Signed input
Decode receipt.payload_b64 and verify those exact bytes. Do not reserialize JSON before verifying: re-encoding parsed JSON can change key order, whitespace, or number formatting, so the result may no longer match the bytes that were signed.

Craton does not replace your approval workflow. It creates a signed boundary receipt when a covered high-risk action is evaluated, so your team, auditors, and authorized third parties can verify the record later without calling back into Craton.
- Decode receipt.payload_b64 and verify those exact bytes. Do not reserialize JSON before verifying.
- Verify receipt.signature over the decoded payload bytes.
- receipt.kid selects the public key from the standard JWKS at /protocol/v1/jwks.json.
- Required inputs: receipt.payload_b64, receipt.signature, and receipt.kid.
- Key source: fetch /protocol/v1/jwks.json or use a pinned offline key bundle.
- Select the key whose kid matches receipt.kid, verify receipt.signature over the decoded receipt.payload_b64 bytes, then read the signed payload.
- Failed signature verification, unknown kid, malformed payload, or unsupported signature algorithm means the evidence is unverified.
GET https://cratonlayer.com/protocol
GET https://cratonlayer.com/protocol/v1/spec
GET https://cratonlayer.com/protocol/v1/schema
GET https://cratonlayer.com/protocol/v1/jwks.json
GET https://cratonlayer.com/verify
GET https://github.com/cratonlayer/craton-verify
{
"object": "craton.receipt.protocol.v1",
"version": "v1",
"production_write": false,
"stable_resources": {
"human_protocol": "https://cratonlayer.com/protocol",
"machine_spec": "https://cratonlayer.com/protocol/v1/spec",
"json_schema": "https://cratonlayer.com/protocol/v1/schema",
"jwks": "https://cratonlayer.com/protocol/v1/jwks.json",
"interactive_verifier": "https://cratonlayer.com/verify"
},
"compatibility_commitment": "Receipt verification semantics are stable for v1 receipts: decode receipt.payload_b64 and verify receipt.signature over those exact bytes with the Ed25519 public key selected by receipt.kid, then read the signed payload.",
"canonicalization": {
"signed_message": "Decode receipt.payload_b64 with standard base64 and verify the signature over those exact bytes.",
"verifier_must_reserialize_json": false,
"payload_bytes": {
"encoding": "UTF-8",
"producer": "Craton",
"format": "Canonical JSON bytes for the v1 signed payload.",
"determinism": "Craton emits deterministic object serialization for v1 receipts; third-party verifiers should not reconstruct these bytes from parsed JSON."
},
"signature_encoding": "base64",
"payload_encoding": "base64"
},
"stable_receipt_fields": {
"receipt.payload_b64": "Base64-encoded signed receipt payload bytes.",
"receipt.signature": "Base64-encoded Ed25519 signature over receipt.payload_b64 decoded bytes.",
"receipt.kid": "Public key identifier used to select a verification key.",
"receipt.sig_alg": "Expected signature algorithm; v1 uses ed25519.",
"verdict": "Boundary verdict vocabulary: allow, constrain, reject.",
"commitment_id": "Stable signed commitment reference for the boundary snapshot.",
"request_id": "Runtime request reference returned with the boundary check."
},
"canonical_runtime_labels": {
"gate_type": {
"canonical_field": "gate_type",
"raw_context_field": "context.gate_type_raw",
"recommended_values": [
"threshold_gate",
"privileged_access_gate",
"counterparty_release_gate",
"data_export_gate",
"deployment_approval_gate",
"manual_override_gate",
"risk_escalation_gate",
"cross_system_handoff_gate",
"cross_org_handoff_gate"
],
"closed_enum": false
},
"system_scope": {
"canonical_field": "system_scope",
"raw_context_field": "context.system_scope_raw",
"closed_enum": false
},
"decision_type": {
"canonical_field": "decision_type",
"raw_context_field": "context.decision_type_raw",
"recommended_values": [
"threshold_execution_request",
"privileged_access_request",
"counterparty_release_request",
"data_export_request",
"deployment_approval_request",
"manual_override_request",
"risk_score_escalation",
"cross_system_handoff",
"cross_org_handoff"
],
"closed_enum": false
}
},
"offline_verification": {
"public_protocol_page": "/protocol",
"machine_spec_endpoint": "/protocol/v1/spec",
"json_schema_endpoint": "/protocol/v1/schema",
"jwks_endpoint": "/protocol/v1/jwks.json",
"interactive_verifier_page": "/verify",
"offline_key_bundle_endpoint": "/self-service/verify-keys/offline-bundle",
"offline_verifier_repository": "https://github.com/cratonlayer/craton-verify",
"online_keys_endpoint": "/protocol/v1/jwks.json",
"rule": "Stored receipts can be verified with the v1 protocol spec, RFC 7517 JWKS, /verify, or the open-source offline verifier without giving Craton control over the customer host system."
},
"third_party_use": {
"allowed": true,
"required_inputs": [
"receipt.payload_b64",
"receipt.signature",
"receipt.kid",
"RFC 7517 JWKS public key"
],
"no_craton_callback_required": true,
"failure_rule": "Treat signature failure, unknown kid, malformed payload, or unsupported sig_alg as unverified evidence."
}
}