AttestLayer

Verifier documentation

What verify.attestlayer.com checks, what it does not check, and how to use it.

Applies to: verify.attestlayer.com public verification surface (online verifier, sample-kit verification, JSON inspection). Verification proves cryptographic integrity of the kit. It does not verify the truth of the underlying business claims.

What the verifier checks

  • Manifest hash matches the included files.
  • Receipt signature is valid against the published issuer JWKS.
  • Checkpoint and registry status (where applicable).
  • Kit structure and required files are present and well-formed.

What the verifier does not check

  • Whether the underlying business claim is true.
  • Whether any reviewer, buyer, regulator, insurer, bank, PSP, or auditor will accept the kit.
  • Audit, certification, legal, regulatory, or procurement opinions.
  • Whether the kit issuer is fit for any specific purpose.

How to verify a sample kit

  1. Open /sample/verifier for a guided sample run.
  2. Or upload a kit.zip on the home page to run an in-browser verification.
  3. Inspect the structured JSON output at /{slug}/json for any verified slug.

Online verifier

The online verifier runs in the browser for sample/offline kits. Network requests may be used for static assets, policy pages, or explicitly requested registry lookups (for example, JWKS retrieval and checkpoint chain lookups).

Offline verifier

For air-gapped or independent verification, download the offline verification kit from registry.attestlayer.com/v1/verify-kit.zip. The offline verification kit includes the JWKS, latest checkpoints, and verification scripts, so a kit can be checked without contacting the AttestLayer surface.

Manifest, receipt, signature

  • Manifest: enumerates files in the kit with their canonical hashes.
  • Receipt: signed statement binding the manifest hash to an issuer key and timestamp.
  • Signature: Ed25519 signature over the canonical receipt body, verifiable against the published issuer JWKS.
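The three checks described above, shown as an added Node.js example that is not AttestLayer's verifier code. The manifest layout, the receipt field names (`kid`, `issued_at`, `manifest_hash`), SHA-256, the sorted-key JSON canonical form and the base64url signature encoding are assumptions, since the page does not specify them.

```javascript
// Added example. Assumed, not from the page: field names, SHA-256, sorted-key JSON canonical form.
const nodeCrypto = require("node:crypto");

const sha256 = (data) => nodeCrypto.createHash("sha256").update(data).digest("hex");
// Assumed canonical form: JSON with object keys sorted recursively, no whitespace.
const canonical = (v) =>
  Array.isArray(v) ? `[${v.map(canonical).join(",")}]`
  : v && typeof v === "object"
    ? `{${Object.keys(v).sort().map((k) => `${JSON.stringify(k)}:${canonical(v[k])}`).join(",")}}`
  : JSON.stringify(v);

// Returns a list of failures; an empty list means every check passed.
function verifyKit({ files, manifest, receipt, signature }, jwks) {
  const errors = [];
  // 1. Manifest: every listed hash must match the file bytes, and no file may be unlisted.
  for (const [name, hash] of Object.entries(manifest.files)) {
    if (!Object.hasOwn(files, name)) errors.push(`missing file: ${name}`);
    else if (sha256(files[name]) !== hash) errors.push(`hash mismatch: ${name}`);
  }
  for (const name of Object.keys(files))
    if (!Object.hasOwn(manifest.files, name)) errors.push(`unlisted file: ${name}`);
  // 2. Receipt: must bind the hash of this exact manifest.
  if (receipt.manifest_hash !== sha256(canonical(manifest))) errors.push("receipt does not bind this manifest");
  // 3. Signature: Ed25519 over the canonical receipt body, key taken from the issuer JWKS by kid.
  const jwk = jwks.keys.find((k) => k.kid === receipt.kid);
  if (!jwk || jwk.kty !== "OKP" || jwk.crv !== "Ed25519") {
    errors.push("no Ed25519 issuer key for receipt kid");
  } else {
    const key = nodeCrypto.createPublicKey({ key: jwk, format: "jwk" });
    const sig = Buffer.from(signature, "base64url");
    if (!nodeCrypto.verify(null, Buffer.from(canonical(receipt)), key, sig)) errors.push("invalid receipt signature");
  }
  return errors;
}

// Constructed sample kit, signed with a throwaway key generated here (not a real issuer key).
function buildSampleKit() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
  const files = { "claim.json": '{"status":"PASS"}', "evidence.txt": "constructed sample evidence\n" };
  const manifest = { files: Object.fromEntries(Object.entries(files).map(([n, d]) => [n, sha256(d)])) };
  const receipt = { kid: "sample-key-1", issued_at: "2024-01-01T00:00:00Z", manifest_hash: sha256(canonical(manifest)) };
  const signature = nodeCrypto.sign(null, Buffer.from(canonical(receipt)), privateKey).toString("base64url");
  const jwks = { keys: [{ ...publicKey.export({ format: "jwk" }), kid: "sample-key-1" }] };
  return { kit: { files, manifest, receipt, signature }, jwks };
}

const { kit, jwks } = buildSampleKit();
console.log("intact:", verifyKit(kit, jwks));
console.log("tampered:", verifyKit({ ...kit, files: { ...kit.files, "claim.json": "{}" } }, jwks));
```

A passing result here shows only that the files, manifest and receipt are mutually consistent under the issuer key; the content of `claim.json` is never evaluated.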

Registry status

Where a kit references a registry-published commitment, the verifier can resolve the leaf and inclusion proof against registry.attestlayer.com. Current public tree size may be 0 until production PASS entries are published.

Non-guarantee

Verification checks cryptographic integrity of the kit. It does not verify the truth of the underlying business claims.

AttestLayer is record-only. The verifier does not certify compliance, replace audit work, provide legal advice, or guarantee acceptance by any reviewer, buyer, regulator, insurer, bank, PSP, or auditor.

Verify is a public, read-only verification surface. It does not create a paid service relationship on its own.