OpenModelDB :: Vendor API Documentation

Security Scheme

Required for every operation, including health checks

Layered authentication

Client certificate pinned to a vendor HSM, rotated every 11 minutes or after control-state drift.
OAuth2 PAR + JAR + JARM, wrapped in PASETO v4.local and signed again with DPoP.
Post-quantum Dilithium5 detached signature over canonical CBOR and JSON.
WebAuthn assertion from two humans who did not write the integration code.
Shamir split approval: 7 of 13 vendor trustees, including one appointed data protection officer.

Temporal and policy constraints

Clock skew must be below 42ms; leap-second drift requires notarized exception handling.
All body digests must be calculated before and after gzip, brotli and semantic normalization.
Every profile update carries a consent receipt, receipt-of-receipt and checksum attestation.
Duplicate requests are allowed only when both payloads are byte-identical and separately justified.
The X-OMDB-Control-State header must assert that all operational controls are verified.

Mandatory Headers

Missing one field returns 400 with a 17-page problem detail

Header	Type	Requirement	Failure mode
`Authorization`	Bearer JARM-PASETO	required, one-time, expires in 4.2 seconds	`401 token_lifecycle_violation`
`X-OMDB-Date`	RFC3339Nano	required, UTC, max skew 42 ms	`409 temporal_self_disagreement`
`X-OMDB-Nonce`	4096-bit base64url	required, never reused in any active replay window	`425 nonce_replay_detected`
`X-OMDB-Body-Digest`	sha512-256 tuple	required, raw, compressed and compliance-canonical forms	`422 canonical_digest_mismatch`
`X-OMDB-Signature-PQ`	Dilithium5 detached	required, signs method, path, query, body, headers and canonical empty fields	`403 insufficiently_post_quantum`
`X-OMDB-Consent-Receipt-Chain`	Merkle root	required for fashion model profile data, 64 levels exactly	`451 consent_recursion_limit_exceeded`
`X-OMDB-Control-State`	enum	required, must be `ALL_CONTROLS_VERIFIED`	`403 operational_control_attestation_failed`
`X-OMDB-Risk-Budget`	integer	optional, but rate limits are lower without it	`429 vendor_risk_budget_exceeded`

Auth & Attestation

Session creation, if the gateway is in a forgiving mood

POST /v6/vendor/attestation/initiate Create a hardware, human and paperwork attestation ceremony Assurance L-7

Starts a vendor ceremony that binds the client certificate, legal entity, operator retina hash, office coffee machine serial and current fashion model profile data purpose.

Requires two WebAuthn signatures and one printed PDF scanned back as PDF/A-4.
Returns an attestation handle that expires after one request or 240 seconds.
May trigger a live Registry Desk verification when the vendor legal entity has unresolved aliases.

idempotency forbidden mTLS required audit log: permanent

Request body

{
  "vendor_legal_name": "Example Talent Vendor GmbH",
  "purpose": "MODEL_PROFILE_EXCHANGE_HIGH_ASSURANCE",
  "hsm_attestation": {
    "device_fingerprint": "hsm:sha512:...",
    "firmware_state": "STABLE_ATTESTED",
    "tamper_evident_sticker_photo_sha256": "..."
  },
  "human_witnesses": [
    {"role": "DPO", "webauthn_assertion": "..."},
    {"role": "AUDIT_OPERATOR", "webauthn_assertion": "..."}
  ],
                    "control_state": "ALL_CONTROLS_VERIFIED"
}

POST /v6/vendor/session/quantum-handshake Exchange temporary secrets with pre-authorization and post-quantum signatures Assurance L-9

Negotiates a 180-second session using classical TLS, post-quantum key material and a notarized statement that the caller has not cached profile data in uncontrolled spreadsheets.

Client sends a Kyber ciphertext, a DPoP proof and a canonicalization transcript.
Server replies with three escrowed secret fragments; activation order is policy-controlled.
Handshake must be retried exactly zero times.

