HOW VERIFICATION WORKS
Execution receipts and independent verification
Execution receipts are self-contained proof of what TrigGuard evaluated and decided. With cached public keys, verification is local and independent: teams can validate integrity without calling TrigGuard during audits or incident review.
1. Fetch keys once
Load public keys from /.well-known/trigguard-keys.json. Cache locally.
2. Build canonical payload
Extract signed fields (for example decision, policyFingerprint, reason, timestamp); serialize as UTF-8 JSON with keys sorted lexicographically (same as Swift .sortedKeys and the Node SDK).
3. Verify Ed25519
Verify the Ed25519 signature over those UTF-8 bytes with crypto.subtle.verify (WebCrypto) or the CLI, using the base64-decoded receiptSignature and the authority public key.
4. Check expiry
Ensure the receipt has not expired (for example expires_at when present).
KEY DISCOVERY
Signature verification and integrity
TrigGuard publishes signing keys at a well-known URL so signatures on receipts can be validated cryptographically. Keys rotate periodically while prior keys remain available long enough to verify historical receipts.
GET https://www.trigguardai.com/.well-known/trigguard-keys.json
Key rotation
Keys are rotated quarterly. Deprecated keys remain available for 90 days after rotation to allow verification of older receipts.
EXAMPLES
WebCrypto (browser)
Import the SPKI public key, build the canonical UTF-8 payload your receipt signs, then call subtle.verify with algorithm Ed25519. The Receipt Explorer implements the same path for copy-paste receipts.
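// Sketch: spkiBytes, signatureBuffer and canonicalUtf8Bytes come from the caller
const publicKey = await crypto.subtle.importKey(
  "spki", spkiBytes, { name: "Ed25519" }, false, ["verify"]
);
// Resolves to true only if the signature matches the canonical bytes
const ok = await crypto.subtle.verify(
  { name: "Ed25519" },
  publicKey,
  signatureBuffer,
  canonicalUtf8Bytes
);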
CLI
trigguard verify-receipt --receipt receipt.json
Exact flags follow the TrigGuard CLI; this page documents the trust model, not a pinned CLI version.
Node
Use the official SDK or @noble/ed25519 with the same canonical JSON bytes as the browser and CLI.
import { verify } from "@noble/ed25519";
// canonicalUtf8Bytes from sorted-keys JSON; signature from receipt
const ok = await verify(signature, canonicalUtf8Bytes, publicKey);
TRUST MODEL
Why verification matters
Verification does not require TrigGuard to be online. Your audit trail is cryptographic proof of policy outcome, not a live query to a control plane. This makes execution decisions independently verifiable across CI, runtime, and compliance workflows.