Buyers ask for an audit trail. You hand them a CSV of timestamps. They ask if the timestamps are tamper-evident. You hand them a SOC 2 report. None of that lets them verify a single agent action without your help.
Asqav now ships a public per-agent profile so anyone with the agent ID can pull the receipt history and check the signatures themselves. No login, no API key, no call back to your stack.
What is in the profile
Every agent registered against an Asqav org gets a stable URL of the form asqav.com/a/. The profile renders three things:
- The agent's identity claim, which is the agent name, owner org, and the public key fingerprint used for ML-DSA-65 signatures.
- A trust-level badge, L0 to L3, computed from policy coverage, receipt continuity, and incident history.
- A reverse-chronological list of recent signed receipts with action type, timestamp, and the verification status.
Each receipt links to the canonical JSON, the COSE_Sign1 form, and a one-click "verify in browser" path that pulls the public key, runs ML-DSA verification in WASM, and shows pass or fail.
The embed badge
The point of a public profile is that other people can point to it. Asqav ships an SVG badge and an iframe so you can drop trust evidence into a README, a docs page, or a procurement portal.
The SVG badge is a static image served from the API. It always reflects the current trust level, which means a regression in policy coverage updates the badge automatically the next time it is fetched.
[](https://asqav.com/a/agent_abc123)
The iframe is the embed version of the full profile. It renders the latest receipts, the trust level, and the verify-in-browser link. Drop it in your repo or in a vendor security page and reviewers do not need to leave that page to check the signatures.
The embed is served with a CSP frame-ancestors directive that lets it render on any host. There is no JavaScript reaching out to your stack. The verifier path uses the public ML-DSA key and the canonical receipt format, so a reviewer can save the page and re-verify offline.
Why offline matters
An auditor or a procurement reviewer is rarely on the same network as the producer of the receipts. The whole point of a signed audit trail is that you can hand over the receipts and the public key and walk away. The profile, the badge, and the iframe are all wrappers around that property. There is no privileged endpoint, no rate-limited verification API, and no shared secret. The signatures are checked against a public key.
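What an offline check of a receipt's COSE_Sign1 form has to reconstruct, as an added example (not Asqav's code): per RFC 9052 the signature covers the Sig_structure built from the protected header and the payload, and does not cover the unprotected header. It assumes an attached payload and empty external AAD; `ml_dsa_65_verify` is a hypothetical caller-supplied ML-DSA-65 verifier with the agent's public key already bound, and `SAMPLE` is a constructed message, not a real Asqav receipt.

```python
def _item(buf, i):
    """Decode one item of the CBOR subset COSE_Sign1 uses: (value, next index)."""
    if i >= len(buf) or buf[i] & 0x1F > 27:
        raise ValueError("truncated input or indefinite/reserved length")
    major, arg, i = buf[i] >> 5, buf[i] & 0x1F, i + 1
    if arg >= 24:                        # argument follows in 1, 2, 4 or 8 bytes
        n = 1 << (arg - 24)
        arg, i = int.from_bytes(buf[i:i + n], "big"), i + n
    if major < 2:                        # unsigned or negative integer
        return (arg if major == 0 else -1 - arg), i
    if major in (2, 3):                  # byte string or text string
        if i + arg > len(buf):
            raise ValueError("truncated string")
        raw = bytes(buf[i:i + arg])
        return (raw if major == 2 else raw.decode()), i + arg
    if major in (4, 5):                  # array, or map (two items per entry)
        out = []
        for _ in range(arg * (major - 3)):
            value, i = _item(buf, i)
            out.append(value)
        return (out if major == 4 else dict(zip(out[::2], out[1::2]))), i
    if major == 6 and arg == 18:         # tag 18 marks a COSE_Sign1 message
        return _item(buf, i)
    raise ValueError("unsupported CBOR type")

def _bstr(b):                            # CBOR byte string, length < 65536
    n = len(b)
    return (bytes([0x40 | n]) if n < 24 else bytes([0x58, n]) if n < 256
            else b"\x59" + n.to_bytes(2, "big")) + b

def to_be_signed(cose, external_aad=b""):
    """Return (Sig_structure bytes, signature) for an attached-payload COSE_Sign1."""
    msg, end = _item(cose, 0)
    if end != len(cose) or not isinstance(msg, list) or len(msg) != 4:
        raise ValueError("not a single COSE_Sign1 array")
    protected, _unprotected, payload, sig = msg
    if not all(isinstance(x, bytes) for x in (protected, payload, sig)):
        raise ValueError("detached payload or malformed field")
    if len(sig) != 3309:                 # ML-DSA-65 signature size per FIPS 204
        raise ValueError("wrong signature length for ML-DSA-65")
    fields = (protected, external_aad, payload)
    return b"\x84\x6aSignature1" + b"".join(map(_bstr, fields)), sig

def verify_receipt(cose, ml_dsa_65_verify):
    """ml_dsa_65_verify(message, signature) -> bool is an assumed caller-supplied verifier."""
    return bool(ml_dsa_65_verify(*to_be_signed(cose)))

# Constructed sample: tag 18, [protected, {} unprotected, payload "{}", zeroed sig]
SAMPLE = b"\xd2\x84\x44\xa1\x01\x38\x30\xa0\x42{}" + _bstr(bytes(3309))
```

Because the unprotected header is outside the signed bytes, a reviewer should treat anything read from it (key hints, timestamps added in transit) as unauthenticated and rely only on the protected header and payload.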
That is what makes this useful for EU AI Act Article 12 evidence packs, DORA operational resilience reviews, and SOC 2 system descriptions. The reviewer leaves the meeting able to spot-check any line in the trail.
Try it
- Public profile: asqav.com/a/demo
- Badge for the demo agent: badge.svg
- Embed it in your README using the iframe markup above.
The cryptography is the same ML-DSA-65 used everywhere else in Asqav. The new piece is making the verification surface public, so a buyer can check the chain without needing your help.