Signed receipts
Offline-verifiable, Ed25519-signed receipts that prove what an agent did, on whose authority, under which policy — without trusting Nolixan.
Every governed action and every redaction produces a receipt: a signed, tamper-evident record you can verify offline, with no call back to Nolixan. This is the provability layer — hand an auditor a receipt and a public key and they can confirm exactly what happened.
What's in a receipt
A receipt commits to the action's identity and decision and binds it into a tamper-evident structure:
- Ed25519 signature over the RFC 8785 JCS canonical form of the payload.
signer_public_key— the environment's signing key (hex).- A Merkle inclusion proof (
merkle_leaf_hash,merkle_proof,merkle_tree_root) tying the action into the audit batch. - Action metadata: provider, action, decision, identity hashes, timestamps — never raw arguments or PII (arguments are SHA-256 hashed; sensitive content is redacted first).
Signing requires RECEIPT_SIGNING_KEY to be set (see Deployment); without it, receipts are returned unsigned.
Get a receipt
A governed action's receipt is returned on the approval/execution record:
The public verify page also accepts a pasted receipt and checks it in the browser.
Verify offline
Save the receipt object to a file and run the standalone verifier — it has no network dependency:
Redaction receipts
Data redaction emits its own counts-only chain (class, count, action, ruleset version, boundary — no values). Export and verify it the same way:
Why offline verification matters
- Trust nothing. A regulator or counterparty verifies with the public key alone — they don't have to trust (or even reach) Nolixan.
- Tamper-evident. Any edit to a recorded action breaks the hash chain and the signature.
- Portable. Receipts export as CSV/JSON, CloudEvents, or in-toto/SLSA provenance. See Audit log and Compliance.