Verify

Paste an Authorization Evidence Pack below. The signature is verified in your browser using WebCrypto Ed25519 (RFC 8032), against the public key fetched live from the API. Nothing leaves your machine. The math is yours.

AEP · paste here

Proof trace

  • load an AEP and click verify
  • full diagnostic trace appears here
  • signature checked client-side via WebCrypto
  • refuses to lie, no green check from this page unless the math works
  • PUBLIC KEY USED · PEM, live from /api/public/sentinel/public-key
    loading…
    OFFLINE VERIFICATION · openssl, paranoid reviewers
    echo -n '<canonical bytes>' > aep.canonical
    echo '<signature hex>' | xxd -r -p > aep.sig
    openssl pkeyutl -verify \
      -pubin -inkey pubkey.pem \
      -rawin -in aep.canonical \
      -sigfile aep.sig
    # Expected output: Signature Verified Successfully

    What this surface is, and is not

    This surface verifies that a given AEP was signed by the holder of the private key whose public counterpart is published at /api/public/sentinel/public-key. A VALID verdict here means three things, and exactly three:

    1. The bytes of the AEP (excluding the signature field) have not been altered since signing.
    2. The signature is a valid Ed25519 signature over those bytes.
    3. The signing key matches the published key id qaori-aep-v1.

    It does not assert that the underlying action was wise, lawful, or desired by anyone. The protocol separates cryptographic authenticity from policy correctness deliberately. Policy correctness is a separate layer over the same AEP stream; see §4 Compliance Tiers.