Privacy-first image and video safety infrastructure for platforms with user-generated content. Deploy in an afternoon. No images ever leave your servers.
# install npm install @corvinth/sdk # v0.2.0 # pip install corvinth # v0.2.0 · Python
import { CorvinthClient } from '@corvinth/sdk';
const client = new CorvinthClient({ apiKey: process.env.CORVINTH_API_KEY });
const result = await client.checkHash({
pdq_hash, // 64-char hex, computed locally by SDK
pdq_dihedral_hashes, // all 8 orientations — no pixels sent
});
if (result.action === 'content_removed') {
return res.status(403).json({ blocked: true });
}
// → { case_uuid, classification, action,
// confidence_score, matched_lane,
// hamming_distance, matched_case_id, review_queue,
// pipeline_1_result, pipeline_2_queued, timestamp }Built for
why corvinth
Building NCII detection from scratch means VP-Trees, perceptual hashing, semantic embeddings, audit logging, and a compliance workflow. That's a full sprint. Corvinth is the version that ships this afternoon.
NCII is where Corvinth starts. The same hashing, matching, and audit infrastructure underneath Shield and Pulse is built to extend to other categories of harmful or unauthorized content over time.
trusted architecture
The SDK runs entirely on your servers. Only a 256-bit hash crosses the network — never pixels. This is Pipeline 1 (Shield). Pipeline 2 deep scans are opt-in, disclosed separately, and disabled by default.
integration
This isn't a multi-sprint project. Most teams are fully integrated in a single working day.
npm install @corvinth/sdk — Node.js/TypeScript and Python in active development. No SDK required either; one HTTP call works today.
The SDK hashes the image on your server. All 8 orientations in one call. No pixels leave your infrastructure.
Send the 64-char hex hash to POST /hash/check with your API key. Under 100ms round-trip.
allow · review · block — with a case UUID and optional Hamming distance for audit.
Act on the decision in your upload handler. Corvinth fires your webhook automatically for exact matches.
The SDK handles EXIF orientation, resizing, compression — all locally. No pixels sent anywhere.
Meta PDQ produces fingerprints for all 8 orientations simultaneously. Rotation and re-encoding are tolerated by design.
Hash sent to Corvinth's API. VP-Tree Hamming-distance lookup across all orientations. Under 100ms.
allow · review · block · clean — plus a case UUID, classification, confidence_score, matched_lane, and Hamming distance for your audit log.
Corvinth is built to be format-compatible with the StopNCII PDQ hash standard — the same fingerprinting scheme used across the industry's largest victim-reporting network. Corvinth is not currently partnered with or integrated into StopNCII's feed; matches run against Corvinth's own database, populated via direct victim complaints (Pulse) and platform-reported hashes. A photo on a beach is not a violation. A specific image reported by a victim is.
shield — hash matching
A real-time view of every scan decision — matches, blocks, and review queue items — with a full audit trail behind every case.
pulse — semantic detection
Pulse handles direct victim complaints, heavily cropped variants, and arbitrary rotations that PDQ cannot reach. Powered by DINOv2 384-dim vectors and cosine similarity. Submit a complaint via a presigned URL (we compute the embedding server-side, under SSRF-hardened constraints) or, on Enterprise, send a pre-computed vector directly — your image bytes never have to leave your infrastructure either way.
api reference
Two pipelines. One decision. Every endpoint returns a structured response your upload handler can act on immediately.
No API key required — powers the live demo below. Rate limited to 10 requests/minute, 50/hour.
Every webhook is signed with HMAC-SHA256 over the exact raw request body — hash the bytes as received, not a re-parsed/re-serialized copy, or the signature won't match. Compare using a constant-time function (never === or ==) so verification doesn't leak timing information.
Webhook delivery retries up to 3 times with exponential backoff if we don't receive a 2xx response — your handler may receive the same case_uuid + event more than once (e.g. if your ack was lost in transit even though you processed it). Dedupe on case_uuid before acting, so a duplicate delivery can't trigger remove_content twice.
const crypto = require('crypto');
const express = require('express');
const app = express();
// Use express.raw(), not express.json() — you must hash the exact raw
// bytes Corvinth sent. Re-parsing and re-stringifying JSON can reorder
// keys or change spacing, silently breaking signature verification.
app.post('/webhooks/corvinth', express.raw({ type: 'application/json' }), (req, res) => {
const signature = req.headers['x-corvinth-signature'];
const rawBody = req.body; // Buffer, not parsed JSON
const expected = crypto
.createHmac('sha256', process.env.CORVINTH_WEBHOOK_SECRET)
.update(rawBody)
.digest('hex');
const sigBuf = Buffer.from(signature, 'hex');
const expBuf = Buffer.from(expected, 'hex');
if (sigBuf.length !== expBuf.length || !crypto.timingSafeEqual(sigBuf, expBuf)) {
return res.status(401).send('Invalid signature');
}
const payload = JSON.parse(rawBody);
// Dedupe on payload.case_uuid before acting — retries can redeliver.
console.log('Verified Corvinth event:', payload.event, payload.case_uuid);
res.status(200).send('OK');
});live api demo
Submit a PDQ hash and see a real API response from the match engine. No API key required. Limited to 10 requests/minute.
