Verify

Check a published receipt.

Use this page to see what a published receipt can show now, what it cannot show, and what to inspect next.

This verifier checks receipt JSON in receipt-first v1 mode. It does not currently accept proof-bundle uploads, and it does not claim to prove the full runtime story.

If a check passes, read the trust limits before relying on the result. If it fails, read the named breach or failure before trusting any claim built on top of it.

The sample buttons below load verifier fixtures: public sample receipts used to show clean pass, named failure, and fail-closed behavior. They are not live customer artifacts.

Sample class: Verifier fixtures

Mode: Public verifier

Scope: Receipt-first v1

Try a sample receipt How verification works

What this can show

The public verifier checks supported receipt JSON in receipt-first mode: schema, stage, signature fields, timestamp references, and receipt-level consistency checks.

What this cannot show

It does not prove that every action was correct, that every decision was right, or that you now know the full story of an incident.

Verifier mode

This public surface runs in receipt-first v1 mode. Proof-bundle uploads and unsupported receipt classes fail closed.

Data handling boundary

Browser input is sent to /api/verify for receipt-level checks in receipt-first v1 mode. Make sure that matches your handling rules before you submit a production artifact.

First run

1. Try a known-good sample

Expected outcome: valid for a known-good receipt.

This shows the verifier can reproduce a clean receipt pass path.

2. Try a known-bad sample

Expected outcome: invalid or input rejected with a named breach or failure.

This shows that failure is visible and explained, not hidden.

3. Try your own receipt

Expected outcome: a receipt-scoped result with clear trust limits.

This applies the same rules to your real artifact.

Result verdicts

Valid

The required checks for the declared receipt scope passed. On /verify v1, this is receipt-scoped and does not prove artifact-byte revalidation or bundle completeness.

Invalid

One or more proof-bearing receipt checks failed.

Indeterminate

The receipt may be coherent, but a required outside trust condition could not be established locally.

Artifact state matrix

Verifier fixtures

Status: sample fixture
Mechanism: Receipt JSON examples loaded into the receipt-first console to show clean pass, named failure, malformed input, and fail-closed behavior.
Boundary: Fixtures are not live customer artifacts and do not prove production workflow truth or bundle completeness.

Receipt-first console

Status: public verifier surface
Mechanism: Browser input is sent to /api/verify for receipt-level checks in receipt-first v1 mode.
Boundary: A valid result is receipt-scoped. It does not prove artifact-byte revalidation, source-system honesty, or the full runtime story.

Published first-party proof bundles

Status: published first-party bundle
Mechanism: Downloadable ZIP bundles include bounded first-party WitnessOps proof materials such as receipt, signer registry, source artifacts, hashes, and verifier-facing instructions.
Boundary: These bundles prove bounded WitnessOps-owned statements only. They are not live customer proof artifacts unless explicitly labeled otherwise.

Published first-party proof bundles

Downloadable proof bundles

Each downloadable ZIP is presented for offline verification with its included receipt, signer registry, source artifacts, and verifier-facing instructions. These bundles prove bounded WitnessOps-owned statements only. They are not live customer proof artifacts unless explicitly labeled otherwise. The public receipt console below remains receipt-first v1.

Published first-party proof bundle

External Exposure Proof Bundle — First Run

published

Run ID: external-exposure-20260427T140210Z
Workflow: external-exposure-proof-run-v1
Target: witnessops.com
Verifier result: valid
ZIP SHA-256: a96cd612c98e6a9875c8f1930a7a2e38d6ac32b6c34fdf04f09461ba9d4b9f4c

Download proof bundle Evidence bundle docs

Published first-party proof bundle

API Authorization Proof Bundle — First Run

published

Run ID: api-authorization-20260427T161038Z
Workflow: api-authorization-proof-run-v1
Target: witnessops.com
Verifier result: valid
ZIP SHA-256: 1e567ef2b5cd10f5edbe3b46309ebfdae49d53fd33583b915a9f704fccf3620a

Download proof bundle Evidence bundle docs

Verify Input

Paste receipt JSON, upload a `.json` file, or load a deterministic fixture.

Upload JSON

{
  "schema_version": "1.0.0",
  "proof_stage": "PV",
  "receipt_id": "rcpt_pv_001",
  "run_id": "run_001",
  "created_at": "2026-03-16T12:34:56Z",
  "subject": {
    "kind": "spawn-run",
    "tool": "spawn",
    "tool_version": "0.9.0",
    "workflow": "web-recon",
    "agent": "web-recon",
    "mode": "lab",
    "target": {
      "input": "127.0.0.1",
      "normalized": "127.0.0.1",
      "classification": "ipv4"
    },
    "environment": {
      "host_os": "Linux",
      "host_arch": "x86_64",
      "runtime": "bun",
      "runtime_version": "1.2.0"
    }
  },
  "materialization": {
    "status": "completed",
    "started_at": "2026-03-16T12:30:00Z",
    "completed_at": "2026-03-16T12:34:56Z",
    "artifacts": [
      {
        "path": "state.json",
        "media_type": "application/json",
        "size_bytes": 7034,
        "mtime_epoch": 1773657229
      },
      {
        "path": "manifest.json",
        "media_type": "application/json",
        "size_bytes": 1024,
        "mtime_epoch": 1773657230
      },
      {
        "path": "runbook-summary.md",
        "media_type": "text/markdown",
        "size_bytes": 420,
        "mtime_epoch": 1773657230
      }
    ],
    "artifact_count": 3
  },
  "integrity": {
    "canonicalization": {
      "receipt_c14n": "JCS-8785",
      "manifest_c14n": "line-v1"
    },
    "digest_algorithms": ["sha256"],
    "primary_digest_algorithm": "sha256",
    "record_digest": {
      "algorithm": "sha256",
      "value": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"
    },
    "manifest": {
      "format": "flat-hash-list-v1",
      "artifact_hashes": [
        {
          "path": "state.json",
          "algorithm": "sha256",
          "digest": "50ef13218f362aac6550744f4f9d44aba79dd5bd1410f4ff434dfb8dce45a98b"
        },
        {
          "path": "manifest.json",
          "algorithm": "sha256",
          "digest": "d667708b1306a0905b7632eaa4978ec4369b9bbad43864457bc58798708a1244"
        },
        {
          "path": "runbook-summary.md",
          "algorithm": "sha256",
          "digest": "9f60861ec8ebfe65221ad24f302c143d182728a965a7f319e3b3f388f59d3cc8"
        }
      ]
    }
  },
  "attestation": {
    "type": "local-signature",
    "signature_algorithm": "ed25519",
    "signing_key": {
      "key_id": "local-ed25519-fixture-01",
      "public_key": "MCowBQYDK2VwAyEAUjRWN1RNdWja5sPL5EnAtTbyhoeWHUSqI3KEsDYtwXk="
    },
    "signed_subject": {
      "type": "record_digest",
      "algorithm": "sha256",
      "value": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"
    },
    "signature": "i5oDreV2DUD7XFWnPdnAmDx9EklB27xLwNzceFAr1NafbQggxj+ZF4KDNcn4dp7w/gUhY+G8yRNoYKrWLxE1Ag=="
  },
  "anchoring": {
    "rfc3161": {
      "status": "not_present"
    }
  },
  "witnesses": []
}

/verify v1 accepts receipt JSON only. Bundles, mixed payloads, and unsupported receipt classes fail closed.

verify receipt

> paste a receipt JSON document or load a fixture

Keep going with the verification docs.

Use the docs below to inspect receipt structure, verification scope, and trust limits in more detail.

Verify First Quickstart Verification Docs Receipt Basics Receipt Spec Trust Limits