Compliance Certificates
How EZ2257 compliance certificates work — RS256 JWTs that let partner platforms verify documentation status offline.
What is a compliance certificate?
When a producer completes documentation for a production in the EZ2257 UI, EZ2257 issues a signed RS256 JWT — a compliance certificate. Your platform stores this certificate alongside the content. A federal inspector or payment-network auditor can verify it offline using the public JWKS without calling the EZ2257 API.
Certificate payload
{
  "iss": "easy2257.com",
  "sub": "prod_abc123",
  "performerCount": 3,
  "documentedAt": "2026-04-24T18:00:00Z",
  "custodian": {
    "name": "EZ2257 LLC",
    "address": "123 Compliance Ave, Los Angeles CA 90001, US"
  },
  "partnerId": "ptn_xyz",
  "iat": 1714000000,
  "exp": 1745536000
}
Algorithm: RS256. Issuer: easy2257.com. Expiration: 1 year from issuance.
Offline verification
Fetch the public JWKS from https://easy2257.com/.well-known/jwks.json. Cache for 24 hours. Verify the JWT signature with the key matching the kid header. Any RS256-capable library works:
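import { createRemoteJWKSet, jwtVerify } from 'jose';

// Remote JWKS resolver; jose selects the key whose kid matches the JWT header.
const JWKS = createRemoteJWKSet(new URL('https://easy2257.com/.well-known/jwks.json'));
// Pin the issuer and the algorithm so the token header cannot choose a different one.
const { payload } = await jwtVerify(certificate, JWKS, { issuer: 'easy2257.com', algorithms: ['RS256'] });
Revocation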
Certificates are revoked when a performer requests content removal or on annual renewal. A valid signature does not show that a certificate is still current, so poll the Certificate Revocation List endpoint daily. For real-time signals, subscribe to the production.takedown_requested and production.certificate_renewed webhooks.
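The offline check and the revocation step described above, combined in one verifier that uses only Node's built-in crypto module. This is an added example, not EZ2257 code: the key pair, the kid `demo-key-1`, `signDemoCertificate`, `verifyCertificate` and the `isRevoked` callback are constructed or hypothetical, and the shape of the revocation data is an assumption because the page does not describe it.

```javascript
// Added example (not EZ2257 code): offline RS256 check with Node's built-in crypto.
const crypto = require('node:crypto');
const b64u = (s) => Buffer.from(s).toString('base64url');

// Constructed stand-ins for the real signing key and the cached JWKS document.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const cachedJwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'demo-key-1' }] };

// Demo-only issuer: signs constructed claims so the verifier has input to run on.
function signDemoCertificate(claims, header = { alg: 'RS256', kid: 'demo-key-1' }) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url')}`;
}

// isRevoked is a hypothetical callback backed by your locally stored revocation data.
function verifyCertificate(token, jwks, isRevoked, nowSec = Math.floor(Date.now() / 1000)) {
  const fail = (reason) => ({ ok: false, reason });
  const parts = String(token).split('.');
  if (parts.length !== 3) return fail('malformed');
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
    payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return fail('malformed');
  }
  if (!header || !payload) return fail('malformed');
  // Pin the algorithm: the token header must never pick how it gets verified.
  if (header.alg !== 'RS256') return fail('bad_alg');
  // Select the key by kid, as the page describes, and require an RSA key.
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'RSA');
  if (!jwk) return fail('unknown_kid');
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const sig = Buffer.from(parts[2], 'base64url');
  if (!crypto.verify('RSA-SHA256', signed, key, sig)) return fail('bad_signature');
  // Claims are trusted only after the signature has been checked.
  if (payload.iss !== 'easy2257.com') return fail('bad_issuer');
  if (typeof payload.exp !== 'number' || payload.exp <= nowSec) return fail('expired');
  if (isRevoked(payload)) return fail('revoked');
  return { ok: true, payload };
}
```

In production, `cachedJwks` would be the JSON fetched from the JWKS URL and kept for the 24-hour cache window, and `isRevoked` would consult the revocation data you refresh daily.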
Delivery
Certificates are delivered in the production.documented webhook payload when documentation completes. Store them in your database indexed by productionId.