Verify a Receipt

Paste an AIIR JSON receipt below. Verification runs entirely in your browser — no data is sent to any server.

Need a receipt to test with? Start in the demo, then paste the sample here.

Browser verification currently accepts JSON receipts. For .cbor sidecars, use aiir --verify receipt.json or the CLI CBOR verification flow locally.

How verification works

  1. Extract the 6 CORE_KEYS (type, schema, version, commit, ai_attestation, provenance)
  2. Serialize them as canonical JSON (sorted keys, no whitespace, ASCII-safe)
  3. Compute SHA-256 of the canonical JSON string (UTF-8 encoded)
  4. Compare the computed hash against content_hash and receipt_id

Change any byte in the core fields — the hash won't match. This browser path is the same integrity check as running aiir --verify receipt.json on a JSON receipt.

Verification tiers

This browser verifier checks Tier 1 — content hash integrity. It proves the 6 core fields haven't been modified since the receipt was generated. It does not prove who generated the receipt, whether the authorship classification is true, or that the receipt came from a trusted workflow.

Tier 2 is Sigstore signing (cryptographic non-repudiation): signed receipts add workflow identity and transparency-log evidence. This matters because an unsigned receipt can still validate at Tier 1 if someone rewrites the core fields and recomputes content_hash and receipt_id. Verify the accompanying .sigstore bundle with: aiir --verify receipt.json --verify-signature
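
The four verification steps and the Tier 1 limit described above, as an added Python example that is not AIIR's own code. The json.dumps settings are one reading of "sorted keys, no whitespace, ASCII-safe", the "sha256:" and "g1-" encodings of content_hash and receipt_id are assumptions not stated on this page, and the sample receipt is constructed.

```python
import copy
import hashlib
import json

CORE_KEYS = ("type", "schema", "version", "commit", "ai_attestation", "provenance")

def canonical_core(receipt):
    """Steps 1-2: extract the six core fields and serialize them canonically."""
    missing = [k for k in CORE_KEYS if k not in receipt]
    if missing:
        raise ValueError(f"missing core keys: {missing}")
    core = {k: receipt[k] for k in CORE_KEYS}
    # Sorted keys, no whitespace, non-ASCII escaped as \uXXXX.
    return json.dumps(core, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True, allow_nan=False)

def expected_ids(receipt):
    """Step 3: SHA-256 over the UTF-8 bytes of the canonical string."""
    digest = hashlib.sha256(canonical_core(receipt).encode("utf-8")).hexdigest()
    # Assumed encodings, not stated on the page: check the specification.
    return "sha256:" + digest, "g1-" + digest[:32]

def verify_tier1(receipt):
    """Step 4: compare the recomputed values with the stored ones."""
    content_hash, receipt_id = expected_ids(receipt)
    return (receipt.get("content_hash") == content_hash
            and receipt.get("receipt_id") == receipt_id)

def seal(receipt):
    """Recompute both identifiers; needs no key, which is the Tier 1 limit."""
    out = copy.deepcopy(receipt)
    out["content_hash"], out["receipt_id"] = expected_ids(out)
    return out

# Constructed sample receipt; every value is a placeholder.
SAMPLE = seal({
    "type": "example.receipt", "schema": "example/v1", "version": "0.0.0",
    "commit": {"sha": "0" * 40, "author": "Zoë Example"},
    "ai_attestation": {"is_ai_authored": False},
    "provenance": {"repository": "https://example.invalid/repo"},
    "timestamp": "2024-01-01T00:00:00Z",  # not a core key, so not hashed
})

if __name__ == "__main__":
    edited = copy.deepcopy(SAMPLE)
    edited["ai_attestation"]["is_ai_authored"] = True
    print("original:", verify_tier1(SAMPLE))                # True
    print("edited, stale hash:", verify_tier1(edited))      # False
    print("edited, resealed:", verify_tier1(seal(edited)))  # True: needs Tier 2
```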

Read the full specification → · See all test vectors →