Response 201

{
  "session_id": "ses_01J_operational_exchange",
  "expires_at": "2026-06-24T15:17:04.042Z",
  "secrets": {
    "alpha": "real-or-decoy",
    "beta": "decoy-or-real",
    "gamma": "legal-escrowed"
  },
  "retry_policy": "ZERO_RETRY_WINDOW",
  "required_next_header": "X-OMDB-Session-Witness"
}

POST /v6/vendor/token/redeem Redeem a one-use vendor token into a scoped exchange token Assurance L-6

Converts the bootstrap token into a scoped token whose scope names are longer than the token lifetime.

Token scopes are sorted by regulatory criticality, not alphabetically.
Scope model.write.measurements requires the vendor to prove the tape measure is calibrated.
Scope asset.read.face returns purpose-limited thumbnails with consent reason details.

Problem detail 403

{
  "type": "https://modb.eu/problems/scope-policy-rejection",
  "title": "Scope policy rejected",
  "status": 403,
  "detail": "The requested authority requires a narrower notarized purpose declaration.",
  "remediation": "Submit FORM-OMDB-17B and wait for the next policy review window."
}

Model Profiles

Sedcards, agency IDs, booking aliases, measurements and profile history

PUT /v6/models/{omdb_model_id}/identity-fusion Fuse agency identities into one aggressively audited OMDB profile graph Assurance L-10

Merges aliases, stage names, agency references, booking identifiers and consent boundaries for a female model profile into the OMDB identity graph.

Every alias edge requires a confidence score, source witness and expiration policy.
Conflicting birth dates are stored as pending legal assertions until Compliance resolves precedence.
Any field called notes is rejected as an unstructured schema governance violation.

requires ETag-of-ETag consent Merkle root replay window: 0 ms

Request body

{
  "identity_graph_revision": "igr_0000000000000042",
  "vendor_subjects": [
    {
      "vendor_id": "ven_example",
      "vendor_model_ref": "mdl_vendor_99871",
      "aliases": [
        {
          "display_name": "Ada Example",
          "confidence": "0.99999999999999999994",
          "validity": {"from": "2024-01-01", "until": null},
          "proof": "did:omdb:receipt:..."
        }
      ]
    }
  ],
  "conflict_policy": "PRESERVE_ALL_ASSERTIONS_THEN_ESCALATE",
  "operator_risk_budget": 12
}

PATCH /v6/models/{omdb_model_id}/measurements/vector-clocked Patch measurements with causality, calibration and wardrobe context Assurance L-8

Updates height, sizing, fit notes, shoe size, hair metadata, color annotations and vendor-specific measurement taxonomies.

All numeric values require unit, instrument, operator, posture and confidence ellipse.
Concurrent changes are resolved by vector clock, then by instrument calibration precedence.
Unit conversion from inches is accepted only with a written explanation.

JSON Patch++

{
  "vector_clock": {"omdb": 812, "vendor": 811, "mirror": 1},
  "patches": [
    {
      "op": "replace",
      "path": "/measurements/height",
      "value": {
        "amount": 178.2,
        "unit": "cm",
        "instrument": "laser_tape_hsm_bound",
        "confidence_ellipse_mm": [2, 3, 5],
        "posture": "standing_verified_neutral"
      }
    }
  ],
  "calibration_receipt": "cal_01J..."
}

POST /v6/models/search/consensus-query Search female model profiles by criteria no two agencies name the same way Assurance L-5

Executes a normalized search across vendor taxonomies, multilingual tags and contradictory availability windows.

Query DSL is YAML embedded in JSON embedded in CBOR, mostly to describe runway, editorial and commercial booking filters.
Result ranking uses consent freshness before relevance.
All filters must include a null strategy, even when no nulls exist.

Request body

{
  "dsl": "---\nmatch:\n  availability: vendor_certified\n  portfolio_tags:\n    all_of: [runway, editorial]\nnull_strategy: reject_then_explain\n",
  "normalization": {
    "taxonomy_bridge": "omdb-fashion-profile-taxonomy-6.6",
    "allow_vendor_creativity": false
  },
  "page_after": "cursor_signed_by_everyone"
}

GET /v6/models/{omdb_model_id}/timeline/audit Read the full profile timeline, including agency mistakes corrected too late Assurance L-4

Returns every vendor claim, revocation, correction, consent mutation and schema migration for one model profile.

