Verifiable Agent Output Specification
An open, public-domain specification for cryptographically signed AI agent receipts. Any party — auditor, customer, regulator — can confirm what an agent did, with which inputs, against which safety checks, without trusting the platform that produced it.
Every enterprise blocking AI deployment cites the same reason: “I can't prove what the model did, so I can't put it anywhere that matters.” Frontier labs make models smarter. Nobody's making agent outputs auditable. VAOS closes that gap with a single primitive: every output is signed by the issuing platform over a deterministic canonical projection of its inputs, model, safety checks, and outputs.
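A reader holding the receipt can recompute the canonical projection and verify the signature against the platform's public verification endpoint, without the platform sharing its signing key. Same trust model as TLS / Let's Encrypt, applied to AI outputs. Because the signature is an HMAC, the comparison itself happens at that endpoint, which is why the v1 threat model covers tamper detection but not non-repudiation.
The signature is HMAC-SHA256 over a byte-deterministic canonical projection. Changing a single byte in the input, output, or safety checks produces a signature mismatch.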
Any party with the public verifier endpoint can confirm authenticity. No platform lock-in. Works across vendors.
Built to satisfy EU AI Act Art. 12, POPIA s. 71, GDPR Art. 22 traceability requirements out of the box.
```ts
import { verifyRemote } from "@sovereign-matrix/vaos-verifier";

// receiptUrl and issuerUrl are supplied by the caller.
const receipt = await fetch(receiptUrl).then(r => r.json());
const { valid } = await verifyRemote(receipt, { baseUrl: issuerUrl });
```

Zero dependencies. Node 18+, browsers, edge runtimes, Deno. MIT license; drop into any project.
| Property | Value |
|---|---|
| Algorithm | HMAC-SHA256 over canonical JSON |
| Signature envelope | v1=<64-char-lowercase-hex> |
| Canonicalization | Top-level field order locked; nested object keys recursively sorted; arrays preserve element order |
| Verification endpoint | POST /api/verify (open CORS, no auth) |
| Threat model | Tamper detection · cross-origin verifiability · NOT non-repudiation (extension planned in v2) |
| License | CC0 1.0 (spec) · MIT (reference impl) |
| Status | Draft, open for comment |
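
The canonicalization and envelope rules from the table above, as an added example that is not code from the VAOS reference implementation. The top-level field names, the sample receipt and the demo key are assumptions, since the page does not list the locked field order.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

// ASSUMPTION: the page locks top-level order but does not list the fields;
// these names are hypothetical. "signature" is deliberately not among them.
const TOP_LEVEL_ORDER = ["id", "model", "inputs", "safety", "outputs"];

// Nested values: object keys sorted recursively, array order preserved.
// The string is built by hand so JS property-ordering quirks cannot leak in.
function canon(value) {
  if (Array.isArray(value)) return "[" + value.map(canon).join(",") + "]";
  if (value !== null && typeof value === "object") {
    const members = Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canon(value[k]));
    return "{" + members.join(",") + "}";
  }
  return JSON.stringify(value); // string, number, boolean, null
}

function canonicalProjection(receipt) {
  const members = TOP_LEVEL_ORDER.map((field) => {
    if (!(field in receipt)) throw new Error("missing field: " + field);
    return JSON.stringify(field) + ":" + canon(receipt[field]);
  });
  return "{" + members.join(",") + "}";
}

// Envelope from the spec table: v1=<64-char-lowercase-hex>
function sign(receipt, key) {
  const mac = createHmac("sha256", key);
  mac.update(canonicalProjection(receipt), "utf8");
  return "v1=" + mac.digest("hex");
}

// HMAC is symmetric, so this check needs the same key that signed.
function verify(receipt, key) {
  const sig = receipt.signature;
  // Strict envelope match also guarantees equal lengths for timingSafeEqual.
  if (typeof sig !== "string" || !/^v1=[0-9a-f]{64}$/.test(sig)) return false;
  return timingSafeEqual(Buffer.from(sig), Buffer.from(sign(receipt, key)));
}

// Constructed sample data; the key is a demo value, not a real secret.
const DEMO_KEY = "constructed-demo-key";
const sampleReceipt = {
  id: "r-001", model: { name: "demo-model", version: "1" },
  inputs: { prompt: "hi", params: { top_p: 1, temp: 0 } },
  safety: [{ check: "pii", passed: true }, { check: "toxicity", passed: true }],
  outputs: { text: "hello" },
};
sampleReceipt.signature = sign(sampleReceipt, DEMO_KEY);
```

Reordering nested keys leaves the signature valid, while reordering the `safety` array or changing one character of the output makes `verify` return false.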
VAOS 1.0 is currently in open-comment phase. Endorsements from compliance bodies, audit firms, and AI infrastructure vendors arrive here as they are signed.
Interested in endorsing or implementing? spec@sovereignmatrix.agency
| Implementation | Type | License | Status | Description |
|---|---|---|---|---|
| @sovereign-matrix/vaos-verifier | TypeScript | MIT | REFERENCE | Pure TS + Web Crypto. Node 18+, browsers, edge, Deno. Zero dependencies. |
| POST /api/verify | HTTP | — | LIVE | Public verification endpoint hosted by Sovereign Matrix. Open CORS, no auth, rate-limited 60 req/min per IP. |
| GET /api/verify/badge.svg?id=<receipt-id> | SVG | — | LIVE | Drop-in shields-style badge for READMEs. Live signature check on every request. |
| <SovereignBadge id='...' /> | React | MIT | REFERENCE | Drop-in React component. SSR-safe. Light + dark themes. |
| npx @sovereign-matrix/agent-sdk verify <id> | CLI | MIT | REFERENCE | One-command third-party verification. Pretty + --json modes. Proper exit codes for shell pipelines. |
We'll list you here, link your implementation, and cross-promote. The format becomes more valuable to everyone as more parties adopt it.
spec@sovereignmatrix.agency
Specification published under CC0 1.0 (public domain). Implementations published under MIT.