APIs for AI-assisted print attestation, watermarking, and audit evidence.

3DCIPHER integrates AI workflows with slicer hosts, printer daemons, quality systems, customer archives, and audit exporters. This page documents the public shape of the API: authentication, headers, idempotency, core endpoints, request examples, response examples, and package delivery rules.

start quickstart request OpenAPI bundle

auth quickstart Vault3D MeshGuard TwinCert AI services errors schemas SDKs

$auth

Authentication and request rules.

Production deployments authenticate service calls with mutual TLS and customer-issued workload identities. Operator-triggered actions also bind to the customer's IdP session and role policy. Verification calls are intentionally local-first and can run against a signed manifest snapshot.

topic	requirement	notes
base URL	`https://<customer-api>/api`	Customer-specific; local printer daemons usually bind to a private network address.
transport	mTLS	Client certificate maps to workload identity and allowed endpoint group.
content type	`application/json` or canonical CBOR	Bundle payloads use canonical CBOR in production; JSON examples below are readable equivalents.
idempotency	`Idempotency-Key` for mutating calls	Required for bundle creation, watermark embedding, certificate issuance, and audit export.
manifest freshness	deployment policy, default 24h	Signing fails closed when the manifest is stale; verification can still run in offline mode.

$quickstart

Minimal signed-print flow.

A typical integration signs the print bundle first, then creates a TwinCert record that references the bundle. MeshGuard is inserted before slicing when provenance needs to survive CAD distribution or physical-part scanning.

# 1. Sign the as-built bundle on the printer host.
$ curl --cert workload.pem --key workload-key.pem \
  -H 'Content-Type: application/json' \
  -H 'Idempotency-Key: print-2026-05-22-bay-a4-0007' \
  -d @bundle.json \
  https://printer-a4.local/api/v3/bundles

# 2. Issue the TwinCert record from the quality system.
$ curl --cert qms.pem --key qms-key.pem \
  -H 'Content-Type: application/json' \
  -H 'Idempotency-Key: twc-WA-BRK-001-041873' \
  -d @twincert.json \
  https://qms-api.customer.example/api/v2/certificates

# 3. Verify the exported audit package offline.
$ 3dc verify audit-package WA-BRK-001-041873.tgz --manifest manifest.json

$vault3d

Vault3D API.

Vault3D endpoints run on or near the printer host. They create and verify as-built bundles and expose machine posture for the customer console.

endpoint	caller	purpose
`POST /v3/bundles`	slicer or printer daemon	Create signed as-built bundle.
`GET /v3/bundles/{bundle_id}`	archive, audit builder	Fetch full bundle and signature.
`POST /v3/verify`	receiving site, verifier	Verify bundle against manifest.
`GET /v3/posture`	console, SIEM collector	Read firmware, HSM, manifest, and signing state.

# POST /v3/bundles request body, JSON equivalent of canonical CBOR
{
  "printer_id": "BAY-A4-PRINTER-07",
  "gcode_sha256": "4b9c7a3f81e2...d871a07",
  "slicer_attest": { "name": "PrusaSlicer", "build_sha256": "0c91...77fa" },
  "firmware_sha256": "9f20...ab42",
  "operator_binding": { "idp": "customer-okta", "subject": "00u...7a" },
  "sensor_envelope_sha256": "d881...20fe",
  "twincert_ref": "twc-2026-05-19-aa70"
}

# response
{
  "bundle_id": "bd-2026-05-19T08:42:09Z-7a3f",
  "signed_at": "2026-05-19T08:42:10.118Z",
  "machine_counter": 184221,
  "signature": "ed25519:MEUCIQD...",
  "manifest_rev": "current"
}

$meshguard

MeshGuard API.

MeshGuard endpoints run where CAD is distributed or where receiving sites scan meshes and physical parts. The embed endpoint returns a watermarked mesh artifact; detection returns a confidence score and payload binding.

# POST /v1/watermarks/embed
{
  "mesh_ref": "s3://cad/WA-BRK-001-r12.stl",
  "payload": {
    "customer_id": "cust-warwick-aero-2024",
    "part_class": "WA-BRK-001",
    "licensee": "licensed-site-03",
    "nonce": "2026-05-22-0007"
  },
  "max_vertex_displacement_um": 12
}

# response
{
  "payload_id": "mgp-2026-05-22-7d31",
  "watermarked_mesh_ref": "s3://cad-out/WA-BRK-001-r12-mgp-7d31.3mf",
  "payload_signature": "ed25519:MC0CF...",
  "detector_threshold": 0.93
}

# POST /v1/watermarks/detect response
{ "match": true, "score": 0.9821, "payload_id": "mgp-2026-05-22-7d31" }

$twincert

TwinCert API.

