The Trust Receipt format.
A Trust Receipt is a signed statement about an AI tool, prompt, or piece of content. It is designed so anyone can verify it independently, offline, without trusting queldrex.com. The format is open and MIT-licensed on purpose: a trust claim you cannot check yourself is worthless.
Structure
A receipt is an object with a signed payload plus the signature and the public key needed to check it.
{
"payload": {
"id": "rcpt_<32 hex>",
"version": 1,
"issuer": "queldrex",
"ruleset": { "id": "queldrex:baseline", "version": "2026.07.1" },
"subject": { "kind": "mcp_tool|text|content", "name": "...", "hash": "<sha256>" },
"verdict": "safe|unsafe|uncertain",
"riskScore": 0,
"confidence": "low|moderate|high",
"reasonCodes": ["tool_poisoning.hidden_instruction", "..."],
"detectors": ["mcp-tool@1", "model-judge@1", "..."],
"issuedAt": "<ISO 8601>",
"expiresAt": "<ISO 8601>"
},
"algorithm": "ed25519",
"keyId": "<key id, for rotation>",
"signature": "<base64 signature over canonical(payload)>",
"publicKey": "<base64 SPKI DER Ed25519 public key>"
}Canonicalization
The signed bytes are the payload with its top-level keys sorted, then JSON.stringify. Reproduce this exactly to verify.
function canonicalize(payload) {
const ordered = {}
for (const k of Object.keys(payload).sort()) ordered[k] = payload[k]
return JSON.stringify(ordered)
}
// verify: Ed25519.verify(signature, canonicalize(payload), publicKey)Verify it yourself
Use the zero-dependency reference verifier, or the two lines above with any Ed25519 library.
npm i @queldrex/verify
import { verify } from '@queldrex/verify'
const res = await fetch('https://queldrex.com/api/trust/receipt/<id>').then(r => r.json())
const { valid, signatureValid, expired, issuerConfirmed } =
await verify(res.receipt, { checkIssuer: true })To confirm a receipt is genuinely ours (not just internally valid), check its keyId / publicKey against our published key at /api/trust/pubkey. Signed manifests (evidence bundles) use recursively-sorted-key JSON and verifyManifest.
Self-documentation (_verify)
So a file explains how to trust itself, artifacts carry a _verify block. In an evidence bundle it lives inside the signed manifest (tampering the instructions breaks the signature); in a receipt API response it lives in the envelope beside the untouched signed receipt. Either way it points to the same offline check.
"_verify": {
"cli": "npx @queldrex/verify <this-file>.json",
"spec": "https://queldrex.com/verify/spec",
"publicKey": "https://queldrex.com/api/trust/pubkey",
"algorithm": "ed25519"
}If you adopt this format, follow the same convention so any holder of your receipts can verify them without reading your docs first.
The spec and the verifier are open. Anyone can issue or check receipts in this format. Our aim is a common, verifiable receipt for AI trust decisions that outlives any one vendor, aligned with the DSSE / in-toto attestation envelope and the OpenID AuthZEN decision API. This is evidence, not a guarantee or legal advice.