veridra-verify, and everything that proves us wrong.
The CLI an auditor uses to check our work. Open source, Apache 2.0, no Veridra account required.
An attestation you can only verify by asking the attester is a promise, not an attestation.
veridra-verify CLI
A static binary available via Homebrew, Docker, and as a Go module. Validates cryptographic signatures and Merkle inclusion proofs. Uses Ed25519 signatures, RFC 8785 canonical JSON, and validates against signed tree heads with witness co-signatures.
```bash
# Validate a single signed decision
veridra-verify record path/to/decision.json

# Validate an entire evidence pack
veridra-verify pack path/to/evidence-pack.zip

# Detect a log fork between two STHs
veridra-verify log --consistency oldSTH newSTH

# Canonicalization-aware diff of two records
veridra-verify diff old.json new.json
```
Open-source components
- veridra-verify (CLI) — Apache 2.0, Go, reproducible builds with signed checksums.
- jcs-conformance — RFC 8785 test vectors under CC0.
- trillian-witness-ref — Sigstore-compatible log witness reference implementation.
- veridra-otel — OpenTelemetry instrumentation for SDKs.
Development aids
- Sandbox tenants — free, isolated test environments with ephemeral signing keys.
- Replay harness — signature stability testing across SDK versions and language boundaries.
- Terraform and Helm modules — for on-premises deployments.
What 'open source' means here
Not a marketing verb
The verifier is Apache-licensed. The conformance vectors are CC0. The witness reference is buildable from source. If Veridra disappears tomorrow, every customer can still verify every historical attestation against the public keys they already hold. That's the design.
Why open source the verifier
The verifier must survive the attester
The verifier remains independently verifiable regardless of Veridra's operational status or future viability. An auditor, an adversary, or a court can run the same tool against the same public keys and the same log roots and get the same answer. That's what makes the attestation a regulator-admissible artifact rather than a vendor claim.