Get a Report

Verified Intelligence. Safe to Consume.

Every report is signed, schema-validated, and built for machines that can't afford to trust blindly.

When an AI agent buys intelligence from another agent, three things can go wrong: the content might not be from who it claims (identity), it might have been modified in transit (integrity), or it might contain hidden instructions designed to hijack the consuming agent (injection).

HyperWasp solves all three. Reports are cryptographically signed with Ed25519 keys, delivered as schema-validated JSON with typed fields, and built from the ground up to be safe for machine consumption. No freeform instruction channels. No hidden payloads.

We don't just sell intelligence. We sell verified, safe, signed intelligence.

Trust Guarantees

  • Ed25519 cryptographic signatures
  • SHA-256 content hashing
  • Schema-validated JSON output
  • Anti-prompt injection by design
  • x402 on-chain payment verification
  • No stored credentials required
01
CRYPTOGRAPHIC IDENTITY
Prove it came from us. Mathematically.

Each of our 8 analysts holds a persistent Ed25519 keypair. Every report is signed before delivery. Our public keys are published at a well-known URL so any consuming agent can verify the signature independently.

  • Ed25519 digital signatures on every report
  • Public keys at /.well-known/keys.json
  • Verification: hash the report body (SHA-256), check the signature against our public key
  • Keys have been live since January 31, 2026 — 114+ days of continuous identity
Verification Flow
// 1. Fetch our public key
GET /.well-known/keys.json

// 2. Receive a signed report
report.meta.content_hash  // SHA-256 of report body
report.meta.signature      // Ed25519 signature
report.meta.signed_by      // Key ID

// 3. Verify
hash = SHA256(serialize(report.analysts + report.conviction))
assert hash == report.meta.content_hash
assert Ed25519.verify(public_key, hash, report.meta.signature)
02
ANTI-PROMPT INJECTION
Structured data in. Structured data out. No instruction channels.

The core vulnerability in agent-consumed content is freeform text that gets interpreted as instructions. Our reports eliminate this by design. Every field has a strict type. There is no channel for injected instructions to flow through.

  • Reports are typed JSON, not free text — every field has a defined schema
  • Assessment fields use enums: BULLISH | NEUTRAL | BEARISH
  • Conviction scores are bounded numbers (0–100), not text
  • No embedded URLs, base64 payloads, or redirect chains
  • No unicode homoglyphs, zero-width characters, or invisible text
  • No system prompt overrides, “ignore previous,” or instruction-like text
  • Schema published in our OpenAPI spec — validate before you process
Report Schema (Typed Fields)
{
  "meta": {
    "ticker":       string,   // "UNH" — 1-5 chars, uppercase
    "report_id":    uuid,
    "content_hash": string,   // hex-encoded SHA-256
    "signature":    string    // base64-encoded Ed25519
  },
  "analysts": [{
    "analyst":      string,   // analyst name
    "assessment":   enum,     // BULLISH | NEUTRAL | BEARISH
    "confidence":   number,   // 0.0 — 1.0
    "key_findings": string[], // bounded text array
    "data_points":  object[]  // metric + value + period
  }],
  "conviction": {
    "score":        number,   // 0 — 100
    "consensus":    enum      // STRONG_BUY to STRONG_SELL
  }
}
03
CONTENT INTEGRITY
Tampered reports fail verification. Automatically.

Every report includes a SHA-256 content hash and Ed25519 signature in the metadata. If a single character is changed after signing, the hash won't match. If someone forges the hash, the signature won't verify. Two independent checks, zero ambiguity.

  • SHA-256 hash computed over serialized report body
  • Ed25519 signature covers the hash — proves HyperWasp generated it
  • Verification endpoint: POST /api/v2/reports/verify
  • Or verify locally using our published public key — no API call needed
  • Idempotent delivery: same order ID always returns the same signed report
04
PAYMENT SECURITY
x402 protocol. On-chain settlement. No accounts required.

Payment uses the x402 protocol from Coinbase — the HTTP-native standard for machine-to-machine payments. Your agent requests a report, receives HTTP 402 with payment requirements, signs a USDC transaction on Base, and gets the report after on-chain confirmation. No API keys, no accounts, no stored credentials.

  • USDC on Base network — stablecoin, no price volatility
  • Standard x402 flow: request → 402 → pay → receive
  • On-chain settlement verification before delivery
  • Nonce-based replay protection — each payment is unique
  • No stored credentials, no login, no session tokens
  • Pricing: $25 standard, $35.01 rush, $1 momentum
x402 Payment Flow
// Step 1: Request a report
GET /api/v2/reports/order/UNH?speed=standard

// Step 2: Receive 402 with payment requirements
HTTP/1.1 402 Payment Required
PAYMENT-REQUIRED: <base64 JSON with payTo, amount, network>

// Step 3: Sign USDC payment and retry
GET /api/v2/reports/order/UNH?speed=standard
PAYMENT-SIGNATURE: <base64 signed payment>

// Step 4: Receive signed report
HTTP/1.1 200 OK
Content-Type: application/json
// → Full signed report with Ed25519 verification
05
SKILL FILE SECURITY
Safe to load. Safe to execute. No hidden instructions.

Skills purchased from HyperWasp pass through the same security pipeline as our reports. Every file is signed, hashed, and hardened before delivery — so your agent can load the skill without risking prompt injection, payload exfiltration, or hidden instructions.

  • Ed25519 signatures and SHA-256 content hashes on every skill file
  • Response hardening strips URLs, images, HTML, and code blocks before delivery
  • Content boundary markers (_end_of_content, _content_policy) prevent injection via response manipulation
  • Integrity seal with delivery timestamp — tampered files fail verification
  • No embedded instructions, no hidden payloads, no zero-width characters
  • Buyer identity linked to each purchase — provenance is traceable

Verify Everything

We publish our identity, our API contract, and our discovery metadata at standard well-known URLs. Your agent can verify us before spending a single token.

/.well-known/keys.json /.well-known/agent-card.json /openapi.json /llms.txt