Receipt verifier

How to verify receipts.

Use this page to verify a Craton receipt. Paste the receipt JSON returned by /v1/boundary/check. Craton verifies the Ed25519 signature over the decoded receipt.payload_b64 bytes using public key material selected by receipt.kid. No JSON reserialization is required.

What this verifies

Signature: The receipt signature matches the signed payload bytes.
Key: The receipt kid maps to a published Ed25519 public key.
Payload: The decoded payload includes the commitment ID, verdict, request ID, and signed boundary facts.

This tool verifies signed receipt evidence. It does not confirm that your underlying approval workflow, authorization event, or downstream business action occurred.

Offline verifier

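import base64
import json
import sys

import requests
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey


def b64decode_padded(value, *, urlsafe=False):
    # Restore any stripped "=" padding before decoding.
    value = str(value).strip()
    value += "=" * ((4 - len(value) % 4) % 4)
    decoder = base64.urlsafe_b64decode if urlsafe else base64.b64decode
    return decoder(value)


# The JSON response returned by /v1/boundary/check; reading it from standard
# input is one way to supply it.
RESPONSE_FROM_BOUNDARY_CHECK = json.load(sys.stdin)
receipt = RESPONSE_FROM_BOUNDARY_CHECK["receipt"]

# Fetch the published keys and select the one named by receipt.kid.
response = requests.get("https://cratonlayer.com/protocol/v1/jwks.json", timeout=10)
response.raise_for_status()
jwks = response.json()
keys = jwks["keys"]
key = next((item for item in keys if item["kid"] == receipt["kid"]), None)
if key is None:
    raise SystemExit(f"no published key for kid {receipt['kid']!r}")

# verify() raises cryptography.exceptions.InvalidSignature on a mismatch.
public_key = Ed25519PublicKey.from_public_bytes(b64decode_padded(key["x"], urlsafe=True))
payload_bytes = b64decode_padded(receipt["payload_b64"])
signature_bytes = b64decode_padded(receipt["signature"])
public_key.verify(signature_bytes, payload_bytes)

# Parse the payload only after the signature over these exact bytes has verified.
payload = json.loads(payload_bytes.decode("utf-8"))
print("verified", payload["commitment_id"], payload["verdict"])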

Standalone offline kit

Download the standalone verifier and keep it with retained receipts and a pinned JWKS. The kit runs locally without calling Craton, so stored receipts remain independently verifiable if this service is unavailable.
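The pinned-JWKS workflow described above, sketched as an added example (it is not Craton's standalone kit and not code from this page): verification runs against a locally stored JWKS with no network call, and every failure path rejects the receipt. The function names, the `kty`/`crv` check (per RFC 8037, assumed to be present in the published JWKS), the `request_id` field name, and the fixture's throwaway key and values are assumptions or constructed data.

```python
import base64
import json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat


def b64d(value, *, urlsafe=False):
    value = str(value).strip()
    value += "=" * (-len(value) % 4)
    if urlsafe:
        return base64.urlsafe_b64decode(value)
    return base64.b64decode(value, validate=True)  # reject stray characters


def verify_receipt(receipt, pinned_jwks):
    """Return the signed payload as a dict, or raise ValueError. No network I/O."""
    matches = [k for k in pinned_jwks["keys"] if k.get("kid") == receipt.get("kid")]
    if len(matches) != 1:
        raise ValueError("kid must match exactly one key in the pinned JWKS")
    key = matches[0]
    # Assumption: keys are RFC 8037 JWKs, so kty/crv identify Ed25519.
    if key.get("kty") != "OKP" or key.get("crv") != "Ed25519":
        raise ValueError("pinned key is not an Ed25519 JWK")
    try:
        payload_bytes = b64d(receipt["payload_b64"])
        public_key = Ed25519PublicKey.from_public_bytes(b64d(key["x"], urlsafe=True))
        public_key.verify(b64d(receipt["signature"]), payload_bytes)
    except (KeyError, ValueError, InvalidSignature) as exc:
        raise ValueError(f"receipt rejected: {exc!r}") from exc
    # Parse only after verification, and only from the exact signed bytes.
    return json.loads(payload_bytes)


def make_constructed_fixture():
    """Constructed sample data: a throwaway key, not a Craton key or receipt."""
    sk = Ed25519PrivateKey.generate()
    raw_pub = sk.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
    jwks = {"keys": [{"kty": "OKP", "crv": "Ed25519", "kid": "example-kid-1",
                      "x": base64.urlsafe_b64encode(raw_pub).rstrip(b"=").decode()}]}
    payload = json.dumps({"commitment_id": "cmt_example", "verdict": "allow",
                          "request_id": "req_example"}).encode()
    receipt = {"kid": "example-kid-1",
               "payload_b64": base64.b64encode(payload).decode(),
               "signature": base64.b64encode(sk.sign(payload)).decode()}
    return receipt, jwks
```

With retained receipts, load the pinned JWKS from the file stored alongside them and pass each receipt to `verify_receipt`; a `ValueError` means the receipt does not verify against the pinned keys.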