Verify
Paste an Authorization Evidence Pack below. The signature is verified in your browser using WebCrypto Ed25519 (RFC 8032), against the public key fetched live from the API. Nothing leaves your machine. The math is yours.
AEP · paste here
Proof trace
loading…
echo -n '<canonical bytes>' > aep.canonical echo '<signature hex>' | xxd -r -p > aep.sig openssl pkeyutl -verify \ -pubin -inkey pubkey.pem \ -rawin -in aep.canonical \ -sigfile aep.sig # Expected output: Signature Verified Successfully
What this surface is, and is not
This surface verifies that a given AEP was signed by the holder of the
private key whose public counterpart is published at
/api/public/sentinel/public-key. A
VALID verdict here means three things, and exactly three:
- The bytes of the AEP (excluding the signature field) have not been altered since signing.
- The signature is a valid Ed25519 signature over those bytes.
- The signing key matches the published key id
qaori-aep-v1.
It does not assert that the underlying action was wise, lawful, or desired by anyone. The protocol separates cryptographic authenticity from policy correctness deliberately. Policy correctness is a separate layer over the same AEP stream; see §4 Compliance Tiers.