DEV Community

Cover image for Audit-trail receipts you can verify offline
João André Gomes Marques
João André Gomes Marques

Posted on • Edited on • Originally published at asqav.com

Audit-trail receipts you can verify offline

#security #ai #opensource #tutorial

Buyers ask for an audit trail. You hand them a CSV of timestamps. They ask if the timestamps are tamper-evident. You hand them a SOC 2 report. None of that lets them verify a single agent action without your help.

Asqav now ships a public per-agent profile so anyone with the agent ID can pull the receipt history and check the signatures themselves. No login, no API key, no call back to your stack.

What is in the profile

Every agent registered against an Asqav org gets a stable URL of the form asqav.com/a/. The profile renders three things:

  1. The agent's identity, which is the agent name, the signature algorithm, and the public key used for verification.
  2. A running count of signed actions, served as an SVG badge you can embed anywhere.
  3. A reverse-chronological list of recent signed actions with action type and timestamp, plus a breakdown of the most common action types.

The history itself stays verifiable. Export the receipts and the agent's public key, and any ML-DSA implementation can check the signatures without talking to Asqav.

The embed badge

The point of a public profile is that other people can point to it. Asqav ships an SVG badge and an iframe so you can drop trust evidence into a README, a docs page, or a procurement portal.

The SVG badge is served straight from the API. It shows the agent's current count of signed actions, so the number is fresh every time someone loads the image.

[

](https://asqav.com/a/agent_abc123)
Enter fullscreen mode Exit fullscreen mode

The iframe is the embed version of the full profile. It renders the identity block, the badge, and the latest signed actions. Drop it in your repo or in a vendor security page and reviewers do not need to leave that page to check the signatures.
Enter fullscreen mode Exit fullscreen mode

The embed sends a CSP frame-ancestors response that lets it render in any host. There is no JavaScript reaching out to your stack. The receipts use the canonical format and a public ML-DSA key, so a reviewer can export them and re-verify offline.

Why offline matters

An auditor or a procurement reviewer is rarely on the same network as the producer of the receipts. The whole point of a signed audit trail is that you can hand over the receipts and the public key and walk away. The profile, the badge, and the iframe are all wrappers around that property. There is no privileged endpoint and no shared secret. The signatures are checked against a public key.

That is what makes this useful for EU AI Act Article 12 evidence packs, DORA operational resilience reviews, and SOC 2 system descriptions. The reviewer leaves the meeting able to spot-check any line in the trail.

Try it

  • Your agent's public profile lives at asqav.com/a/<agent_id>.
  • Its badge: api.asqav.com/api/v1/agents/<agent_id>/badge.svg
  • Embed it in your README using the iframe markup above.

The cryptography is the same ML-DSA-65 used everywhere else in Asqav. The new piece is making the verification surface public, so a buyer can check the chain without needing your help.

Top comments (0)