Receipt verification

Verify a cloakapps receipt

Paste or upload a receipt JSON. The page fetches the issuer's published JWKS, verifies the JWS signature locally in your browser, and shows you exactly what was attested. No cloakapps account required.

The page fetches the JWKS from the receipt's issuer URL at /.well-known/cloakapps-receipt-keys.json. Cross-origin fetches require the issuer to set CORS headers.

How verification works. Cloakapps receipts use JWS JSON Serialization with JCS canonicalization and ECDSA P-256 (ES256). The verifier:

  1. Parses the envelope (payload, protected, signature).
  2. Reads the kid and issuer.
  3. Fetches the issuer's public JWKS.
  4. Verifies the signature against SHA-256(protected + "." + payload) using the resolved EC public key.
  5. Renders the payload — operation, actor, resource, fingerprint, timestamp, key reference.
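
The five steps above in WebCrypto, as an added example that is not cloakapps code. It assumes a flattened JWS envelope with alg and kid in the protected header and takes the JWKS as an already-fetched argument; the demo key, kid and payload fields are constructed.

```javascript
// Added example, not cloakapps code. Assumes a flattened JWS envelope whose
// protected header carries "alg" and "kid", and an already-fetched JWKS.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const P256 = { name: "ECDSA", namedCurve: "P-256" };
const ES256 = { name: "ECDSA", hash: "SHA-256" }; // WebCrypto hashes the input
const utf8 = new TextEncoder();
const b64uToBytes = (s) => {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64.padEnd(Math.ceil(b64.length / 4) * 4, "=");
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
};
const bytesToB64u = (bytes) => btoa(String.fromCharCode(...new Uint8Array(bytes)))
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const b64uJson = (obj) => bytesToB64u(utf8.encode(JSON.stringify(obj)));
const jsonFromB64u = (s) => JSON.parse(new TextDecoder().decode(b64uToBytes(s)));

async function verifyReceipt(receipt, jwks) {
  const { payload, protected: prot, signature } = receipt; // step 1
  if (![payload, prot, signature].every((v) => typeof v === "string"))
    throw new Error("envelope needs payload, protected and signature");
  const header = jsonFromB64u(prot); // step 2
  // Pin the algorithm; the header must not choose how it gets verified.
  if (header.alg !== "ES256") throw new Error("unexpected alg: " + header.alg);
  const jwk = jwks.keys.find((k) => k.kid === header.kid); // key from step 3's JWKS
  if (!jwk || jwk.kty !== "EC" || jwk.crv !== "P-256")
    throw new Error("no P-256 key for kid " + header.kid);
  const sig = b64uToBytes(signature);
  if (sig.length !== 64) throw new Error("ES256 signature must be 64 bytes");
  // Import only the curve point, ignoring any other members of the JWK.
  const key = await subtle.importKey("jwk",
    { kty: "EC", crv: "P-256", x: jwk.x, y: jwk.y }, P256, false, ["verify"]);
  const input = utf8.encode(prot + "." + payload); // step 4 signing input
  if (!(await subtle.verify(ES256, key, sig, input)))
    throw new Error("signature does not verify");
  return jsonFromB64u(payload); // step 5: decode only after verification
}

// Constructed demo: throwaway key pair and made-up receipt fields.
async function demo() {
  const pair = await subtle.generateKey(P256, true, ["sign", "verify"]);
  const pub = await subtle.exportKey("jwk", pair.publicKey);
  const jwks = { keys: [{ ...pub, kid: "demo-key-1" }] };
  const prot = b64uJson({ alg: "ES256", kid: "demo-key-1" });
  const payload = b64uJson({ operation: "read", resource: "example" });
  const sig = await subtle.sign(ES256, pair.privateKey, utf8.encode(prot + "." + payload));
  const receipt = { payload, protected: prot, signature: bytesToB64u(sig) };
  const forged = { ...receipt, payload: b64uJson({ operation: "delete" }) };
  const rejected = await verifyReceipt(forged, jwks).then(() => false, () => true);
  return { verified: await verifyReceipt(receipt, jwks), rejected };
}
```

Calling demo() resolves to the decoded payload of the valid receipt and a flag confirming that the same signature over an altered payload was rejected.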

Spec: cloakapps-docs/mcp-server/receipts-spec.md. Self-host guide: receipts-self-host.md.