Docs / Verify a record
Developers · Evidence
Verify a record
Every decision SANSAR makes is emitted as a signed record. Anyone holding one can verify it independently — no SANSAR server involved.
Verification is pure cryptography: check the signature against the published key, then check the record's place in the chain. This is what your auditor gets, for every agent action.
● ED25519 VALID
What's in a record
{
"alg": "Ed25519",
"record": {
"id": "SANSAR://v1/DEC-20260704-091500",
"action": "refund",
"verdict": "allow",
"agent": "billing-bot",
"ts": "2026-07-04T09:15:00Z"
},
"sig": "base64( Ed25519 signature over the canonical record )",
"prev": "hash of the previous record // Merkle chaining"
}
The record is canonicalised, hashed (SHA-256), and signed with an Ed25519 key held on an HSM. Each record references the previous one, so the whole log is tamper-evident — you cannot alter or remove a record without breaking the chain.
How to verify
- Take the record and its detached signature.
- Fetch the signer's public key (published by the deployment; sovereign deployments hold their own keys).
- Verify the Ed25519 signature over the canonical record bytes.
- Check that
prevmatches the hash of the preceding record to confirm chain position.
Browser · WebCrypto
const key = await crypto.subtle.importKey(
"jwk", publicJwk, { name: "Ed25519" }, false, ["verify"]);
const ok = await crypto.subtle.verify(
"Ed25519", key, signatureBytes, canonicalRecordBytes);
console.log(ok ? "ed25519 VALID" : "VERIFICATION FAILED");
Command line · OpenSSL
openssl pkeyutl -verify -pubin -inkey pub.pem \ -rawin -in record.canonical -sigfile record.sig
Verified locally, no server involved. The signature either checks out or it doesn't — there's nothing to trust but the math.
You can watch verification run in your browser on seeded data in the live demo. For the full verification specification and a deployment's public keys, email info@sansarai.ai.