Documentation
AIBOM export
Public JSON manifest of every AI model and subprocessor in your stack.
Last updated May 6, 2026
The AIBOM (AI Bill of Materials) is a machine-readable manifest
of every AI system and subprocessor in your published trust center. It's
served at /aibom.json on your trust center.
Format
We follow the CycloneDX ML-BOM
schema, with a small x-attestly extension that includes our citation
metadata.
{
"bomFormat": "CycloneDX",
"specVersion": "1.6",
"version": 4,
"metadata": {
"timestamp": "2026-05-06T15:00:00Z",
"component": { "name": "yourcompany", "type": "application" }
},
"components": [
{
"type": "machine-learning-model",
"name": "gpt-4o",
"publisher": "OpenAI, L.L.C.",
"x-attestly": {
"purpose": "Customer chat",
"riskClass": "limited",
"humanInTheLoop": true,
"source": { "filePath": "src/server/chat.ts", "line": 42 }
}
},
{
"type": "service",
"name": "Stripe",
"publisher": "Stripe, Inc.",
"x-attestly": { "isAi": false, "purpose": "Payments" }
}
]
}
Why this matters
A growing number of enterprise procurement teams and government tenders require an AIBOM as part of their RFP response. Having one already published saves you from filling out the same spreadsheet for every customer.
Versioning
The AIBOM is versioned — /aibom.json?v=12 returns version 12. The latest
version is always available at /aibom.json without query parameters.
Webhooks
Subscribe to AIBOM changes:
curl -X POST https://api.attestly.dev/v1/webhooks \
-H "Authorization: Bearer $ATTESTLY_API_KEY" \
-d '{ "event": "aibom.changed", "url": "https://yourcompany.com/hooks/aibom" }'
You'll receive a POST whenever the AIBOM changes — useful for keeping internal inventories in sync.