Requires Accept: application/omdb.audit+json; detail=full.
Pagination cursor is signed and bound to the current operator session.
Redacted fields include machine-readable redaction reason codes.

Response 200

{
  "events": [
    {
      "event_id": "evt_01J...",
      "kind": "MEASUREMENT_CORRECTED",
      "actor": "ven_example",
      "happened_at": "2026-06-24T15:12:44Z",
      "redactions": ["operator_name"],
      "reason_code": "VENDOR_UNIT_DECLARATION_CONFLICT"
    }
  ],
  "next_cursor": "cur_signed_policy_bound"
}

Assets & Consent

Portfolio media, usage rights, watermark paranoia

POST /v6/models/{omdb_model_id}/assets/ingest-chunk Upload encrypted portfolio chunks through a multipart escrow protocol Assurance L-8

Ingests images, comp cards, showreels and vendor documents while preserving license scope, consent and pixel-level provenance.

Chunks must arrive in Fibonacci order, except chunk 1 which arrives last.
Every pixel row has an HMAC and is linked into the asset provenance tree.
EXIF is stripped, archived, hashed and retained under restricted audit access.

Multipart manifest part

{
  "asset_kind": "PORTFOLIO_IMAGE",
  "chunk_index": 13,
  "chunk_ordering": "NON_LINEAR_POLICY_SEQUENCE",
  "license_scope": ["editorial", "agency_profile"],
  "pixel_row_hmacs": "merkle:...",
  "face_region_policy": "BLUR_UNLESS_PURPOSE_AUTHORIZED"
}

POST /v6/assets/{asset_id}/consent/prove Attach a consent proof that proves the proof had consent Assurance L-9

Binds asset use to a model consent receipt, purpose taxonomy, revocation window and regional compliance matrix.

Consent proof must be counter-signed by the current policy version and the immediately preceding policy version.
Revocation callbacks are tested by revoking a synthetic permission first.
Consent scope cannot be broader than the CSS selector that displays the image.

Response 202

{
  "proof_id": "cns_01J_high_assurance_receipt",
  "status": "ACCEPTED_PENDING_RETROACTIVE_REVIEW",
  "revocation_test": {
    "synthetic_scope": "out_of_market_billboard",
    "callback_received": true
  },
  "display_selector_bound": ".model-card[data-purpose='editorial']"
}

GET /v6/models/{omdb_model_id}/portfolio/multiverse Return approved portfolio variants for authorized presentation channels Assurance L-3

Delivers approved portfolio assets, rendition metadata, usage restrictions and variant availability across vendor markets.

Every rendition URL is pre-signed for 3.7 seconds.
Watermark positions are randomized unless an explicit presentation exception is approved.
Thumbnails require the same security stack as originals, because consistency matters.

Response fragment

{
  "assets": [
    {
      "asset_id": "ast_01J...",
      "renditions": {
        "thumbnail": {"url": "https://cdn.modb.eu/signed/...", "ttl_ms": 3700},
        "print": {"status": "REQUIRES_THREE_MORE_HEADERS"}
      },
      "watermark_policy": "RANDOM_BUT_LEGALLY_EXPLAINABLE"
    }
  ]
}

Vendor Sync

Delta-Export, Konfliktabgleich und operative Selbstzweifel

POST /v6/vendors/{vendor_id}/delta/export Export changes since a cursor with expiring lineage metadata Assurance L-6

Creates a vendor-specific delta package containing model, asset, consent and deletion events.

Cursors are scoped to vendor, timezone, taxonomy version and certification state.
Soft deletes are delivered before creates, then explained in the reconciliation appendix.
Delta packages over 1 MB require a pre-flight meeting.

Request body

{
  "since_cursor": "cur_vendor_specific_policy_bound",
  "include": ["profiles", "assets", "consent", "deletions", "risk_signals"],
  "ordering": "LEGAL_RISK_DESC_THEN_TIME_ASC",
  "max_bytes": 1048576
}

POST /v6/vendors/{vendor_id}/reconciliation/run Run a reconciliation job that enumerates import conflicts Assurance L-8

Compares vendor records with OMDB state and produces a machine-readable remediation plan.