TwinCert endpoints are called by quality systems after manufacture and by audit-builder daemons during evidence export.

# POST /v2/certificates
{
  "identity": {
    "part_class": "WA-BRK-001",
    "serial": "WA-BRK-001-041873",
    "manufactured_at": "2026-05-19T08:42:09Z"
  },
  "as_built": {
    "bundle_ref": "bd-2026-05-19T08:42:09Z-7a3f",
    "bundle_sha256": "4b9c7a3f81e2...d871a07"
  },
  "conformance": [
    { "type": "dimensional", "inspection_ref": "insp-2026-05-19-114", "result": "pass" }
  ],
  "retention": { "policy": "25y-aerospace", "earliest_destroy": "2051-05-19" }
}

# response
{
  "certificate_id": "twc-2026-05-19-aa70",
  "signed_at": "2026-05-19T08:43:14.022Z",
  "signature": "ed25519:MEQCIB...",
  "audit_package_hint": "/v2/audit-packages?serial=WA-BRK-001-041873"
}

$ai-services

AI service endpoints.

AI endpoints prepare evidence, classify anomalies, and draft audit summaries. They do not replace signatures, manifests, or customer approval policy.

# POST /v1/ai/evidence/extract
{
  "source_refs": ["inspection://insp-2026-05-19-114", "lot://LPW-T64-2026-031"],
  "target_schema": "twincert-v2",
  "review_policy": "quality-owner-required"
}

# response
{
  "draft_id": "aidraft-2026-05-22-19a0",
  "fields": [{ "path": "composition.feedstock_lot", "value": "LPW-T64-2026-031", "confidence": 0.97 }],
  "requires_review": true
}

# POST /v1/ai/anomalies/score
{ "bundle_id": "bd-2026-05-19T08:42:09Z-7a3f", "profile": "aerospace-production" }

$errors

Error model.

Every non-2xx response returns a stable machine-readable code, a human-readable message, and a retry classification.

code	meaning	retry
`manifest_stale`	Local manifest is older than policy allows for signing.	Refresh manifest, then retry.
`hsm_unavailable`	Printer HSM did not return a signature within policy.	Retry with backoff; escalate after daemon fault.
`schema_invalid`	Request fails schema validation.	Do not retry unchanged.
`signature_rejected`	Payload or manifest signature does not verify.	Do not retry; investigate source artifact.

{
  "error": {
    "code": "manifest_stale",
    "message": "manifest revision 2026.05.r12 exceeds signing TTL",
    "retry": "after_manifest_refresh",
    "request_id": "req-01JY2Q6G7V9K"
  }
}

$schemas

Documents and schema delivery.

Public pages describe the schema fields and endpoint behavior. Actual OpenAPI files, JSON-LD contexts, CBOR schemas, and validation test corpora are delivered only when the signed files exist in a customer package. The downloads page no longer lists placeholder artifacts.

document	contains	delivery
OpenAPI bundle	Environment base URLs, endpoint schemas, AI service schemas, auth scopes, example payloads.	Signed customer package.
Vault3D CBOR schema	Canonical bundle field order, types, signature envelope, migration notes.	Signed customer package.
TwinCert JSON-LD schema	Certificate sections, regulatory fields, custody event model.	Signed customer package.
Runbook extract	Operational procedures for manifest refresh, HSM faults, key rotation, and audit export.	Support package.

$sdks

SDK usage shape.

SDK packages are not displayed as public downloads unless the package files are present. The example below shows the intended call shape for customer packages.

# Python SDK example
from threedc import Vault3D, TwinCert

vault = Vault3D(base_url="https://printer-a4.local/api", mtls=("workload.pem", "workload-key.pem"))
bundle = vault.create_bundle(bundle_payload, idempotency_key="print-2026-05-22-bay-a4-0007")

twincert = TwinCert(base_url="https://qms-api.customer.example/api", mtls=("qms.pem", "qms-key.pem"))
cert = twincert.issue_certificate({"as_built": {"bundle_ref": bundle.id}, **quality_payload})
print(cert.certificate_id)