Deploy Evidence

post

https://{jfrog_url}/evidence/api/v1/subject/{subjectRepoPath}

Deploys an evidence file for the designated subject that complies with the DSSE framework and the in-toto Attestation Framework. This API endpoint deploys an external evidence file that was created elsewhere. An efficient method for attaching evidence to a subject, such as an artifact, is to use the Create Evidence CLI. This feature is supported with the Enterprise+ license.

Recent Requests

Time	Status	User Agent
Retrieving recent requests…

Loading…

Path Params

subjectRepoPath

string

required

Subject repository path (e.g., commons-dev-generic-local/commons/1.0.0/file.txt)

Query Params

providerId

string

Evidence provider identifier

Body Params

Evidence file in JSON format (DSSE envelope with in-toto attestation). Optionally includes attachment references to files already stored in Artifactory. Requires Artifactory >= 7.142.0.

DSSE (Dead Simple Signing Envelope) containing an in-toto attestation

payload

string

required

Base64-encoded serialized in-toto Statement. Decoded shape:

{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [
    {
      "name": "example-binary",
      "digest": { "sha256": "4529c29..." }
    }
  ],
  "predicateType": "https://slsa.dev/provenance/v0.2",
  "predicate": { "...": "..." },
  "createdAt": "2026-02-09T11:45:00Z",
  "createdBy": "github-actions-bot",
  "markdown": "### Build Success\nThe binary was compiled using Go 1.22.",
  "attachments": [
    { "name": "build-log.txt", "sha256": "e3b0c44..." }
  ]
}

The attachments field inside the Statement is optional and is part of the signed payload (the signer commits to exactly that set).

payloadType

string

required

Media type of the DSSE payload (must be application/vnd.in-toto+json).

The same endpoint also accepts two other body shapes (auto-detected by the service - do not send a DSSE envelope if you use these):

Sigstore Bundle - top-level mediaType with prefix application/vnd.dev.sigstore.bundle (e.g. application/vnd.dev.sigstore.bundle.v0.3+json); the bundle embeds its own DSSE envelope.
OCI Evidence Bundle - top-level type: "oci.bundle"; the bundle embeds a DSSE envelope plus a public key.

signatures

array of objects

required

One or more DSSE signatures over the payload

signatures*

attachments

array of objects

length ≤ 1

Attachment references to associate with the evidence during creation. At most one attachment is supported. Requires Artifactory >= 7.142.0.

attachments

Responses

201Created - Evidence deployed successfully

400Bad Request - Invalid subject path, malformed body, or unsupported evidence payload.

401Bad Credentials - The request failed because the authentication token is invalid or expired.

403Permission Denied - The request failed because the authenticated user does not have the required Read and Annotate permissions for the subject repository path.

404Not Found - The specified subject does not exist.

409Conflict - Evidence already exists for the specified subject.

412Precondition Failed - Requested attachment features are not supported by the connected Artifactory version.

413Payload Too Large - The request body exceeds the maximum allowed size.