
Verifying a receipt

In the browser

The fastest way is the public verifier at app.cloakapi.io/receipt-verifier. Paste a receipt JSON, press Verify. No login required. The page calls the public POST /api/v1/receipts/verify endpoint and renders a per-step breakdown.

From the CLI

curl -X POST https://api.cloakapi.io/api/v1/receipts/verify \
  -H 'Content-Type: application/json' \
  -d "{\"receipt\": $(cat receipt.json)}"

Returns:

{
  "valid": true,
  "reason": null,
  "checks": [
    {"label": "Schema valid (OpenReceipt v1)", "status": "ok", "detail": "0.4 ms"},
    {"label": "Algorithm allow-listed", "status": "ok", "detail": "ecdsa-p256-sha256"},
    {"label": "Signature (ecdsa-p256-sha256)", "status": "ok", "detail": "8.1 ms"},
    {"label": "Chain link present", "status": "ok", "detail": "seq 47"}
  ]
}

HTTP 200 means the receipt is valid. HTTP 422 with valid: false means at least one check failed; the per-step checks array tells you which.

In your own code

A receipt is just a signed JSON object. Any standard ECDSA-P-256-SHA-256 verifier works — the gateway is just a convenience wrapper.

Pseudocode:

jwks = HTTP GET /.well-known/cloakapi-receipt-pubkeys.jwks
key = jwks[receipt.kid]
canon = json_canonicalize(receipt without "signature")
ok = ecdsa_verify(key, sha256(canon), receipt.signature)

The reference implementation is at packages/open-receipt-rs in the CloakAPI repo (Rust, FIPS-compliant via aws-lc-rs).
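
The pseudocode above as a runnable Node.js sketch, added here as an example and not taken from the CloakAPI reference implementation. It assumes a sorted-key canonical form, an "alg" field on the receipt, a standard "keys" array in the JWKS, and a base64url-encoded raw r||s signature; check each of these against the OpenReceipt specification before relying on it. The names verifyReceipt, canonicalize and makeSample are hypothetical.

```javascript
// Added example, not CloakAPI's code. Uses only Node's built-in crypto module.
const nodeCrypto = require('node:crypto');

const ALLOWED_ALGS = new Set(['ecdsa-p256-sha256']); // pin the algorithm locally

// ASSUMPTION: canonical JSON = keys sorted recursively, no whitespace.
function canonicalize(v) {
  if (Array.isArray(v)) return '[' + v.map(canonicalize).join(',') + ']';
  if (v && typeof v === 'object') {
    return '{' + Object.keys(v).sort()
      .map((k) => JSON.stringify(k) + ':' + canonicalize(v[k])).join(',') + '}';
  }
  return JSON.stringify(v);
}

// jwks: parsed JWKS document, fetched over HTTPS and cached by the caller.
function verifyReceipt(receipt, jwks) {
  const fail = (reason) => ({ valid: false, reason });
  if (!receipt || typeof receipt !== 'object') return fail('not an object');
  const { signature, ...unsigned } = receipt;
  if (typeof signature !== 'string') return fail('missing signature');
  // ASSUMPTION: the algorithm is carried in an "alg" field.
  if (!ALLOWED_ALGS.has(receipt.alg)) return fail('algorithm not allow-listed');
  const jwk = ((jwks && jwks.keys) || []).find((k) => k.kid === receipt.kid);
  if (!jwk || jwk.kty !== 'EC' || jwk.crv !== 'P-256') return fail('unknown key');
  // ASSUMPTION: signature is base64url of the raw 64-byte r||s pair.
  const sig = Buffer.from(signature, 'base64url');
  if (sig.length !== 64) return fail('bad signature length');
  const key = nodeCrypto.createPublicKey({ key: jwk, format: 'jwk' });
  // verify() applies SHA-256 itself, so pass the canonical bytes, not a digest.
  const ok = nodeCrypto.verify('sha256', Buffer.from(canonicalize(unsigned)),
    { key, dsaEncoding: 'ieee-p1363' }, sig);
  return ok ? { valid: true, reason: null } : fail('signature mismatch');
}

// Constructed sample: throwaway key pair and a made-up receipt body.
function makeSample() {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'test-key-1' }] };
  const body = { alg: 'ecdsa-p256-sha256', kid: 'test-key-1', seq: 47, payload: { b: 2, a: 1 } };
  const sig = nodeCrypto.sign('sha256', Buffer.from(canonicalize(body)),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return { receipt: { ...body, signature: sig.toString('base64url') }, jwks };
}
```

The algorithm and key checks run before any signature math, so a receipt naming an unexpected algorithm or an unknown kid is rejected without touching the key material.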