Verify a Receipt

Paste an AIIR commit receipt below. Verification runs entirely in your browser — no data is sent to any server.

How verification works

  1. Extract the 6 CORE_KEYS (type, schema, version, commit, ai_attestation, provenance)
  2. Serialize them as canonical JSON (sorted keys, no whitespace, ASCII-safe)
  3. Compute SHA-256 of the canonical JSON string (UTF-8 encoded)
  4. Compare the computed hash against content_hash and receipt_id

Change any byte in the core fields — the hash won't match. This verification is identical to running aiir --verify receipt.json.

Trust tiers

This browser verifier checks Tier 1 — content hash integrity. It proves the 6 core fields haven't been modified since the receipt was generated. However, anyone who can run aiir on the same commit can produce an identical unsigned receipt.

For Tier 2 — Sigstore signing (cryptographic non-repudiation), verify the accompanying .sigstore bundle with: aiir --verify receipt.json --verify-signature

Read the full specification → · See all test vectors →