Manifest Walkthrough

A manifest file is the blueprint for generating a Web Proof. It defines what data to fetch, how to fetch it, and what parts to prove. This guide walks through creating a manifest file step by step.

Understanding the Structure

A manifest has three main sections:

Base fields - Core metadata about what’s being proved
Request object - How to fetch the data
Response object - What parts of the response to verify

Base Fields

Required Metadata

{
  "manifestVersion": "1",
  "id": "example-manifest",
  "title": "Reddit Karma Score",
  "description": "Proves a user's Reddit karma score is above 1000"
}

These fields help identify and track your manifest:

manifestVersion: Always use “1” for now
id: A unique identifier for your manifest
title: A human-readable name (keep it concise)
description: A detailed explanation of what’s being proved

Authentication (Optional)

{
  "prepareUrl": "https://reddit.com/login"
}

If your data requires authentication:

Add a prepareUrl pointing to the login/auth page
Create a prepare.js file to handle the auth flow
The Chrome extension will handle obtaining cookies and tokens

See the Reverse Engineering APIs guide for details on handling authenticated endpoints.

Request Object

Core Request Details

{
  "request": {
    "method": "GET",
    "url": "https://api.reddit.com/user/example/about",
    "headers": {
      "Content-Type": "application/json",
      "Accept": "application/json"
    }
  }
}

The request object defines how to fetch your data:

method: The HTTP method to use
url: The API endpoint (can include variables like <% userId %>)
headers: Required headers that must match exactly

Additional Headers

{
  "request": {
    "extra": {
      "headers": {
        "User-Agent": "Mozilla/5.0..."
      }
    }
  }
}

Use extra.headers for headers that:

Are needed but shouldn’t be verified
May change between requests
Are automatically set by browsers

Request Body (for POST/PUT)

{
  "request": {
    "body": {
      "query": "example",
      "limit": 10
    }
  }
}

For POST/PUT requests, specify the body as either:

A JSON object (will be serialized)
A string (sent as-is)

Response Object

Status Code

{
  "response": {
    "status": "200"
  }
}

Verify the response was successful. Common codes:

200: Success
201: Created
204: No Content

Response Headers

{
  "response": {
    "headers": {
      "Content-Type": "application/json"
    }
  }
}

Specify headers that must be present and match exactly. Useful for:

Verifying content types
Checking cache headers
Validating security headers

Response Body

{
  "response": {
    "body": {
      "json": [
        ["data", "total_karma"],
        ["data", "name"]
      ]
    }
  }
}

The body.json array specifies which parts of the JSON response to extract and verify:

Each inner array is a path to a value
Paths are traversed in order
Only specified values are included in the proof

💡

Use the Manifest Builder to visually select JSON paths and generate this configuration.

Testing Your Manifest

Use the Manifest Builder to create and test your manifest
Test proof generation with your manifest
Debug issues using browser dev tools

Next Steps

Try the Public Data guide for a hands-on example
Learn about authenticated data
Explore example implementations

Reverse Engineering APIs React SDK