Authorization decisions need to produce tamper-evident receipts — cryptographically signed records that capture the full context of each decision: what action was attempted, who initiated it, the session state, and what the system decided (and why). Each receipt is signed so it can be verified offline by a third party, and receipts are hash-chained together so that deletions and reorderings are detectable, not just modifications.
The point: the decision log becomes independently verifiable rather than something you just have to trust.
Signing
Signing algorithm (any of):
- Ed25519
- ECDSA P-256
- RSA-2048 minimum
What gets signed: canonical serialization of the receipt contents — meaning deterministic, reproducible byte representation.
Public keys must be available for offline verification.
Receipt contents
Each receipt must contain:
- Action: tool, operation, parameters, timestamp
- Context: session identifier, accumulated context at decision time
- Identity: human principal, service identity, agent identity, role/privilege scope
- Decision: result (ALLOW/DENY/MODIFY/STEP_UP/DEFER), matched policy, reason
- Approval (if applicable): approver identity, decision, timestamp
- Deferral (if applicable): deferral reason, resolution method, resolution timestamp
- Outcome: execution result, error details if failed
- Signature: cryptographic signature verifiable offline
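An added example (not part of this specification or any reference implementation) showing the signing and chaining rules above end to end in Go: canonical serialization via encoding/json, Ed25519 signatures, a SHA-256 link to the previous receipt, and an offline verifier that needs only the public key. The Receipt struct is a hypothetical, trimmed subset of the required contents; the field names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Receipt is one signed, hash-chained decision record; the field set is a
// hypothetical subset of the required contents, trimmed for brevity.
type Receipt struct {
	Action    map[string]any `json:"action"`    // tool, operation, parameters, timestamp
	Principal string         `json:"principal"` // human / service / agent identity
	Decision  string         `json:"decision"`  // ALLOW, DENY, MODIFY, STEP_UP, DEFER
	Seq       uint64         `json:"seq"`       // position in the chain
	PrevHash  string         `json:"prev_hash"` // SHA-256 of the previous signed receipt
	Signature []byte         `json:"signature,omitempty"`
}

// canonical is the deterministic byte form that gets signed: encoding/json writes
// struct fields in declaration order and sorts map keys; the signature is excluded.
func canonical(r Receipt) []byte {
	r.Signature = nil
	b, _ := json.Marshal(r)
	return b
}

// hashOf commits to the whole signed receipt, contents and signature.
func hashOf(r Receipt) string {
	b, _ := json.Marshal(r)
	return fmt.Sprintf("%x", sha256.Sum256(b))
}

// Append assigns seq and the previous-hash link, signs, and appends.
func Append(chain []Receipt, priv ed25519.PrivateKey, r Receipt) []Receipt {
	r.Seq, r.PrevHash = uint64(len(chain)), ""
	if n := len(chain); n > 0 {
		r.PrevHash = hashOf(chain[n-1])
	}
	r.Signature = ed25519.Sign(priv, canonical(r))
	return append(chain, r)
}

// Verify needs only the public key: a bad signature exposes modification,
// a wrong seq or prev_hash exposes deletion or reordering.
func Verify(chain []Receipt, pub ed25519.PublicKey) error {
	prev := ""
	for i, r := range chain {
		if !ed25519.Verify(pub, canonical(r), r.Signature) || r.Seq != uint64(i) || r.PrevHash != prev {
			return fmt.Errorf("receipt %d: modified, missing, or out of order", i)
		}
		prev = hashOf(r)
	}
	return nil
}
```

The chain by itself cannot reveal that receipts were dropped from the end, so the latest hash should also be anchored somewhere the log writer does not control.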