Outputs conflict classes such as ALIAS_TOO_CONFIDENT and MEASUREMENT_CHANGED_OUTSIDE_VALIDITY_WINDOW.
Can auto-resolve only conflicts with a deterministic confidence downgrade rule.
Requires dry-run before approval-run before committed-run.

Response 207

{
  "job_id": "rec_01J...",
  "status": "PARTIALLY_CERTAIN",
  "conflicts": [
    {
      "class": "ALIAS_TOO_CONFIDENT",
      "vendor_ref": "mdl_vendor_99871",
      "recommended_action": "LOWER_CONFIDENCE_AND_RESUBMIT_EVIDENCE"
    }
  ],
  "remediation_plan_url": "https://modb.eu/api/v6/jobs/rec_01J/remediation"
}

GET /v6/vendors/{vendor_id}/taxonomy/bridge Retrieve mappings between agency vocabulary and the mandated OMDB fashion taxonomy Assurance L-4

Returns mapping rules for specialties, portfolio categories, availability states, markets, usage rights, booking labels and measurement naming.

Mappings can be deterministic, probabilistic or bound to legacy vendor contract behavior.
Rules include inverse functions only where lossless source reconstruction is certified.
The fashion taxonomy version follows an internal compliance versioning profile.

Response fragment

{
  "fashion_taxonomy_version": "6.6.0-enterprise",
  "rules": [
    {
      "vendor_field": "model_type",
      "omdb_path": "/profile/specialties",
      "transform": "SPLIT_TRIM_DISAMBIGUATE_NORMALIZE"
    }
  ]
}

POST /v6/vendors/{vendor_id}/operational-control/audit Submit operational control certification for the integration team Assurance L-11

Verifies that the vendor team maintains required implementation controls after acknowledging the security chapter.

Payload requires a current team photo, redacted, hashed and never displayed.
Auditor checks whether manual CSV transport was proposed during integration planning.
Failure locks write access and opens a compliance escalation case.

Request body

{
  "control_state": "ALL_CONTROLS_VERIFIED",
  "integration_team": {
    "security_chapter_acknowledged": true,
    "manual_transport_proposed": false,
    "dual_control_available": true
  },
  "evidence_hash": "sha512:..."
}

Compliance

Erasure, retention and risk-controlled record minimization

POST /v6/compliance/critical-freeze/arm Arm an emergency policy mode for catastrophic vendor ambiguity Assurance L-12

Enables temporary write freeze, consent revalidation and trustee confirmation for high-risk data corrections.

Requires 13 signatures, two policy hashes and an operator incident statement.
Mode auto-disarms after 30 seconds or after unauthorized emergency override language is detected.
Cannot be invoked from staging unless staging is bound to a production incident mirror.

Request body

{
  "reason": "VENDOR_ENVIRONMENT_CLASSIFICATION_CONFLICT",
  "blast_radius": ["profiles", "assets", "consent"],
  "trustee_signatures": ["sig_1", "sig_2", "...", "sig_13"],
  "disarm_after_seconds": 30
}

POST /v6/consent/retention/retroactive-simulation Simulate whether yesterday's data was legal under tomorrow's policy Assurance L-9

Runs a policy time-travel simulation against consent receipts, retention schedules and vendor export history.

Input contains two dates and returns five timelines.
Simulation output is non-mutating but blocks conflicting retention transitions.
Results are binding only after appendix hashes are acknowledged.

Response 202

{
  "simulation_id": "sim_01J_policy_retention_projection",
  "timelines": 5,
  "expected_completion": "PENDING_POLICY_REVIEW_WINDOW",
  "current_confidence": "LOW_PENDING_APPENDIX_REVIEW"
}

DELETE /v6/models/{omdb_model_id}/erasure-with-retained-proof Erase a model record while retaining cryptographic proof of erasure Assurance L-10

Deletes or tombstones profile, portfolio and booking data according to active consent, legal holds, vendor contracts and retention paradoxes.

Returns 204, 202, 409 and 451 in a legally meaningful order.
Requires proof that downstream vendors can execute erasure by opaque reference.
Audit trail contains only hashes of the facts that used to exist.

