Verify a Hiperlinks Artefact

Every ratification and governance export from Hiperlinks is a signed Ed25519 envelope and an on-chain anchor on Base. Paste the digest from a certificate footer, or drop a signed JSON receipt to verify authenticity and walk the per-protocol chain back to first issuance.

Paste the digest from the certificate footer (`sha256:…`).
Paste a digest above, or drop a signed JSON receipt below to begin. The verifier confirms a Hiperlinks-issued artefact, walks its chain back to first issuance, and produces a downloadable verification report.

How verification works

Two layers of evidence travel with every artefact: an Ed25519 signature over a canonical header, and a SHA-256 digest of the payload anchored as transaction calldata on Base. You can check both without trusting Hiperlinks — the public key is published below and the chain is permanent.

Envelope shape

{
  "v": 1,
  "kid": "hiperlinks-<fingerprint>",
  "alg": "EdDSA",
  "issuedAt": "2026-04-24T14:22:00Z",
  "orgId": "<uuid>",
  "subject": "governance-export",
  "contentType": "text/csv" | "application/json",
  "content":   "<base64url of the payload bytes>",
  "digest":    "sha256:<hex>",
  "manifest":  { "protocols": N, "clauses": N, "signatories": N, ... },
  "signature": "<base64url detached Ed25519 signature>",
  "publicKey": "<base64url raw 32-byte Ed25519 public key>",
  "verifier":  "https://hiperlinks.io/verify"
}

What to check

  1. Digest: decode content from base64url and confirm sha256(bytes) === digest. This catches any tampering with the payload even if the signature is stripped.
  2. Signature: reconstruct the canonical string EXPORT|v=1|kid=<kid>|issuedAt=<iso>|orgId=<uuid>|digest=<digest> and verify the Ed25519 signature over it using the public key.
  3. Key pin (optional): if you've pinned our kid in your verifier, confirm the envelope's kid matches.
  4. On-chain anchor (optional): the digest of every export is anchored on Base. Scan for a transaction whose data begins with 0x484c01 ("HL" + version 1) followed by the 32-byte digest.

Reference verifier

We ship a small, dependency-free Node script so you can run verification in your own environment:

# apps/api/scripts/verify-export.ts
tsx scripts/verify-export.ts ./hiperlinks-governance-audit-2026-04-24.hls.json

# Pin the issuer key so a malicious envelope can't self-sign:
VERIFIER_PUBLIC_KEY=<base64url-raw-ed25519-pk> \
  tsx scripts/verify-export.ts ./export.hls.json

Key rotation

Hiperlinks rotates signing keys on a 90-day cadence. The kid field changes when the key rotates; previously valid envelopes keep verifying under the old key for 90 days after retirement. The list of current and recently-retired public keys is published at /.well-known/hiperlinks-keys.json.

Algorithm

Signatures use Ed25519 (RFC 8032). Compact (64-byte signatures), deterministic, and widely supported by standard libraries: WebCrypto in browsers, crypto.verifyin Node, libsodium, PyNaCl, java.security.Signaturewith JDK 15+. No parameters to misconfigure.

Questions about verification? Email compliance@hiperlinks.io.

Verify a Signed Export · Hiperlinks