Docs / Verify
Verify the ledger yourself
An audit trail you have to trust is not an audit trail. Every decision Countersign makes lands in an append-only, hash-chained, Ed25519-signed ledger — and any entry in it can be proven, offline, by a third party who trusts nothing about us. Trust is verification, not faith.
What you can prove
The ledger publishes an RFC 6962 Merkle inclusion proof for any row, committed under a signed checkpoint. With the proof bundle and the public key, you can independently confirm three things:
- The row hashes as claimed — its payload recomputes to the stored payload hash, and the hash chain from the previous row is intact.
- The row is included — the Merkle audit path folds up to the checkpoint's committed root.
- The checkpoint is authentic — its signature verifies against Countersign's published Ed25519 key over the versioned checkpoint message.
Tamper with the payload, the proof path, or the root and verification fails. There is no way to forge an entry into a committed checkpoint without the signing key.
Pull a proof from the live ledger
# the public key — GET /ledger returns it alongside the rows
curl -s https://app.countersign.network/ledger \
-H "authorization: Bearer $KEY" | jq .publicKey
# an inclusion proof for one row (record + Merkle path + signed checkpoint + key)
curl -s https://app.countersign.network/ledger/proof/2 \
-H "authorization: Bearer $KEY" > proof.json
Verify it offline — no trust in Countersign
# zero-install; the CLI does all the crypto locally
npx @countersign/verify proof.json
# row #2 of 52 (checkpoint ts …)
# chain hashes recompute ✓
# Merkle inclusion ✓
# checkpoint signature ✓
# VERIFIED — this entry is committed by the ledger.
Exit codes are CI-friendly: 0 verified, 1 tampered (do not trust), 2 malformed input. So npx @countersign/verify proof.json && release-funds refuses to proceed on a proof that doesn't check out. Pin the key you expect with --public-key <base64> to catch a swapped signer, or the root with --root <hex>.
Why this matters
The ledger is three things at once: the audit trail (what every agent actually did), the compliance artifact (a signed, tamper-evident record), and — because it captures exactly what was evaluated — the usage meter. Making it independently verifiable means none of those rests on trusting the operator. A neutral control plane earns the "neutral" by being checkable. Checkpoint roots also carry an on-chain / transparency-log anchoring seam, so history can be pinned to a witness outside Countersign entirely.
Try it in 60 seconds — no account, no human
Self-serve key, an isolated sandbox tenant with a three-backend demo fleet, testnet only.
Get a free key → Watch the freeze GitHub