Independent verifier for AqtaCore attestation receipts. Verifies the Ed25519 signature on an attestation receipt without trusting any third-party server. Reference implementation of ATTESTATION-v1.
aqta-verify-receipt
Independent verifier for AqtaCore attestation receipts. Checks the Ed25519 signature on an enforcement-attestation receipt using only the published public key: no dependency on Aqta's servers.
Why this exists
AqtaCore returns a signed receipt with every AI enforcement decision. Regulators, auditors, and internal compliance teams need to verify those receipts independently, without trusting the issuer. This package is the reference implementation of that verifier, maintained by Aqta under the open ATTESTATION-v1 format specification.
Install
pip install aqta-verify-receipt
Usage
from aqta_verify_receipt import verify_receipt, fetch_published_public_key
# One-time: fetch and pin the issuer's public key.
trusted = fetch_published_public_key()
# Per receipt:
result = verify_receipt(receipt, trusted_public_key=trusted)
if not result.valid:
    raise ValueError(f"Receipt invalid: {result.reason}")
print("Receipt verified without contacting Aqta.")
API
verify_receipt(receipt, *, trusted_public_key=None, strict_fields=True) → VerifyResult
Verifies an attestation receipt against the declared (or pinned) public key.
- trusted_public_key: base64url public key. If set, the receipt's public_key field must match byte for byte. Strongly recommended for production.
- strict_fields: if True (default), any unknown top-level field causes rejection, per ATTESTATION-v1 §4.
Returns a VerifyResult with fields valid: bool and reason: Optional[str].
Never raises.
fetch_published_public_key(url=..., *, timeout=10.0) → str
Fetches the AqtaCore public key from
https://app.aqta.ai/security/pubkey.txt. Pass a custom URL for self-hosted
issuers.
Dependencies
- cryptography for Ed25519 verification (pinned ≥ 42.0.0).
No other dependencies. Pure-Python spec checks, plus cryptography's
constant-time Ed25519 primitive.
Receipt format
See ATTESTATION-v1.
Licence
Apache-2.0. See LICENSE.
File details
Details for the file aqta_verify_receipt-1.0.1.tar.gz.
File metadata
- Download URL: aqta_verify_receipt-1.0.1.tar.gz
- Upload date:
- Size: 6.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.8
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 656056fdcbffabd2d21750496d738eda91c7a06f8e39a3eeef6771be7f3df26d |
| MD5 | 665d2a4c44795e5036c06aca5be12e82 |
| BLAKE2b-256 | 9857dc7946d988e5cbfdabd4f25af68f2d97c327e076419264c511eda0fb4c95 |
File details
Details for the file aqta_verify_receipt-1.0.1-py3-none-any.whl.
File metadata
- Download URL: aqta_verify_receipt-1.0.1-py3-none-any.whl
- Upload date:
- Size: 6.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.8
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 339a5b442026fecd7d4002174ee7f951a5c79dede91b5a7ad5ceafd3a39a4623 |
| MD5 | dcfc722f7bf076f95404981d2e2c8d68 |
| BLAKE2b-256 | 3357ab2b28420c9ed2debc4f05a5a765565ab9bb6bc8b587b14d6e50190f6db4 |