Skip to main content

Overview

Every call to POST /verify records a verification result in audit_verifications. This creates a persistent record that an attestation was verified, when it was verified, and whether it was valid.

Verification record fields

ColumnTypeDescription
execution_fingerprintstringLinks to the audit_decisions record
execution_idstringThe executionId from the attestation
validbooleanWhether verification passed
signature_verified"verified" | "failed" | "unknown"Ed25519 signature check result
runtime_verified"verified" | "failed" | "unknown"Runtime identity check result
schema_compatible"verified" | "failed" | "unknown"Schema version compatibility
verified_atstringISO 8601 timestamp of verification

Verification status on decision rows

The decision list (GET /audit/decisions) includes verification fields on each DecisionRow: 
const rows = await client.audit.decisions({ policyId: "claims-approval" });

for (const row of rows) {
  console.log(row.execution_id);
  console.log(row.verification_valid);   // true | false | null (not yet verified)
  console.log(row.signature_verified);   // "verified" | "failed" | "unknown"
  console.log(row.runtime_verified);     // "verified" | "failed" | "unknown"
  console.log(row.schema_compatible);    // "verified" | "failed" | "unknown"
  console.log(row.verified_at);          // ISO timestamp | null
}

Querying unverified decisions

Decisions where verification has not been run yet show verification_valid: null and verified_at: null. 
const decisions = await client.audit.decisions({ limit: 1000 });
const unverified = decisions.filter(d => d.verification_valid === null);

// Verify each one
for (const record of unverified) {
  const detail = await client.audit.decision(record.execution_id);
  if (detail.attestation) {
    const result = await client.verify(detail.attestation);
    console.log(`${record.execution_id}: ${result.valid}`);
  }
}

Verification statistics

const stats = await client.audit.stats();

console.log(stats.total_verifications);   // "12831"
console.log(stats.valid_verifications);   // "12831"
console.log(stats.invalid_verifications); // "0"
A non-zero invalid_verifications count warrants immediate investigation — it means one or more attestations failed signature verification after being produced.

Troubleshooting

verification_valid: null for all decisions — Verification records are only created when POST /verify is called. Decide whether to verify immediately after each execution (recommended) or in a batch process. invalid_verifications > 0 — At least one verification failed. Check the audit_verifications table directly for the failing records. Retrieve the full attestation and re-run verification to confirm. Investigate whether the attestation was tampered with or whether a key rotation caused the failure. Verification shows runtime_verified: "failed" — The attestation was produced by a different runtime version than the one performing verification. This is expected when the runtime is updated. Store historical public keys and use the correct one for the attestation’s signerKeyId.