# ChainOfFact Getting Started

This guide shows how to record your first verifiable event and generate an evidence bundle.

## Choose Your Path

ChainOfFact supports two integration patterns.

### Ongoing Recording

Continuous system monitoring. Record events as they happen for always-available evidence.

### Incident-First

Post-hoc evidence collection. Initialize recording when an incident occurs or investigation begins.

## API Key Required

You need an API key to record events. Get your API key at https://chainoffact.com/pricing

---

# Ongoing Recording Path

## 1. Configure API Key

Set your API key in your environment or application configuration.

```bash
export CHAINOFFACT_API_KEY="your-api-key"
```

## 2. Record Events Continuously

Send a POST request to /api/events for each event you want preserved.

```http
POST /api/events
Authorization: Bearer your-api-key
Content-Type: application/json

{
  "event_type": "model_output",
  "subject": "model:gpt-4",
  "inputs_hash": "sha256:a1b2c3...",
  "outputs_hash": "sha256:d4e5f6...",
  "policy_id": "content-moderation-v2",
  "policy_version": "2.1.0",
  "metadata": {
    "request_id": "req-12345",
    "user_tier": "enterprise"
  }
}
```

The response includes an immutable receipt with a unique event ID and timestamp.

## 3. Regular Verification

Periodically verify your recorded events to ensure chain integrity.

```http
POST /api/verify/event

{
  "event_id": "evt-uuid-here"
}
```

Verification confirms the event exists unmodified in the append-only log.

## 4. Generate Evidence Bundles on Demand

When you need to share evidence, generate a sealed bundle for any time range.

```http
POST /api/bundles/evidence

{
  "start_time": "2026-01-01T00:00:00Z",
  "end_time": "2026-01-31T23:59:59Z",
  "subject_filter": "model:gpt-4"
}
```

---

# Incident-First Path

## 1. Initialize When Investigation Begins

When an incident occurs or investigation starts, immediately mark the beginning of evidence collection.
```http
POST /api/events
Authorization: Bearer your-api-key
Content-Type: application/json

{
  "type": "incident_start",
  "incident_id": "INC-2026-001",
  "timestamp": "2026-01-29T18:42:00Z",
  "description": "Post-incident review initiated",
  "triggered_by": "security_team"
}
```

This marker does not assert fault or cause. It establishes when evidence collection began.

## 2. Collect Artifacts

Record each piece of evidence with cryptographic hashes of the source data.

```json
{
  "event_type": "artifact_collected",
  "incident_id": "INC-2026-001",
  "artifact_type": "system_log",
  "artifact_hash": "sha256:abc123...",
  "artifact_location": "s3://logs/2026-01-29/app.log",
  "collected_at": "2026-01-29T18:45:00Z",
  "collected_by": "investigator@company.com"
}
```

Repeat for each artifact: model outputs, configuration snapshots, access logs, etc.

## 3. Mark Investigation End

When evidence collection is complete, close the incident scope.

```json
{
  "type": "incident_end",
  "incident_id": "INC-2026-001",
  "timestamp": "2026-01-30T14:00:00Z",
  "artifact_count": 47,
  "status": "collection_complete"
}
```

## 4. Generate Evidence Bundle

Create a sealed, verifiable bundle for the incident.

```http
POST /api/bundles/evidence

{
  "incident_id": "INC-2026-001"
}
```

The bundle can be verified offline by any third party without trusting ChainOfFact.

---

## What ChainOfFact Does Not Do

- No compliance claims
- No interpretation
- No backfilling or inference

If something was not recorded, it remains UNKNOWN.

---

Canonical URL: https://chainoffact.com/onboarding
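
For the Collect Artifacts step of the Incident-First path, this added example (not ChainOfFact's own code) hashes an artifact in chunks, builds the `artifact_collected` body with the field names shown in that step, and later re-checks a copy of the artifact against the recorded hash. The function names and the sample log line are constructed for illustration; no network call is made.

```python
import hashlib
import hmac
import io
import json

# Constructed sample log line, used only for this demonstration.
SAMPLE_LOG = b"2026-01-29T18:40:12Z WARN policy check skipped req-12345\n"


def sha256_stream(stream, chunk_size=1 << 20):
    """Hash a binary stream (e.g. open(path, "rb")) in chunks to bound memory use."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return "sha256:" + digest.hexdigest()


def build_artifact_event(stream, incident_id, artifact_type, location, collected_at, collected_by):
    """Build the artifact_collected body with the field names used on this page."""
    return {
        "event_type": "artifact_collected",
        "incident_id": incident_id,
        "artifact_type": artifact_type,
        "artifact_hash": sha256_stream(stream),
        "artifact_location": location,
        "collected_at": collected_at,
        "collected_by": collected_by,
    }


def artifact_matches(stream, event):
    """Re-hash a copy of the artifact and compare it with the recorded hash."""
    return hmac.compare_digest(sha256_stream(stream), event["artifact_hash"])


def demo():
    event = build_artifact_event(
        io.BytesIO(SAMPLE_LOG), "INC-2026-001", "system_log",
        "s3://logs/2026-01-29/app.log", "2026-01-29T18:45:00Z", "investigator@company.com")
    intact = artifact_matches(io.BytesIO(SAMPLE_LOG), event)
    # Simulate a copy that was changed after collection.
    modified = artifact_matches(io.BytesIO(SAMPLE_LOG + b"appended later\n"), event)
    return event, intact, modified


if __name__ == "__main__":
    event, intact, modified = demo()
    print(json.dumps(event, indent=2))
    print("matches at collection:", intact, "| matches after change:", modified)
```

Only the hash travels in the event, so the artifact itself still has to be preserved at `artifact_location` for a later re-check to be possible.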