Skip to main content

What independent verification means

Any party with the Ed25519 public key can verify any attestation without access to your database, your server, your network, or your source code. This is by design. Verification is stateless. The attestation is self-contained. The public key is the only external dependency. Distribute your public key to regulators, auditors, counterparties, or clients. They can verify any decision you have ever made, years after the fact, without involving your team.

Minimal verification — TypeScript

import {
  verifyAttestation,
  LocalVerifier,
} from "@parmanasystems/core";
import fs from "node:fs";

// Only these two things are needed
const publicKey  = fs.readFileSync("trust/root.pub", "utf8");
const attestation = JSON.parse(fs.readFileSync("attestation.json", "utf8"));

const verifier = new LocalVerifier(publicKey);
const result   = verifyAttestation(attestation, verifier);

console.log(result.valid);
// true — all fields are intact and the signature is valid

if (!result.valid) {
  console.error("Verification failed:", result.checks);
}
verifyAttestation is synchronous. It makes no network calls. It reads no files other than what you provide.

Expected result

A valid attestation returns: 
{
  valid: true,
  checks: {
    signature: "verified",
    runtime: "verified",
    schema: "verified"
  }
}
An invalid attestation returns valid: false with one or more checks set to "failed".

Minimal verification — verifier-cli

For parties without a Node.js environment, the verifier-cli provides a standalone command: 
npm install -g @parmanasystems/verifier-cli

parmana-verify \
  --attestation attestation.json \
  --public-key trust/root.pub
Expected output when valid: 
✓ Signature verified
✓ Runtime identity confirmed
✓ Schema compatible
  executionId:           claim-CLM-2024-00441
  policyId:              claims-approval
  policyVersion:         1.0.0
  decision.action:       approve
  decision.reason:       Approved: gold tier within standard limit.
  execution_fingerprint: a3f8d2c1e4b5f6a7...
  runtimeVersion:        1.0.0
  signerKeyId:           parmanasystems-root-2026
Expected output when invalid: 
✗ Signature verification FAILED
  The attestation has been modified or the wrong public key was provided.
  Do not rely on this decision record.

What independent verification does NOT check

Independent verification confirms the signature and schema. It does not:
  • Confirm that the signals values are accurate (that is your system’s responsibility)
  • Confirm that the policyId/policyVersion bundle is the policy you intended (verify the bundleHash separately using verifyBundle)
  • Confirm that the action was actually taken (use POST /confirm-execution for that)

Distributing the public key

The public key is at trust/root.pub. It is a PEM-encoded Ed25519 public key: 
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEA...
-----END PUBLIC KEY-----
This file is safe to distribute publicly. It contains no secret material. Include it in:
  • Your API documentation
  • Your compliance reports
  • Your contracts and terms of service
  • Your regulatory disclosures

Audit workflow for regulators

A regulator or auditor can verify any decision with this workflow:
  1. Receive the attestation JSON from you (or retrieve it from your published audit log)
  2. Receive your public key (from trust/root.pub)
  3. Run verification:
npx @parmanasystems/verifier-cli verify-attestation \
  --attestation provided-attestation.json \
  --public-key provided-root.pub
  1. Read the output the decision, policy version, and rule matched are all in the verified output
  2. If they want to confirm the policy content, compare the bundleHash from the attestation against the policy bundle you provide
At no point do they need access to your database, your server, or your infrastructure.

Troubleshooting

Verification fails for a valid attestation The most common cause is using the wrong public key. Ensure the public key matches the signerKeyId in the attestation. If you have rotated keys, you need the public key from the key that was active when the attestation was produced. result.valid: false, checks.signature: "failed" One or more fields in the attestation JSON were modified after signing. Do not treat this attestation as proof. verifier-cli not found — Install with npm install -g @parmanasystems/verifier-cli or run with npx @parmanasystems/verifier-cli verify-attestation ....