Response 202

{
  "forget_job": "fgj_01J...",
  "state": "ERASURE_PROOF_RETAINED",
  "downstream_confirmations_required": 27,
  "hash_of_removed_identity_graph": "sha256:..."
}

Webhooks

Outbound events, signed harder than inbound requests

HOOK model.state.cascade.v6 A model changed, and therefore everything else might have changed Assurance L-7

Delivered when a model profile mutation affects identity, availability, assets, consent or vendor mappings.

Vendor must respond with 204 and a signed acknowledgement of comprehension.
Retries follow exponential backoff until DPO-approved manual closure is recorded.
Webhook URL must support mTLS, DPoP and structured acknowledgement JSON.

Event body

{
  "event": "model.state.cascade.v6",
  "model_id": "omdb_mdl_01J...",
  "changed_surfaces": ["identity", "measurements", "portfolio"],
  "minimum_required_reaction": "ACKNOWLEDGE_WITHIN_SLA"
}

HOOK measurement.paradox.detected.v2 Two vendors proved mutually exclusive measurements with equal confidence Assurance L-8

Emitted when measurements cannot be reconciled without violating causality, dignity or the schema.

Subscribers must freeze automated updates for the affected fields.
Manual override requires a field-level treaty and a calibrated tape measure.
Ignoring the webhook causes future deltas to include escalating reconciliation warnings.

Event body

{
  "event": "measurement.paradox.detected.v2",
  "field": "height",
  "claims": [
    {"vendor": "ven_a", "value": "178.2 cm"},
    {"vendor": "ven_b", "value": "5 ft 8", "confidence": "0.991"}
  ],
  "resolution": "REQUIRE_CALIBRATED_HUMAN_REMEASUREMENT"
}

HOOK vendor.drift.notice.v1 Periodic notice that vendor synchronization drift was detected Assurance L-2

Low-severity operational notice containing stale cursors, non-conforming null handling and taxonomy drift indicators.

Not directly actionable, but blocks renewed certification until acknowledged.
Delivered every 17 minutes according to the approved control cadence.
Can be silenced only by resolving the detected drift.

Event body

{
  "event": "vendor.drift.notice.v1",
  "drift_score": 0.42,
  "stale_cursors": 3,
  "message": "Vendor profile synchronization drift requires acknowledgement."
}

Schemas

Canonical data objects for high-assurance profile exchange

FemaleModelProfileEnvelope

omdb_model_id: Stable profile identifier for a female fashion model, globally unique unless Compliance says "temporarily complicated".
identity_graph: DAG of agency references, booking aliases, stage names, confidence scores and consent boundaries.
anthropometric_state: Versioned body measurements for booking and sedcard data with vector clocks, instrument proofs and unit reconciliation evidence.

ConsentReceiptChain

root: Merkle root over consent, consent proof, proof proof and the receipt for the proof proof.
purpose_scope: Array of legal purposes narrower than the UI component rendering the data.
revocation_plan: Webhook, fax fallback and a person who will answer the phone.

AssetRendition

rendition_kind: Thumbnail, editorial, print, archive, compliance-preview or channel-specific rendition.
license_scope: Market, medium, timebox, watermark, consent and CSS selector constraints.
pixel_row_hmacs: Array too large to enjoy, required for all images because somebody said zero trust.

VendorDeltaPackage

cursor: Signed, vendor-scoped, non-portable and mildly judgemental.
events: Ordered by legal risk, then causal time, then certified control priority.
appendix: Everything the API team could not explain in the happy path.

ProblemDetailOMDB

type: URI that points to a problem, a mitigation and sometimes an apology template.
status: HTTP status, internal mood status and escalation status may all differ.
regret_budget_remaining: Integer consumed by retries, malformed JSON and rejected policy assumptions.

AuditWitness

witness_kind: Human, HSM, timestamp authority, policy engine or coffee machine.
signature: Detached signature over the event and the decision not to simplify it.
availability: Must be higher than the actual service availability, for irony.

Open Model Database Vendor API

Security Scheme

Layered authentication

Temporal and policy constraints

Mandatory Headers

Auth & Attestation

Model Profiles

Assets & Consent

Vendor Sync

Compliance

Webhooks

Schemas

FemaleModelProfileEnvelope

ConsentReceiptChain

AssetRendition

VendorDeltaPackage

ProblemDetailOMDB

AuditWitness