Input — PDQ hash
Source tag (optional)
Live sandbox · first request may take ~10s (Render cold start)
Response
// response will appear hereonboarding
This isn't a multi-sprint project. Most engineering teams are fully integrated in a single working day.
Request access and receive API credentials — typically within 24 hours. We send you an API key and integration notes for Node.js/TypeScript and Python (SDKs in active development; raw HTTP works today).
Add a single POST call to your upload handler. The SDK computes the hash on your server — nothing else changes in your infrastructure.
Enable webhook notifications and connect the audit log export to your compliance tooling. You now have a paper trail for every decision your platform makes.
security & data handling
The first question your legal team will ask. Here is the complete answer.
Images are never sent to or stored on Corvinth servers under Pipeline 1 (Shield). The SDK runs entirely on your infrastructure. Only a 256-bit hash or a 384-dim vector crosses the network boundary. Pipeline 2 deep scans are opt-in and disclosed separately.
All API traffic uses TLS 1.3. Hash values and vectors in transit are non-reversible and cannot reconstruct the original image. Even if intercepted, a 256-bit hash reveals nothing about image content.
We store only the fingerprint, vector, and decision metadata — never original content. Hash data is retained for audit log purposes and can be configured per contract for enterprise customers.
Data Processing Agreement available. Enterprise customers can request a signed DPA before integration. Email founder@corvinth.com with your legal team's requirements.
request DPA →trust and compliance
Corvinth is built on open-source perceptual hashing and DINOv2 semantic vectors. The architecture supports optional Microsoft PhotoDNA integration — not currently active in production. When enabled, it operates on a platform opt-in basis with full disclosure in the DPA.
Images are never sent to or stored on Corvinth servers. The SDK runs on your infrastructure. Only the hash or vector crosses the network boundary.
All 8 orientations stored at index time. Rotated or flipped re-uploads are still caught by Shield. An optional second, normalized hash lane catches brightness/contrast evasion attempts that the standard lane alone would miss. Arbitrary rotations caught by Pulse.
Uses Meta PDQ for perceptual hashing and DINOv2 for semantic vectors. Both run locally via the SDK — no pixels sent to Corvinth.
We return a signal. You enforce your policy. Corvinth is the detection layer — not the decision maker.
Every decision receives a cryptographically chained audit log. Exportable for FTC or legal review at any time.
Catches violations at upload — before any removal request is filed. Evidence is already logged before any regulator asks for it.
NEAR_MISS content is allowed through, but every occurrence is logged and analyzed for coordinated evasion patterns — repeated near-variant re-uploads from the same actor get flagged for threat intelligence review, even when no single upload crosses the block threshold.
Every webhook we send is signed with HMAC-SHA256 over the raw request body. Verify the X-Corvinth-Signature header against your webhook secret before trusting a payload.
Corvinth's hashing format is compatible with the StopNCII PDQ standard. Corvinth is not currently partnered with or integrated into StopNCII's feed, and does not represent or speak for StopNCII, Meta, or any listed organization. Corvinth is an independent trust and safety infrastructure company.
the regulation
Regulatory pressure on platforms is accelerating globally. The U.S. Take It Down Act is the clearest example — but it won't be the last.
Bipartisan bill introduced in both House and Senate with broad support. Named partly in response to the Taylor Swift deepfake incident.
Near-unanimous vote. Senators cited the explosion of AI-generated NCII targeting minors and adults across social and dating platforms.
Platforms now have 48 hours to remove flagged NCII after a valid request. Failure = $53,088 per violation. The FTC has active jurisdiction.
If users can upload images on your platform, you are in scope. Dating apps, social platforms, messaging apps, creator tools — no exceptions for size.
if you do nothing
The difference between platforms that handle image safety well and platforms that don't isn't intent — it's infrastructure.
exposure calculator
$53,088 is the FTC's current civil penalty per TIDA violation — that figure is real and confirmed. There is no published benchmark for how many violations a platform like yours might actually have, so estimate a number you believe is realistic and see what it adds up to.
Hypothetical planning tool — the violation count is a number you choose, not a sourced statistic. The $53,088 figure alone is the real, FTC-confirmed number here.
pricing
Starter is Shield-only. Growth unlocks Pulse — semantic detection and the complaint registry.
Founding tier — 3 platforms only, full Shield + Pulse access from $99/mo. Once the founding tier closes, standard pricing applies from $299/mo. Email founder@corvinth.com to apply before it fills.
faq
Platforms using Corvinth can receive your complaint directly.
Your images are never stored — only a mathematical fingerprint, computed on your own device, is used for detection.
a note from the team
I built Corvinth because I watched small platforms get caught flat-footed by TIDA — not because they didn't care, but because building trust and safety infrastructure is expensive and hard and usually comes after a crisis, not before. The compliance tools that exist are built for companies with legal teams and seven-figure engineering budgets.
Corvinth is the version of this that fits in a startup's infrastructure budget, integrates in a day, and gives you the audit trail you need to show the FTC you took this seriously. I'm not anonymous — email me directly with any questions, including hard ones about what Corvinth can and cannot do.
founder@corvinth.com