There is never an implicit guarantee that the remote service is what’s described in its manifest, though generally the reputation of the service is what’s directly considered.

What’s more, SaaS itself is just a delivery model, and doesn’t necessarily define a set of protocols or contracts between a client and a service. It merely defines an approach to building and serving a public platform. It’s a term more relevant for describing the building process of a service and it’s intended market than it is for describing the nitty-gritty operational details.

If such a thing needed to be implemented as part of the contract between the client and server, one could look at implementing a native hashing solution using HMACs. An identity mechanism could be implemented using salted access tokens similar to OAuth, but using the files of the codebase to generate the checksum. This would guarantee that if the code executed properly once, it would be the same code running so long as the hash generated did not change (though there’s once again no guarantee that the hash being publicly exposed was properly generated)

Such a thing would sound redundant however, on top of the SSL security most services generally tend to use.

The long and short of it is that if you have concerns about the service being offered over a public API, then there is probably a pretty good reason its reputation precedes it.