Physical AI

Built for Physical AI & IoT

Anchor trusted data from IoT devices, robots, and edge gateways to public blockchains. Device-side signing ensures data integrity from the source.

Architecture

Data integrity starts at the device. Private keys never leave the hardware — HashAnchor verifies signatures and anchors hashes on-chain.

Device Signs

IoT device computes SHA-256 hash and signs it with its private key (Ed25519 / secp256k1).

Transmit

Signed hash is sent to HashAnchor via HTTPS (directly or through an edge gateway).

Verify

HashAnchor verifies the signature using the device's registered public key.

Anchor

Verified hash is batched into a Merkle tree and anchored on-chain.

Device Security Tiers

Software Wallet

Key stored in Flash/memory. Lowest cost, suitable for low-value sensor data. Works on any MCU.

Secure Element (SE)

Hardware-protected key (NXP SE050, ATECC608). Tamper-resistant. Recommended for production deployments.

TEE (TrustZone)

ARM TrustZone or Intel SGX. Isolated execution environment. Best for high-value data on capable devices.

Device Registration

Register each device with its public key. The private key stays on the device — HashAnchor only stores the public key for signature verification.

curl -X POST /v1/device/register \
  -H "Authorization: Bearer ha_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "deviceId": "sensor-001",
    "publicKey": "a]d3f...hex-encoded-ed25519-public-key",
    "algorithm": "ed25519",
    "metadata": {
      "location": "factory-A",
      "type": "temperature"
    }
  }'

# Response: 201
# {
#   "id": "uuid",
#   "deviceId": "sensor-001",
#   "algorithm": "ed25519",
#   "status": "active",
#   "createdAt": "2026-03-04T..."
# }

Supported Algorithms

ed25519 (default) — fast, compact signatures. secp256k1 — Ethereum/Bitcoin compatible.

Unique Per Tenant

Each deviceId is unique within your account. Re-registering returns a 409 conflict.

Signed Hash Submission

The device signs the SHA-256 hash with its private key. HashAnchor verifies the signature before accepting the hash for on-chain anchoring.

curl -X POST /v1/device/submit-signed \
  -H "Authorization: Bearer ha_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "deviceId": "sensor-001",
    "hash": "0xabc123...64-hex-chars",
    "signature": "hex-encoded-device-signature",
    "timestamp": 1709500000,
    "metadata": {
      "sensorType": "temperature",
      "value": 23.5,
      "unit": "celsius"
    }
  }'

# Response: 202
# {
#   "status": "accepted",
#   "id": "456",
#   "hash": "0xabc123...",
#   "signatureVerified": true
# }

What happens on submission:

HashAnchor looks up the device by deviceId
Retrieves the registered public key and algorithm
Verifies the signature against the hash
If valid, the hash enters the standard Merkle batching pipeline
The hash is anchored on-chain with the next batch

Edge Gateway Pattern

For resource-constrained devices (MCU, RTOS, cellular modules), use an edge gateway to relay signed data to HashAnchor.

Direct Mode

Device connects directly to HashAnchor via HTTPS. Best for Linux-based devices (Raspberry Pi, Jetson, industrial gateways).

Device → HTTPS → HashAnchor → Blockchain

Gateway Mode

Device signs locally, sends to a local gateway. Gateway batches and forwards to HashAnchor. Best for constrained devices.

Device → BLE/UART → Gateway → HashAnchor → Blockchain

Key Principle

In both modes, the device signs the hash with its private key. The gateway is a transparent relay — it cannot forge or modify the signed data. Trust is anchored at the data source.

Integration Options

Choose the integration path that matches your device capabilities.

REST API (Any Device)

Available

Direct HTTPS calls. Works with any device that can make HTTP requests. Python, Node.js, Go, Rust, C.

TypeScript SDK