Transparency Log
Everything you need to verify ProlixoTech evidence bundles offline. No account, no API key, no trust required.
Trust Anchor
All ProlixoTech receipts are signed using AWS KMS with ECDSA P-256. This is the public key identity you verify against.
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1umoZJKV/P++ILkD3LzHn4GcYfxn
sTF0AR+tkNCwunMyPMtcr8ntJu+yqTR5IA+VS/CoV+KkwoP6FmMQ40h+OA==
-----END PUBLIC KEY-----
aws kms get-public-key --key-id alias/prolixo-evidence-signing --region us-east-1Verify Offline Walkthrough
Every export bundle is self-contained. Here's how to verify one without calling any ProlixoTech API.
Extract the bundle
Export bundles are ZIP files containing:
evidence-bundle/
receipt.json # The signed evidence record
merkle-proof.json # Inclusion proof in daily tree
daily-root.json # Signed root for that day
trust-anchor.json # Public key identity
VERIFY.md # Step-by-step instructionsVerify the receipt signature
Recompute the digest and check the KMS signature:
# 1. Canonicalize the payload (RFC 8785 style)
canonical = json.dumps(receipt["payload"], sort_keys=True,
separators=(",", ":"), ensure_ascii=False)
# 2. Hash it
digest = hashlib.sha256(canonical.encode()).digest()
# 3. Verify ECDSA signature against public key
# Use receipt["signature_der_b64"] and trust-anchor public key
public_key.verify(signature, digest, ec.ECDSA(hashes.SHA256()))Verify Merkle inclusion
Confirm the receipt is in the daily Merkle tree:
# The merkle-proof.json contains:
{
"leaf_hash": "base64url-encoded-receipt-digest",
"proof": ["hash1", "hash2", ...], # sibling hashes
"leaf_index": 42,
"tree_size": 1024
}
# Walk the proof path to reconstruct the root
computed_root = verify_merkle_proof(leaf_hash, proof, leaf_index)
assert computed_root == daily_root["root_hash"]Verify daily root signature
The daily root is also signed with the same KMS key:
# daily-root.json contains:
{
"day": "2026-01-20",
"root_hash": "base64url-encoded",
"signature_der_b64": "...",
"signed_at": "2026-01-20T23:59:59Z"
}
# Verify this signature the same way as the receiptKey insight: The trust anchor (public key) is the only artifact you need from us. Once you have it, all verification is pure math using standard ECDSA P-256 and SHA-256. Exported bundles remain independently verifiable without any ProlixoTech API or account, as long as the underlying cryptographic algorithms are considered secure (current NIST guidance: through at least 2030).
Sample Export Bundle
Below is a preview of what a real signed receipt looks like. You can export your own bundles via the Exports page and verify them using the reference code further down.
{
"event_id": "sample-2026-01-20-demo",
"tenant_id": "demo-tenant",
"event_type": "ai_inference",
"payload": {
"model_id": "gpt-4",
"input_hash": "sha256:a1b2c3d4...",
"output_hash": "sha256:e5f6g7h8...",
"policy_version": "2.1.0"
},
"digest_b64url": "dGhpcyBpcyBhIHNhbXBsZSBkaWdlc3Q",
"signature_der_b64": "MEUCIQDx...sample...signature",
"kms_key_id": "alias/prolixo-evidence-signing",
"signing_alg": "ECDSA_SHA_256",
"received_at": 1737331200
}Reference Verification Code
Complete Python script to verify a bundle offline:
import json, hashlib, base64
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
def verify_bundle(bundle_path):
# Load files
with open(f"{bundle_path}/receipt.json") as f:
receipt = json.load(f)
with open(f"{bundle_path}/trust-anchor.json") as f:
anchor = json.load(f)
# Load public key
pub_key = serialization.load_pem_public_key(
anchor["public_key_pem"].encode()
)
# Canonicalize and hash
canonical = json.dumps(
receipt["payload"],
sort_keys=True,
separators=(",", ":"),
ensure_ascii=False
)
digest = hashlib.sha256(canonical.encode()).digest()
# Decode signature
sig = base64.urlsafe_b64decode(
receipt["signature_der_b64"] + "=="
)
# Verify
try:
pub_key.verify(sig, digest, ec.ECDSA(hashes.SHA256()))
print("VALID - Signature verified")
return True
except Exception as e:
print(f"INVALID - {e}")
return False
# Usage
verify_bundle("./evidence-bundle")