Verify a receipt independently
Upload a receipt for cryptographic verification, or compute a BLAKE3 digest locally. Client-side only — nothing leaves your browser.
Verify a receipt envelope using the canonical VertRule verifier (WASM). Checks digest integrity, chain linkage, ordering, and signature if present.
Try a sample from the incident-response scenario:
What this proves
- Envelope structure — the receipt is valid JSON with all required fields present and a recognized schema version
- Canonicalization — the envelope matches JCS canonical form (RFC 8785), ensuring the same bytes produce the same hash on any platform
- Digest integrity — the BLAKE3 hash of the canonical envelope matches the declared event_hash, proving the receipt has not been modified since it was issued
- Tamper detection — if any field has been changed after the receipt was issued, verification fails and the specific mismatch is reported
What this does not prove
- That the action described in the receipt was actually attempted or executed — verification confirms the receipt is intact, not that the underlying event occurred
- That the policy decision was correct — verification confirms the receipt was issued by the runtime, not that the policy itself is appropriate
- Identity of the issuing runtime — signature verification is supported when a signature bundle is present, but these sample artifacts are unsigned
Receipt envelope schema
{
  "envelope_version": 1,
  "receipt_type": "event",
  "event_hash": "befdf1a1...680e",
  "logical_time": 300,
  "payload": { "action": "execute_sql", "verdict": "denied" },
  "context_digest": "aaaa...aaaa",
  "policy_digest": "cccc...cccc",
  "schema_digest": "bbbb...bbbb"
}
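
The canonicalization check listed under "What this proves" can be reproduced as follows; this is an added example, not the VertRule verifier's code. The function names, the sample receipts and their placeholder digest values are constructed here, and numbers are assumed to fit in an IEEE 754 double, as JSON.parse requires.

```javascript
// Added example, not the VertRule verifier. Serializes a parsed JSON value in
// JCS (RFC 8785) form: no whitespace, object keys sorted by UTF-16 code units,
// primitives written the way ECMAScript JSON.stringify writes them.
function canonicalize(value) {
  if (value === null || typeof value === "boolean" || typeof value === "string") {
    return JSON.stringify(value);
  }
  if (typeof value === "number") {
    if (!Number.isFinite(value)) throw new TypeError("NaN/Infinity not allowed in JCS");
    return JSON.stringify(value);
  }
  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
  if (typeof value === "object") {
    const keys = Object.keys(value).sort(); // default sort compares UTF-16 code units
    const members = keys.map((k) => JSON.stringify(k) + ":" + canonicalize(value[k]));
    return "{" + members.join(",") + "}";
  }
  throw new TypeError("unsupported type: " + typeof value);
}

// Reports whether the received text is already canonical; if not, returns the
// first character offset where it diverges from the canonical serialization.
function checkCanonical(receiptText) {
  const expected = canonicalize(JSON.parse(receiptText));
  if (expected === receiptText) return { canonical: true, offset: -1, expected };
  let i = 0;
  while (i < expected.length && expected[i] === receiptText[i]) i++;
  return { canonical: false, offset: i, expected };
}

// Constructed samples: field names from the schema above, placeholder digests.
const asIssued =
  '{"context_digest":"aa","envelope_version":1,"event_hash":"ee","logical_time":300,' +
  '"payload":{"action":"execute_sql","verdict":"denied"},"policy_digest":"cc",' +
  '"receipt_type":"event","schema_digest":"bb"}';
// Same data re-serialized with different key order, spacing and number form.
const reSerialized =
  '{ "envelope_version": 1.0, "receipt_type": "event", "event_hash": "ee",' +
  ' "logical_time": 300, "payload": {"verdict": "denied", "action": "execute_sql"},' +
  ' "context_digest": "aa", "policy_digest": "cc", "schema_digest": "bb" }';

console.log(checkCanonical(asIssued).canonical);   // true
console.log(checkCanonical(reSerialized).offset);  // 1
```

Both samples carry identical data, yet only the first is byte-for-byte canonical; hashing the second as received would give a different digest, which is why canonical form is checked before the digest comparison.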