How trust is established
SONATE replaces trust-in-the-vendor with trust-in-the-artifact. Every AI interaction produces a signed receipt that any party can verify independently.
What the protocol proves
What was asked, what was returned
A canonical hash of the input and output payloads is signed into the receipt. In hash-only mode, the content itself never leaves the operator's trust boundary — only the hashes do.
How governance was applied
The policy decision and any constraints applied at execution time are recorded alongside the interaction, signed together. A receipt shows what was decided and how.
Sequence integrity over time
Each receipt is hash-chained to the prior receipt. Deletion, insertion, or reordering of receipts breaks the chain and is detectable by any verifier.
Signer identity
Receipts are signed with Ed25519. The signer identifier and public key are resolvable so any third party can verify without contacting the producer.
How verification works
A verifier needs three things: the receipt, the signer's public key, and the published specification. No contact with SONATE is required. Verification is a local cryptographic operation.
- Schema check. The receipt structurally conforms to the published Trust Receipt schema.
- Canonicalization. The receipt is normalised via RFC 8785 (JCS) to produce deterministic canonical bytes.
- Signature check. The Ed25519 signature verifies against the canonical bytes using the signer's public key.
- Chain check. Each receipt's prior-hash matches the previous receipt's ID.
- Receipt ID check. The recomputed SHA-256 over the canonical bytes equals the stated receipt ID.
Any step failing causes overall verification to fail. The MIT-licensed @sonate/verify-sdk implements this protocol.
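The signature, receipt ID and chain checks from the list above, sketched in Node.js as an added example; this is not the @sonate/verify-sdk code and does not follow the published schema. The field names (`id`, `prev`, `signature`, `seq`, `input_hash`, `output_hash`, `policy`), the exclusion of `id` and `signature` from the canonical bytes, the `null` first link and the hex/base64 encodings are assumptions, and the schema check is omitted.

```javascript
const crypto = require("node:crypto");

// JCS-style canonical form: keys sorted recursively, no whitespace.
// Enough for the strings, integers and nulls used here; not a full RFC 8785 implementation.
function canonicalize(v) {
  if (Array.isArray(v)) return "[" + v.map(canonicalize).join(",") + "]";
  if (v && typeof v === "object")
    return "{" + Object.keys(v).sort().map(k => JSON.stringify(k) + ":" + canonicalize(v[k])).join(",") + "}";
  return JSON.stringify(v);
}

// Assumed layout: `id` and `signature` are not part of the canonical bytes.
function canonicalBytes(receipt) {
  const { id, signature, ...body } = receipt;
  return Buffer.from(canonicalize(body), "utf8");
}

// Producer side, used here only to construct sample receipts.
function issue(body, prevId, privateKey) {
  const r = { ...body, prev: prevId };
  const bytes = canonicalBytes(r);
  r.id = crypto.createHash("sha256").update(bytes).digest("hex");
  r.signature = crypto.sign(null, bytes, privateKey).toString("base64");
  return r;
}

// Verifier side: signature, receipt ID and chain checks; reports the first failure.
function verifyChain(receipts, publicKey) {
  let prevId = null; // assumed marker for the first receipt in a chain
  for (const [i, r] of receipts.entries()) {
    const bytes = canonicalBytes(r);
    if (!crypto.verify(null, bytes, publicKey, Buffer.from(String(r.signature), "base64")))
      return { ok: false, index: i, reason: "signature" };
    if (crypto.createHash("sha256").update(bytes).digest("hex") !== r.id)
      return { ok: false, index: i, reason: "receipt-id" };
    if (r.prev !== prevId) return { ok: false, index: i, reason: "chain" };
    prevId = r.id;
  }
  return { ok: true };
}

// Constructed sample data: a throwaway key pair and a three-receipt chain.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
function sampleChain() {
  const out = [];
  for (const n of [1, 2, 3])
    out.push(issue({ seq: n, input_hash: "in" + n, output_hash: "out" + n, policy: "allow" }, out.length ? out[out.length - 1].id : null, privateKey));
  return out;
}
```

Removing receipts from the end of the list leaves every remaining link consistent, so a verifier that needs to detect truncation has to learn the expected latest receipt ID from somewhere other than the chain itself.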
What this protocol does not do
Honest framing matters. Trust Receipts are an evidence primitive, not a complete governance solution. They do not:
- Monitor an agent's behaviour over time or score ongoing "trust"
- Validate the semantic correctness of policy decisions
- Compel a producer to disclose chains they have chosen to withhold
- Protect against compromise of the signing key (key custody is operational)
Receipts compose with other controls (access management, policy review, model evaluation) to form a defensible audit posture.
Read the full specification
The Trust Receipt Whitepaper documents the full protocol — schema, canonicalization, signing, chaining, verification, threat model. The SDK and reference implementation are open source.