Retrieve an entry by UUID: `rekor-cli get --uuid <uuid> --format json` and inspect the `body` and `integratedTime` fields
Search for entries by artifact hash: `rekor-cli search --sha <sha256-hex>` to find all Rekor entries for a given artifact
Verify the inclusion proof of an entry: `rekor-cli verify --artifact <file> --signature <sig.pem> --public-key <key.pem>` returns the log index and proof
Cross-check the `logID` and `rootHash` in the inclusion proof against the Rekor signed checkpoints published at the Rekor metrics endpoint
Known gotchas
Rekor UUIDs are derived from the leaf hash; the same artifact signed twice produces two distinct entries with different UUIDs — search by hash rather than UUID when auditing
The Rekor public instance (`rekor.sigstore.dev`) is append-only and global; any artifact hash you upload is permanently public, so never submit hashes that could be correlated with private data
Inclusion proofs are Merkle proofs anchored to a specific tree size; verifying against a stale root hash can fail if the tree has grown — always fetch the latest signed tree head first
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp