Skip to content

Reproducibility & open-source plan


OpenReceipt specification

ItemStatus
Spec documentPublishedsignedreceipts.org/spec
Extension registryPublishedsignedreceipts.org/spec/extensions
Spec source archivePublishedsignedreceipts.org/source/spec
VersionOpenReceipt v3 (client-signed + gateway-countersigned; legacy v1/v2 continue to verify)

The OpenReceipt wire format is the envelope used by CloakAPI for all signed receipts. The published specification defines the JSON envelope, the canonicalisation rules (RFC 8785 JCS), the signing procedure (ECDSA P-256 over the canonical serialised body), the chain-linking structure, the three trust tiers (gateway-countersigned / beacon-anchored / local-only), and the gateway countersignature. The current envelope version is v3: the receipt is signed by the client that performed the tokenisation before egress, and optionally countersigned by the gateway. Legacy v1/v2 receipts remain verifiable indefinitely.


Reference verifiers

ItemStatus
Live browser verifierPublishedapp.cloakapi.io/receipt-verifier (runs entirely in your browser)
JavaScript reference verifierPublishedsignedreceipts.org/verifier + source at /source/reference-typescript
Python reference verifierPublishedsignedreceipts.org/source/reference-python
Rust reference implementationPublishedsignedreceipts.org/source/reference-rust
Verifier CLIPublishedsignedreceipts.org/source/verifier-cli
Verification guideVerifying a receipt

The reference verifiers are standalone (no CloakAPI SDK dependency). Any third party can verify a receipt given only:

  1. The receipt JSON envelope. v3 receipts are self-contained — the attester public key is embedded, so verification works fully offline.
  2. For gateway countersignatures: the JWKS from https://api.cloakapi.io/api/.well-known/cloakapi-receipt-pubkeys.jwks.
  3. (Optionally) the transparency seed feed.

Reference sources are published as versioned tarballs under signedreceipts.org/source — the project is developed in a private tree and published there, not on GitHub. The verify receipt guide documents the manual steps.


Conformance test suite

ItemStatus
Conformance test suitePublishedsignedreceipts.org/conformance
Test vectorsPublished — fixtures + self-run instructions at /source/conformance

The conformance suite defines canonical test vectors for:

  • Valid receipt verification (positive cases).
  • Invalid signature rejection (tampered body, wrong key, expired kid).
  • Chain hash validation (gapless seq, prev_hash continuity, fork rejection).
  • JWKS resolution and revoked: true handling.

Third parties implementing an OpenReceipt verifier can run this suite to confirm conformance and claim the badge.


SLSA build provenance

SLSA levelDescriptionCloakAPI status
L0No provenanceCurrent
L1Provenance exists (unsigned)Not yet
L2Signed provenance, hosted buildNot yet
L3Hermetic, reproducible builds; signed provenanceRoadmap

What SLSA L3 would provide

  • Build recipes are verifiably complete — no implicit inputs.
  • Build environment is hermetic — network access blocked during build.
  • Provenance is generated and signed by the build platform.
  • Consumers can verify that a published artifact matches a specific source commit.

Roadmap path

  1. Add SLSA L1 provenance generation to CI (next milestone).
  2. Adopt hermetic build environments (L2).
  3. Publish signed provenance bundles alongside container images and gateway releases (L3 target).

Summary table

ArtifactPublished todayWhere
OpenReceipt spec (v3)Yessignedreceipts.org/spec
Extension registryYessignedreceipts.org/spec/extensions
Live browser verifierYesapp.cloakapi.io/receipt-verifier
Python reference verifierYessignedreceipts.org/source/reference-python
JS/TS reference verifierYessignedreceipts.org/source/reference-typescript
Conformance test suiteYessignedreceipts.org/conformance
SLSA L1 provenanceNoNext milestone
SLSA L3 provenanceNoRoadmap
JWKS endpointYeshttps://api.cloakapi.io/api/.well-known/cloakapi-receipt-pubkeys.jwks
Transparency seed feedYes (opt-in)https://api.cloakapi.io/api/v1/transparency/seeds.jsonl
Receipt verification guideYesVerifying a receipt