identity – Validate that Web Service is authentic

If I have a web service (REST API, RPC, etc) that I open source, how can I prove to the user that the service they are connecting with is indeed the same one whose source I published. I am envisioning an endpoint they could query and get some kind of hash/signature they can validate.

The problem seems that the API service could easily forge the returned token.