Architecture

A high-level map of what backs every attestation. You don't need this to integrate, but it's what makes the data trustworthy.

On-chain program

A Solana program (Anchor) on devnet holds attestations as program-derived accounts (PDAs):

Program ID: 7jaScjdweyaX6HhzexauEiMe7s7zoqWnkQYLSbNaezeK

When you request an attestation, the program records a request event; the resulting data is written back as a PDA the program owns. See On-chain primitives for accounts + instructions.

Master Broker

The Master Broker is the signer authorized to write attestations. Every attestation's provider_pubkey is the Master Broker:

9BHC6c5Gv9tUL3DCzRSGkdApdU2QMwh29pxH4Q6zV9xR

Verifying that the writing transaction was Master-Broker-signed (and the PDA is program-owned) is the core of on-chain verification.

Hardware-anchored cold upgrade authority

The program's upgrade authority is held on a hardware wallet (Ledger secure element), not a hot software key:

26EsRFpA8AgGWMo9gAQGhRZvLn5LSk8JYdCdVxogkfa5

Upgrades require physical hardware approval — raising the bar for unilateral or compromised-key changes to the program. (Multi-sig over the upgrade authority is on the roadmap, pre-mainnet.)

Hash-only data model

The on-chain record is an authenticity + integrity anchor, not a data warehouse. The authoritative field is:

raw_snapshot_hash = SHA-256(raw vendor JSON)

The full data payload is returned in the attestation response; the chain stores the hash (plus typed fields, some of which may be placeholder in V1). This keeps on-chain costs bounded while letting anyone prove a payload is exactly what Themra attested — recompute the hash and compare. Treat the chain as the proof, the response as the data.

Settlement

Two on-chain settlement paths exist: the operator pays the SOL fee for attestation writes server-side, and customers pay USDC for quota via the x402 /v1/topup flow (settled through the Coinbase Developer Platform facilitator, then re-verified on-chain before crediting).