP Act 2023.

Endpoint

GET https://verify.talantoncore.in/api/verify/{certificateId}

Returns

• Claimant display name + work title (the signer consented to publication when issuing)
• Issue date, verified-count, trust level, TSA + blockchain confirmations, KYC level summary
• Tier 1a + Tier 1b signing-chain metadata (issuer CNs, PAdES level)

Does NOT return

• Claimant email, phone, Aadhaar, PAN, KYC reference ID
• Full lyrics text, audio bytes, or any content beyond hashes

Rate-limited to 60 req/hour/IP; HMAC-token bypass for authenticated QR-scan flows.

Endpoints

GET  https://verify.talantoncore.in/api/verify-private/{certificateId}
POST https://verify.talantoncore.in/api/verify-private/reverse-lookup
     Body: { "hashType": "lyrics|audio|fingerprint|pdf", "hashValue": "<sha256-hex>" }

Returns

• All commitments (SHA-256): lyricsHash, audioHash, fingerprintHash, pdfHash, merkleRoot
• Full signing-chain + PAdES + DocMDP + SigFieldLock metadata
• Post-quantum signature status + pubkey fingerprint (match against /.well-known/platform-pq-pubkey)
• Blockchain anchors with explorer URLs (Polygon, Ethereum, Bitcoin, Arweave, IPFS)
• RFC 3161 TSA authorities verified (11 possible, including 3 eIDAS Qualified)

Intended verifiers

• CBI, State police cyber cells, MHA
• Copyright Board, Intellectual Property Appellate Board
• Court-appointed technical auditors
• Foreign enforcement under MLAT requests

Rate-limited to 20 req/hour/IP; every access audit-logged with IP, UA, certificateId, and (for reverse-lookup) match outcome. Abuse patterns automatically flagged for review. Officers are encouraged to identify themselves in the User-Agent header — this helps us whitelist legitimate investigations and review suspicious ones faster.

Offline replay — what Tier 2 enables

Combined with our published public keys (/.well-known/platform-ca-pem, /.well-known/platform-pq-pubkey), a Tier 2 response is sufficient for an auditor to perform a complete end-to-end integrity check without trusting SwaLay: verify the PAdES chain against CCA + internal CA, the PQ signature against the published ML-DSA-65 pubkey, the blockchain anchors against the respective chain explorers, and the RFC 3161 timestamps against each TSA's own verification tooling.

Trigger

• Signed order from a court of competent jurisdiction, OR
• Formal request under CrPC §91 / BNSS §94 from an authorized officer, OR
• MLAT request via designated Central Authority for foreign proceedings

Process

1. Email legal@talantoncore.in with the signed order + officer ID + specific certificate IDs.
2. DPO (Data Protection Officer) triage within 48 hours — verifies authority + scope under DPDP Act 2023 §8 (purpose limitation).
3. If approved, SwaLay issues a time-limited signed URL (30-day expiry) releasing the requested PII. Access is scoped to the minimum fields specified in the order.
4. The data principal is notified within 72 hours, unless the court order includes a gag clause.
5. Every Tier 3 release is audit-logged (tier3.data_reveal_authorized) and reported in our annual DPDP transparency report.

What Tier 3 can reveal (if ordered)

• Claimant full name, email, phone
• KYC reference ID and document type (Aadhaar / PAN / Passport)
• Raw lyrics text (from IPFS + Arweave archive)
• Full audit trail: IP history, session log, OTP history

Verbal requests, threats, or pressure tactics are logged + ignored. Every release is court-documented or nothing is released.