User disclosure
Article 50 of the EU AI Act requires that natural persons interacting with AI know they are doing so. Meridian Blue surfaces the disclosure text on every limited- or high-risk response in the user_notice envelope field — your application is responsible for showing it to the end user.
When user_notice appears
The user_notice envelope field is present on every successful response classified as limited or high risk. Minimal-risk responses do not carry it. Prohibited responses are blocked with 403 and never reach this surface.
Fields
| Field | Description |
|---|---|
| disclosure | The text the end user must see (e.g. "This response was generated by AI."). Wording reflects the request's risk tier. |
| appeal_instructions | How the end user can contest a high-risk decision (per Article 86 right to explanation / appeal). |
| enforcement_token | HS256-signed JWT (5-minute TTL) that binds the notice to the request id; see Enforcement token below. |
Example
```json
{
  "user_notice": {
    "disclosure": "This automated decision uses AI. You have the right to request human review.",
    "appeal_instructions": "Contact [email protected] to request a human review of this decision."
  }
}
```
Enforcement token
Limited and high-risk responses now carry an enforcement_token nested inside user_notice. It's an HS256-signed JWT (5-minute TTL) whose aud claim binds it to the request id and whose Meridian-namespaced claims describe the disclosure copy and risk level. First-party SDKs verify the signature, refuse to render the response until the disclosure has been displayed, and POST the token's jti back to /api/v1/literacy/ack once the user has acknowledged it — so a regulator audit can cryptographically prove the notice was shown, not just that we sent it.
```json
{
  "user_notice": {
    "disclosure": "This response was generated by AI.",
    "appeal_instructions": "Contest at /api/v1/appeals",
    "enforcement_token": "eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJtZXJpZGlhbi1ibHVlLWNvbnRyb2wtcGxhbmUiLCJzdWIiOiI2NTMxYTguLi4iLCJqdGkiOiJlbmZfMDFKMi4uLiIsImF1ZCI6InJlcV8wMUoyLi4uIiwibWI6bm90aWNlX3R5cGUiOiJhaV9nZW5lcmF0ZWQiLCJtYjpyaXNrX2xldmVsIjoibGltaXRlZCIsIm1iOmRlZXBmYWtlX2xhYmVsX3JlcXVpcmVkIjpmYWxzZSwibWI6bXVzdF9kaXNwbGF5X2JlZm9yZV9yZW5kZXIiOnRydWV9.signature"
  }
}
```
Backends and other non-SDK clients that consume the API directly may verify and consume the token themselves. Keep in mind that HS256 is a symmetric scheme: verifying the signature requires the same secret that produced it, so verification belongs on a backend you control, not in browser or mobile code. Verify the signature before reading any claim, pin the algorithm to HS256 rather than trusting the alg header, and check that aud matches the request id you sent. The response also carries an X-Meridian-Disclosure-Required: true header, so a reverse proxy can route disclosure-required responses to a stricter renderer without parsing the body.
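The following Python is an added example of what a non-SDK backend consumer would do with the enforcement_token: it is not Meridian Blue's SDK or control-plane code. It uses only the standard library, and it makes a few labelled assumptions: the shared signing secret is a constructed placeholder; the token carries an exp claim (the page states a 5-minute TTL, but its sample payload omits exp); the ack body posted to /api/v1/literacy/ack is {"jti": ...} (the page says only that the jti is posted back); and mint_enforcement_token is a stand-in for the issuer so the example runs offline. The verifier pins the algorithm, checks the HMAC in constant time, and only then reads the claims, which is the order that defeats alg-downgrade and tampered-payload tokens.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for the example only. HS256 is symmetric, so whoever verifies
# holds the same key that signs: keep this on a backend, never in a browser or app.
SECRET = b"constructed-example-secret-do-not-reuse"
EXPECTED_ISS = "meridian-blue-control-plane"
TOKEN_TTL = 300  # the 5-minute TTL stated on the page, carried in an assumed exp claim


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_enforcement_token(secret: bytes, request_id: str, risk_level: str, now=None) -> str:
    """Stand-in for the control plane's issuer so the example runs offline (assumed, not the real one)."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": EXPECTED_ISS,
        "sub": "6531a8...",  # placeholder subject copied from the page's sample
        "jti": "enf_" + hashlib.sha256(f"{request_id}:{now}".encode()).hexdigest()[:16],
        "aud": request_id,  # binds the token to one request id
        "iat": now,
        "exp": now + TOKEN_TTL,
        "mb:notice_type": "ai_generated",
        "mb:risk_level": risk_level,
        "mb:deepfake_label_required": False,
        "mb:must_display_before_render": True,
    }
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


class EnforcementTokenError(ValueError):
    """Raised when the token must not be trusted; the caller withholds the response."""


def verify_enforcement_token(token: str, secret: bytes, request_id: str, now=None) -> dict:
    """Return the verified claims or raise EnforcementTokenError.
    Order matters: pin the algorithm, check the MAC, and only then read the claims."""
    now = int(time.time() if now is None else now)
    parts = token.split(".")
    if len(parts) != 3:
        raise EnforcementTokenError("malformed")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # covers bad base64 padding and bad JSON
        raise EnforcementTokenError("malformed")
    # Never let the token choose its own algorithm ("none", key-confusion, ...).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise EnforcementTokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise EnforcementTokenError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))  # authentic from here on
    if claims.get("iss") != EXPECTED_ISS:
        raise EnforcementTokenError("unexpected iss")
    if claims.get("aud") != request_id:  # the request id we actually sent
        raise EnforcementTokenError("aud mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise EnforcementTokenError("expired")
    for name in ("jti", "mb:risk_level", "mb:must_display_before_render"):
        if name not in claims:
            raise EnforcementTokenError(f"missing {name}")
    return claims


def rejection_reason(token, secret, request_id, now=None):
    """None when the token verifies, otherwise the reason it was refused."""
    try:
        verify_enforcement_token(token, secret, request_id, now=now)
    except EnforcementTokenError as err:
        return str(err)
    return None


def ack_payload(claims: dict) -> dict:
    """Body to POST to /api/v1/literacy/ack once the user has acknowledged the notice.
    The page only says the jti is posted back; this exact body shape is an assumption."""
    return {"jti": claims["jti"]}


if __name__ == "__main__":
    request_id = "req_01J2EXAMPLE"  # constructed request id
    token = mint_enforcement_token(SECRET, request_id, "limited")
    claims = verify_enforcement_token(token, SECRET, request_id)
    if claims["mb:must_display_before_render"]:
        print("show disclosure before rendering, then POST", ack_payload(claims))
    print("wrong request id ->", rejection_reason(token, SECRET, "req_OTHER"))
```

A backend would call verify_enforcement_token with the request id it generated, withhold the response body on any EnforcementTokenError, and post ack_payload only after the user has seen the disclosure. Note that the ack records that your client reported acknowledgement; it is only as trustworthy as the code that sends it.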